Minimizing SSO effort in verifying SSL anti-phishing indicators

IFIP International Federation for Information Processing

Volumn 278, Issue , 2008, Pages 47-61

  Wu, Yongdong ^a   Yao, Haixia ^a   Bao, Feng ^a  

^a INSTITUTE FOR INFOCOMM RESEARCH   (Singapore)

Author keywords

[No Author keywords available]

Indexed keywords

AUTHENTICATION; COMPUTER CRIME;

ANTI-PHISHING; CIPHERTEXTS; ONLINE TRANSACTION; PHISHING ATTACKS; PUBLIC KEYS; SENSITIVE DATAS; SINGLE SIGNON; TRANSACTION PROCESS;

PUBLIC KEY CRYPTOGRAPHY;

EID: 48249105468     PISSN: 15715736     EISSN: None     Source Type: Book Series    
DOI: 10.1007/978-0-387-09699-5_4     Document Type: Conference Paper

References (37)

1. Zhensheng Guan, Invited talk in International ICT Security Exhibition & Conference, Guangzhou, China, Nov. 28, 2007.
2. Edward W. Felten, Dirk Balfanz, Drew Dean, and Dan S. Wallach, "Web spoofing: An Internet Con Game," 20th National Information Systems Security Conference, 1997. http://www.cs.princeton.edu/sip/pub/ spoofing.html
3. Serge Lefranc, and David Naccache, "Cut and Paste Attacks with Java," http://eprint.iacr.org/2002/010.ps
4. Evgeniy Gabrilovich, and Alex Gontmakher, "The homograph attack," Communications of ACM, 45(2):128, 2002.
5. Martin Johns, "Using Java in anti DNS-pinning attacks," http://shampoo.antville.org/stories/1566124/,February2007.
6. Avivah Litan, "Phishing Attack Victims Likely Targets for Identity Theft," in Gartner First Take FT-22-8873. 2004, Gartner Research
7. Microsoft. Microsoft security bulletin MS01-017: Erroneous VeriSign-issued digital certificates pose spoofing hazard,March 2001. http://www.microsoft.com/technet/security/Bulletin/MS01-017.mspx
8. Tyler Close, "Waterken YURL," http://www.waterken.com/dev/YURL/httpsy/
9. Russell Housley, Warwick Ford, Tim Polk, and David Solo, "Internet X.509 public key infrastructure certificate and Certificate Revocation List (CRL) profile," 2002. http://tools.ietf.org/html/rfc3280
10. V. Benjamin Livshits, and Monica S. Lam, "Finding security vulnerabilities in Java applications using static analysis," USENIX Security Sym., pp.271-286, 2005.
11. Blake Ross, Collin Jackson, Nick Miyake, Dan Boneh, and John C. Mitchell, "A Browser Plug-in Solution to the Unique Password Problem," Usenix Security Symposium, 2005.
12. mozilla.dev.security, "VeriSign Class 3 Secure Server CA?," http://groups.google.com/group/mozilla.dev.security/browse_thread/ threa%d/6830a8566de24547/0be9dea1c274d0c5, March 2007.
13. A. Freier, P. Kariton, and P. Kocher, "The SSL Protocol: Version 3.0," Netscape communications, Inc., 1996.
14. Tieyan Li, and Yongdong Wu, "Trust on Web Browser: Attack vs. Defense," First MiAn International Conference on Applied Cryptography and Network Security, LNCS 2846, pp.241-253, 2003.
15. Jeffrey Horton, and Jennifer Seberry, "Covert Distributed Computing Using Java Through Web Spoofing," ACISP, pp.48-57, 1998. http://www.uow.edu.au/jennie/WEB/JavaDistComp.ps.
16. F. De Paoli, A.L. DosSantos, and R.A. Kemmerer, "Vulnerability of Secure Web Browsers," National Information Systems Security Conference, 1997.
17. Batya Friedman, David Hurley, Daniel Howe, Edward Felten, and Helen Nissenbaum, "Users' Conceptions of Web Security: A Comparative Study," Conference on Human Factors in Computing Systems, pp.746-747, 2002.
