Skip to main content
SpringerLink
Log in
Book cover

International Conference on Information Security

ISC 2012: Information Security pp 86–103Cite as

Measuring SSL Indicators on Mobile Browsers: Extended Life, or End of the Road?

  • Conference paper

Part of the Lecture Notes in Computer Science book series (LNSC,volume 7483)

Abstract

Mobile browsers are increasingly being relied upon to perform security sensitive operations. Like their desktop counterparts, these applications can enable SSL/TLS to provide strong security guarantees for communications over the web. However, the drastic reduction in screen size and the accompanying reorganization of screen real estate significantly changes the use and consistency of the security indicators and certificate information that alert users of site identity and the presence of strong cryptographic algorithms. In this paper, we perform the first measurement of the state of critical security indicators in mobile browsers. We evaluate ten mobile and two tablet browsers, representing over 90% of the market share, using the recommended guidelines for web user interface to convey security set forth by the World Wide Web Consortium (W3C). While desktop browsers follow the majority of guidelines, our analysis shows that mobile browsers fall significantly short. We also observe notable inconsistencies across mobile browsers when such mechanisms actually are implemented. Finally, we use this evidence to argue that the combination of reduced screen space and an independent selection of security indicators not only make it difficult for experts to determine the security standing of mobile browsers, but actually make mobile browsing more dangerous for average users as they provide a false sense of security.

Keywords

  • Expert User
  • Mixed Content
  • Security Indicator
  • Mobile Browser
  • Secondary Interface

These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.

This is a preview of subscription content, access via your institution.

Chapter
USD   29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD   39.99
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD   54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Learn about institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. GoDaddy SSL certificate, http://www.godaddy.com/Compare/gdcompare_ssl.aspx?isc=sslqgo016b

  2. VeriSign certificate, https://www.verisign.com/ssl/buy-ssl-certificates/index.html?sl=t72010166130000002&gclid=CIKMyY2GuKgCFYg32godV2_8Bw

  3. Key words for use in RFCs to Indicate Requirement Levels (March 1997), http://www.ietf.org/rfc/rfc2119.txt

  4. Overflow clickjacking (November 2008), http://research.zscaler.com/2008/11/clickjacking-iphone-style.html

  5. Guidelines for the Processing of EV Certificates, version 1.0 (January 2009), http://www.cabforum.org/Guidelines_for_the_processing_of_EV_certificatesv1_0.pdf

  6. SSLstrip, presented at Black Hat DC (2009), http://www.thoughtcrime.org/software/sslstrip/

  7. Android Browser Exploit (2010), http://threatpost.com/en_us/blogs/researcher-publishes-android-browser-exploit-110810

  8. Guidelines for the Issuance and Management of Extended Validation Certificates, version 1.3 (November 20, 2010), http://www.cabforum.org/Guidelines_v1_3.pdf

  9. W3C: Web Security Context: User Interface Guidelines (August 2010), http://www.w3.org/TR/wsc-ui/

  10. Web-based Android attack (November 2010), http://www.infoworld.com/d/security-central/security-researcher-releases-web-based-android-attack-317?source=rss_security_central/

  11. Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates, version 1.0 (April 11, 2011), http://www.cabforum.org/Announcement-Baseline_Requirements.pdf

  12. Comodo compromise (April 1, 2011), http://www.csoonline.com/article/678777/comodo-compromise-expands-hacker-talks

  13. DigiNotar CA compromise (August 30, 2011), http://community.websense.com/blogs/securitylabs/archive/2011/08/30/diginotar-ca-compromise.aspx

  14. The CA/Browser forum (April 11, 2011), http://www.cabforum.org/

  15. Android OS market share by version (May 2012), http://developer.android.com/resources/dashboard/platform-versions.html

  16. Mobile Browser Market Share (May 2012), http://gs.statcounter.com/#mobile_browser-ww-monthly-201204-201205

  17. Biddle, R., van Oorschot, P., Patrick, A., Sobey, J., Whalen, T.: Browser interfaces and extended validation SSL certificates: an empirical study. In: Proceedings of the ACM Workshop on Cloud Computing Security (2009)

    Google Scholar 

  18. Boodaei, M.: Mobile users three times more vulnerable to phishing attacks (2011), http://www.trusteer.com/blog/mobile-users-three-times-more-vulnerable-phishing-attacks

  19. Chou, N., Ledesma, R., Teraguchi, Y., Boneh, D., Mitchell, J.: Client-side defense against web-based identity theft. In: Proc. NDSS (2004)

    Google Scholar 

  20. Davies, C.: iPhone Os Safari Vulnerable To DoS Attacks (April 16, 2008), http://www.iphonebuzz.com/iphone-safari-dos-bug-discovered-162212.php

  21. Dhamija, R., Tygar, J.D., Hearst, M.: Why phishing works. In: Proceedings of the SIGCHI Conference on Human Factors in Computing Systems (2006)

    Google Scholar 

  22. Dhamija, R., Tygar, J.: The battle against phishing: Dynamic security skins. In: Proceedings of the Symposium on Usable Privacy and Security (2005)

    Google Scholar 

  23. Downs, J., Holbrook, M., Cranor, L.: Decision strategies and susceptibility to phishing. In: Proceedings of the Second Symposium on Usable Privacy and Security (2006)

