WebApp Sec mailing list archives

Previous By Date Next
Previous By Thread Next

Defending users of unprotected login pages with TrustBar 0.4.9.93

From: Amir Herzberg <herzbea () macs biu ac il>
Date: Mon, 19 Sep 2005 13:38:43 +0200
Most financial and other sensitive web sites use SSL/TLS to authenticate the server and protect data from eavesdropping and from modification by a Man In The Middle (MITM) adversary.
However, quite a few of these sites invoke SSL/TLS only _after_ user has typed in her user name and pw, and clicked `submit`. This allows a MITM adversary to send a modified login page to the user, which sends the pw to the attacker (rather than encrypting it and sending to the site). See below link to a `Hall of Shame (HoS)` listing such sites.
There are few things we can do about this. We can try to convince these sites to use SSL/TLS _before_ asking for userid and pw; I tried, and few fixed, but most did not. We can avoid using these sites, but this is a bit heavy penalty e.g. if it is your bank. We can also try to find an alternate login page which _is_ protected; in fact, we've found such alternate, protected sites for most ebanking login sites (see HoS). But this may be difficult for most (naive) users.
So, we decided to add support for users of these unprotected sites in TrustBar. As of the latest version (0.4.9.93), available off my site (below), we added two such mechanisms:
1. TrustBar will automatically download from our own server, periodically, a list of all of the unprotected login sites, including any alternate protected login pages we are aware of. By default, whenever a user accesses one of these unprotected pages, she will be automatically redirected to the alternate, protected login page.
2. TrustBar allows users to assign a name or a logo to sites, protected or not (to help users identify fake sites). We now added a mechanism computes a hash of every unprotected site for which the user has assigned name/logo. TrustBar compares this hash on subsequent accesses to the same site. If the site is not modified in five subsequent accesses, TrustBar begins displaying `Same since <date>`; and when the site changes, TrustBar displays a warning. This can help users notice a fake version of their login page. Unfortunately, this mechanism does not work very well on most real-life login pages, since most of them contain a tiny bit of frequently-changing data such as date or `random` identifiers (mostly to identify a cookie-less client, we think). We are working on improving the mechanism so it will be tolerant to such tiny changes, without exposing the user to malicious changes.
Please try it and tell us what you think of TrustBar in general and these features specifically. If you like it, please inform others, to protect them, help convince browsers to incorporate such features, and - last but not least for us - help us obtain more experimental data in our research on secure usability. Thanks!
BTW, TrustBar is an open-source project, so if some of you want to provide it to your customers, possibly customized (branded) etc., there is no licensing required. 
--
Best regards,

Amir Herzberg

Associate Professor
Department of Computer Science
Bar Ilan University
http://AmirHerzberg.com
Try TrustBar - improved browser security UI: http://AmirHerzberg.com/TrustBar Visit my Hall Of Shame of Unprotected Login pages: http://AmirHerzberg.com/shame
Previous By Date Next
Previous By Thread Next

Current thread: