Why Johnny can't surf (safely)? Attacks and defenses for web users

Computers and Security

Volumn 28, Issue 1-2, 2009, Pages 63-71

  Herzberg, Amir ^a  

^a BAR ILAN UNIVERSITY   (Israel)

Author keywords

Network security; Phishing; Secure login; Secure usability; Spoofing; Web security

Indexed keywords

COMPUTER NETWORKS; CRYPTOGRAPHY; INTERNET; NETWORK SECURITY; WEBSITES; WORLD WIDE WEB;

PHISHING; SECURE LOGIN; SECURE USABILITY; SPOOFING; WEB SECURITY;

INTERNET PROTOCOLS;

EID: 57849132173     PISSN: 01674048     EISSN: None     Source Type: Journal    
DOI: 10.1016/j.cose.2008.09.007     Document Type: Article

References (22)

1. Anti-Phishing Working Group. July phishing activity trends report. Available from: (September 2006).
2. Apostolopoulos G, Peris V, Saha D. Transport layer security: how much does it really cost? In: INFOCOM'99, 18th annual joint conference of the IEEE Computer and Communications Societies; 1999. p. 717-25.
3. Bellare M, Pointcheval D, Rogaway P. Authenticated key exchange secure against dictionary attacks. In: Advances in Cryptology - Eurocrypt 2000 Proceedings. Lecture Notes in Computer Science, vol. 1807, Springer, Berlin, 2000. pp. 139-55.
4. Close T. Petname tool: enabling web site recognition using the existing SSL infrastructure. In: W3C workshop on transparency and usability of web authentication, New York City. Available from: ; March 2006.
5. Dhamija R, Tygar JD, Hearst M. Why phishing works. In: Proceedings of the SIGCHI conference on human factors in computing systems, Montreal, Quebec, Canada; 2006. p. 581-90.
6. Dierks T, Rescorla E. The transport layer security {(TLS)} protocol version 1.1, internet request for comment (RFC) number 4346; April 2006.
7. Eastlake J, Reagle J, Solo D. XML-signature syntax and processing, RFC 3275. Also a W3C Recommendation available at: http://www.w3.org/TR/2002/REC-xmldsig-core-20020212/; March 2002.
8. Franco R. Better Website Identification and Extended Validation Certificates in IE7 and Other Browsers, published in Microsoft Developer Network's IEBlog, Available from: ; November 21, 2005.
9. Felten EW, Balfanz D, Dean D, Wallach DS. Web Spoofing: An Internet Con Game. Proceedings of the Twentieth National Information Systems Security Conference, Baltimore. Also Technical Report 540-96, Department of Computer Science, Princeton University; October 1997.
10. Gabrilovich E, Gontmakher A. The homograph attack. Communications of the ACM, 2002;45(2).
11. Gasparini LA, Gotlieb CE. Method and apparatus for authentication of users and web sites, US patent number 7100049, filing date: May 9, 2003, issue date: Aug 29, 2006.
12. Herzberg A, Jbara A. Security and Identification Indicators for Browsers against Spoofing and Phishing Attacks, ACM Transactions on Internet Technology (TIOT), Sept. 2008. Earlier version: Protecting (even) Naïve Web Users, or: Preventing Spoofing and Establishing Credentials of Web Sites published as DIMACS Technical Report 2004-23, May 2004.
13. Jackson C, Simon D, Tan D, Barth A. An evaluation of extended validation and picture-in-picture phishing attacks. In: Usable security (USEC'07). Available from: ; 2007.
14. Rescorla E. SSL and TLS: designing and building secure systems (2000), Addison-Wesley
15. Ross B, Jackson C, Miyake N, Boneh D, Mitchell JC. Stronger password authentication using browser extensions. In: Proceedings of the 14th conference on USENIX Security Symposium, July 31-August 05, 2005, Baltimore, MD; 2005. p. 2-2.
16. Salowey J., Zhou H., Eronen P., and Tschofenig H. Transport layer security session resumption without server-side state, RFC 4507 (May 2006), Networking Working Group, Internet Engineering Task Force (IETF)
17. Schechter S, Dhamija E, Ozment A, Fischer I. The emperor's new security indicators. In: Proceedings of the IEEE Symposium on Security and Privacy, pp. 51-65, May 2007.
18. Whitten A, Tygar JD. Why Johnny can't encrypt: a usability case study of PGP 5.0. In: Proceedings of the eighth USENIX security symposium; August 1999.
19. Wu M, Miller RC, Garfinkel SL. Do security toolbars actually prevent phishing attacks? In: Proceedings of the SIGCHI conference on human factors in computing systems, Montreal, Quebec, Canada; 2006. p. 601-10.
20. Ye Z, Yuan Y, Smith S. Web Spoofing Revisited: SSL and Beyond. Tech. Rep. Department of Computer Science, Dartmouth College, TR2002-417; 2002.
21. Ye Z.T., Smith S., and Anthony D. Trusted paths for browsers. ACM Transactions on Information and System Security (TISSEC) 8 2 (2005) 153-186
22. Yee KP, Sitaker K. Passpet: convenient password management and phishing protection. In: Proceedings of the second symposium on usable privacy and security; 2006. p. 32-43.