
Visual Spoofing of SSL Protected Web Sites and Effective Countermeasures

  • Conference paper
Information Security Practice and Experience (ISPEC 2005)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 3439)

Abstract

Today the standard means for secure transactions in the World Wide Web (WWW) are the SSL/TLS protocols, which provide secure (i.e., private and authentic) channels between browsers and servers. As protocols, SSL/TLS are considered secure. However, SSL/TLS's protection ends at the "transport/session layer", and it is up to the application (here, web browsers) to preserve the security offered by SSL/TLS.

In this paper we provide evidence that most web browsers have severe weaknesses in the browser-to-user communication (graphical user interface), which attackers can exploit to fool users about the presence of a secure SSL/TLS connection and make them disclose secrets to attackers. These attacks, known as "Visual Spoofing", imitate certain parts of the browser's user interface, pretending that users communicate securely with the desired service while they are actually communicating with the attacker. Therefore, most SSL/TLS protected web applications cannot be considered secure, due to deficiencies in browsers' user interfaces.

Furthermore, we characterise Visual Spoofing attacks and discuss why they still affect today's WWW browsers. Finally, we introduce practical remedies which effectively prevent these attacks and which can easily be included in current browsers or (personal) firewalls to preserve SSL/TLS's security in web applications.




Copyright information

© 2005 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Adelsbach, A., Gajek, S., Schwenk, J. (2005). Visual Spoofing of SSL Protected Web Sites and Effective Countermeasures. In: Deng, R.H., Bao, F., Pang, H., Zhou, J. (eds) Information Security Practice and Experience. ISPEC 2005. Lecture Notes in Computer Science, vol 3439. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-31979-5_18


  • DOI: https://doi.org/10.1007/978-3-540-31979-5_18

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-25584-0

  • Online ISBN: 978-3-540-31979-5

  • eBook Packages: Computer Science (R0)