18. Chris Karlof, Umesh Shankar, J.D. Tygar, and David Wagner, "Dynamic pharming attacks and the locked same-origin policies for web browsers," CCS 2007.
19. Security Space and E-Soft, "Secure Server Survey," http://www.securityspace.com/_survey/sdata/200704/certca.html, May 2007.
20. Stephen Bell, "Invalid banking cert spooks only one user in 300," ComputerWorld New Zealand, http://www.computerworld.co.nz/news.nsf/NL/-FCC8B
21. Rachna Dhamija, J. D. Tygar, and Marti Hearst, "Why phishing works," SIGCHI Conference on Human Factors in Computing Systems, pp.581-590, 2006.
22. Min Wu, Robert C. Miller, and Simson Garfinkel, "Do security toolbars actually prevent phishing attacks?" the SIGCHI Conference on Human Factors in Computing Systems, pp.601-610, 2006.
23. RSA Security Inc, "SecurID product description," http://rsasecurity.com/node.asp?id=1156.
24. Sudhir Aggarwal, Jasbinder Bali, Zhenhai Duan, Leo Kermes,Wayne Liu, Shahank Sahai, and Zhenghui Zhu,"The Design and Development of an Undercover Multipurpose Anti-Spoofing Kit (UnMask)," 23rd Annual Computer Security Applications Conference, 2007.
25. M. Burnside, Blaise Gassend, Thomas Kotwal, Matt Burnside, Marten van Dijk, Srinivas Devadas, and Ronald Rivest, "The untrusted computer prolem and camera-based authentication," International Conference on Pervasive Computing, LNCS 2414, pp.114-124, 2002.
26. Pim Tuyls, Tom Kevenaar, Geert-Jan Schrijen, Toine Staring, and Marten van Dijk, "Visual Crypto Displays enabling Secure Communications," Proceeding of First International Conference on Security in Pervasive Computing, pp.12-14, 2003.
27. Yougu Yuan, Eileen Zishuang Ye, and Sean Smith, "Web Spoofing," 2001. http://www.cs.dartmouth.edu/reports/abstracts/ TR2001-409/
28. Eileen Zishuang Ye, and Sean Smith, "Trusted Paths for Browsers," ACM Transactions on Information and System Security,8(2 ):153-186, 2005.
29. J. Franks, P. Hallam-Baker, J. Hostetler, S. Lawrence, P. Leach, A. Luotonen, and L. Stewart. http Authentication: Basic and Digest Access Authentication, June 1999. http://www.ietf.org/rfc/rfc2617.txt.
30. Rachna Dhamija, and J.D. Tygar, "The Battle Against Phishing: Dynamic Security Skins," Symposium On Usable Privacy and Security (SOUPS) 2005.
31. Andre Adelsbach, Sebastian Gajek, and Jorg Schwenk, "Visual Spoofing of SSL Protected Web Sites and Effective Countermeasures," Information Security Practice and Experience(ISPEC), LNCS 3469, pp.204-216, 2005.
32. Fang Qi, Tieyan Li, Feng Bao, and Yongdong Wu, "Preventing Web-Spoofing with Automatic Detecting Security Indicator," ISPEC, LNCS 3903, pp. 112-122, 2006.
33. Ben Adida, "BeamAuth: Two-Factor Web Authentication with a Bookmark," CCS 2007.
34. Neil Chou, Robert Ledesma, Yuka Teraguchi, Dan Boneh, and John C. Mitchell, "Client Side Defense Against Web-based Identity Theft," http://crypto.stanford.edu/SpoofGuard/#publications
35. Ari Juels, Markus Jakobsson, and Tom N. Jagatic, "Cache Cookies for Browser Authentication," IEEE Symp. on Security and Privacy, pp.301-305, 2006.
36. Ari Juels, Markus Jakobsson, and Sid Stamm,"Active Cookies for Browser Authentication," http://www.ravenwhite.com/files/ activecookies-28_Apr_06.pdf.
37. J. H. Saltzer, and M. D. Schroeder, "The protection of information in computer systems," Proceedings of the IEEE, 63(9 :1278-308, Sept. 1975.