Many anti-phishing browsers have been implemented till date and some of them include embedding features in browsers, as extensions or toolbars in browsers, and as part of website login procedures. Most websites targeted for phishing are secure, meaning that SSL with strong cryptography is used for server authentication. In theory, it should be possible to confirm the site using the SSL authentication, but in practice, it is easy to fool the user.
The superficial flaw is in the browser's security User Interface (UI) that is insufficient to deal with today's strong threats. There are three parts for secure authentication: indication that the connection is in authenticated mode, the site which the user is connected to and which authority says it is the site that it claims to be.
Secure Connection: The user easily misses the padlock that was the standard display for secure browsing from the mid-1990s to mid 2000s. Mozilla featured a yellow URL bar in 2005 as a better indication that the connection is secure. However, unfortunately, this innovation was then reversed due to the EV Certificates, which replaced high value certificates with a green display and the rest with a white display.
Which Site: The user is expected to confirm that the domain name in the browser's URL bar is in fact where they wanted to go. Users can be too complex to be passed and users often do not know or recognize the URL they intend going making authentication meaningless. Many e-commerce sites will change the domain names within the overall set of websites making it harder for the user to trace himself. Also simply displaying the domain name of the visited website as some anti-phishing toolbars do is not sufficient.
Firefox offers an alternative- a pet name extension which lets users type in their own labels for websites that they can recognize when they later return to the website. In addition, if the site is not recognized then the software warns the user or detects it outright. This symbolizes the user-centric identity management of the server. A graphical image selected by a user could be a better identification.
With the introduction of EV Certificates, browsers display the organization's name in green making it more visible ad hopefully more consistent with the user's expectations. But then the browser vendors have limited this display to only EV Certificates, leaving the user groping in the dark for other certificates.
Who is the Authority As far as the user is concerned the browser is the authority at the simplest level since no authority is stated at this stage. The current practice is for the browser vendors to control a root list of acceptable CA s the problem is that all Certification Authorities (CA s) employ neither good nor applicable checking. In addition, neither do all CA s subscribe to the same model and concept that certificates are only about authenticating web sites or e-commerce organizations. Certificate Manufacturing is the term given to low value certificates that are delivered on a credit card and an email confirmation, which can be easily perverted by fraudsters. Thus, a valid certificate issued by another CA may spoof a high value site. This could happen because the CA is in another part of the world and it is unfamiliar with high value e-commerce sites. Nevertheless, since the CA is charged with protecting its own customers and not the customers of another CA there is an inherent flaw in this model.
The solution to the above problem is that the browser should show and the user should be familiar with the name of the authority that issues the certificate. This projects the CA as a brand and allows the user to come in contact with the handful of CA s in her country. The use of brand provides the CA with an incentive to improve their checking and the user will demand good checking for high value sites.
This solution was put into action in early versions of IE7 when displaying EV Certificates here the issuing CA was displayed. Nevertheless, this turns out to be an isolated case. There is resistance for branding CA s on the chrome resulting in a fallback to the simplest level above: the browser is the user's authority.
The superficial flaw is in the browser's security User Interface (UI) that is insufficient to deal with today's strong threats. There are three parts for secure authentication: indication that the connection is in authenticated mode, the site which the user is connected to and which authority says it is the site that it claims to be.
Secure Connection: The user easily misses the padlock that was the standard display for secure browsing from the mid-1990s to mid 2000s. Mozilla featured a yellow URL bar in 2005 as a better indication that the connection is secure. However, unfortunately, this innovation was then reversed due to the EV Certificates, which replaced high value certificates with a green display and the rest with a white display.
Which Site: The user is expected to confirm that the domain name in the browser's URL bar is in fact where they wanted to go. Users can be too complex to be passed and users often do not know or recognize the URL they intend going making authentication meaningless. Many e-commerce sites will change the domain names within the overall set of websites making it harder for the user to trace himself. Also simply displaying the domain name of the visited website as some anti-phishing toolbars do is not sufficient.
Firefox offers an alternative- a pet name extension which lets users type in their own labels for websites that they can recognize when they later return to the website. In addition, if the site is not recognized then the software warns the user or detects it outright. This symbolizes the user-centric identity management of the server. A graphical image selected by a user could be a better identification.
With the introduction of EV Certificates, browsers display the organization's name in green making it more visible ad hopefully more consistent with the user's expectations. But then the browser vendors have limited this display to only EV Certificates, leaving the user groping in the dark for other certificates.
Who is the Authority As far as the user is concerned the browser is the authority at the simplest level since no authority is stated at this stage. The current practice is for the browser vendors to control a root list of acceptable CA s the problem is that all Certification Authorities (CA s) employ neither good nor applicable checking. In addition, neither do all CA s subscribe to the same model and concept that certificates are only about authenticating web sites or e-commerce organizations. Certificate Manufacturing is the term given to low value certificates that are delivered on a credit card and an email confirmation, which can be easily perverted by fraudsters. Thus, a valid certificate issued by another CA may spoof a high value site. This could happen because the CA is in another part of the world and it is unfamiliar with high value e-commerce sites. Nevertheless, since the CA is charged with protecting its own customers and not the customers of another CA there is an inherent flaw in this model.
The solution to the above problem is that the browser should show and the user should be familiar with the name of the authority that issues the certificate. This projects the CA as a brand and allows the user to come in contact with the handful of CA s in her country. The use of brand provides the CA with an incentive to improve their checking and the user will demand good checking for high value sites.
This solution was put into action in early versions of IE7 when displaying EV Certificates here the issuing CA was displayed. Nevertheless, this turns out to be an isolated case. There is resistance for branding CA s on the chrome resulting in a fallback to the simplest level above: the browser is the user's authority.
Related Links:
Workers compensation software
No comments:
Post a Comment