    Google Scholar 

  24. Felten, E.W., Balfanz, D., Dean, D., Wallach, D.S.: Intrusion Detection Prevention Web Spoofing: An Internet Con Game. In: 20th National Information Systems Security Conference (1997)

    Google Scholar 

  25. Friedman, B., Hurley, D., Howe, D., Felten, E., Nissenbaum, H.: Users’ conceptions of web security: a comparative study. In: CHI Extended Abstracts on Human Factors in Computing Systems (2002)

    Google Scholar 

  26. Herzberg, A., Jbara, A.: Security and identification indicators for browsers against spoofing and phishing attacks. ACM Transactions on Internet Technology (2008)

    Google Scholar 

  27. Jackson, C., Simon, D.R., Tan, D.S., Barth, A.: An Evaluation of Extended Validation and Picture-in-Picture Phishing Attacks. In: Dietrich, S., Dhamija, R. (eds.) FC 2007 and USEC 2007. LNCS, vol. 4886, pp. 281–293. Springer, Heidelberg (2007)

    CrossRef  Google Scholar 

  28. Livshits, B., Molnar, D.: Empowering Browser Security for Mobile Devices Using Smart CDNs. In: Proceedings of the Workshop on Web 2.0 Security and Privacy, W2SP (2010)

    Google Scholar 

  29. Marlinspike, M.: More Tricks For Defeating SSL in Practice (2009), http://www.blackhat.com/presentations/bh-usa-09/MARLINSPIKE/BHUSA09-Marlinspike-DefeatSSL-SLIDES.pdf

  30. Niu, Y., Hsu, F., Chen, H.: iPhish: Phishing Vulnerabilities on Consumer Electronics. In: Usability, Psychology, and Security (2008)

    Google Scholar 

  31. Porter Felt, A., Wagner, D.: Phishing on mobile devices. In: Web 2.0 Security and Privay (2011)

    Google Scholar 

  32. Resig, J.: iPhone overflow clickjacking (November 2008), http://ejohn.org/blog/clickjacking-iphone-attack/

  33. Schechter, S., Dhamija, R., Ozment, A., Fischer, I.: The Emperor’s New Security Indicators. In: IEEE Symposium on Security and Privacy (2007)

    Google Scholar 

  34. Sobey, J., Biddle, R., van Oorschot, P.C., Patrick, A.S.: Exploring User Reactions to New Browser Cues for Extended Validation Certificates. In: Jajodia, S., Lopez, J. (eds.) ESORICS 2008. LNCS, vol. 5283, pp. 411–427. Springer, Heidelberg (2008)

    CrossRef  Google Scholar 

  35. Stebila, D.: Reinforcing bad behaviour: the misuse of security indicators on popular websites. In: Proceedings of the 22nd Conference of the Computer-Human Interaction Special Interest Group of Australia on Computer-Human Interaction (2010)

    Google Scholar 

  36. Sunshine, J., Egelman, S., Almuhimedi, H., Atri, N., Cranor, L.F.: 18th USENIX Security Symposium Crying Wolf: An Empirical Study of SSL Warning Effectiveness. Work (2009)

    Google Scholar 

  37. Vratonjic, N., Freudiger, J., Bindschaedler, V., Hubaux, J.P.: The inconvenient truth about web certificates. In: The Workshop on Economics of Information Security, WEIS (2011)

    Google Scholar 

  38. Whalen, T., Inkpen, K.: Gathering evidence: use of visual security cues in web browsers. In: Proceedings of Graphics Interface (2005)

    Google Scholar 

  39. Ye, Z.E., Smith, S., Anthony, D.: Trusted paths for browsers. ACM Transactions on Information and System Security (TISSEC) (May 2005)

    Google Scholar 

Download references

Author information

Authors and Affiliations

  1. Georgia Tech Information Security Center (GTISC), Georgia Institute of Technology, USA

    Chaitrali Amrutkar & Patrick Traynor

  2. School of Computer Science, Carleton University, Ottawa, Canada

    Paul C. van Oorschot

Authors
  1. Chaitrali Amrutkar
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Patrick Traynor
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Paul C. van Oorschot
    View author publications

    You can also search for this author in PubMed Google Scholar

Editor information

Editors and Affiliations

  1. Institute of Security in Distributed Applications, University of Technology, Harburger Schlossstrasse 20, 21073, Hamburg, Germany

    Dieter Gollmann

  2. Department of Computer Science, University of Erlangen-Nürnberg, Am Wolfsmantel 46, 91058, Erlangen, Germany

    Felix C. Freiling

Rights and permissions

Reprints and Permissions

Copyright information

© 2012 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Amrutkar, C., Traynor, P., van Oorschot, P.C. (2012). Measuring SSL Indicators on Mobile Browsers: Extended Life, or End of the Road?. In: Gollmann, D., Freiling, F.C. (eds) Information Security. ISC 2012. Lecture Notes in Computer Science, vol 7483. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-33383-5_6

Download citation

  • DOI: https://doi.org/10.1007/978-3-642-33383-5_6

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-33382-8

  • Online ISBN: 978-3-642-33383-5

  • eBook Packages: Computer ScienceComputer Science (R0)

search

Navigation