The devil is phishing: Rethinking web single sign-on systems security

6th USENIX Workshop on Large-Scale Exploits and Emergent Threats, LEET 2013

Volumn , Issue , 2013, Pages

  Yue, Chuan ^a  

^a UNIVERSITY OF COLORADO   (United States)

Author keywords

Password; Phishing; Security; User authentication; Web Single Sign On (SSO)

Indexed keywords

COMPUTER CRIME; ONLINE SYSTEMS;

PASSWORD; PHISHING; SECURITY; SINGLE SIGNON; USER AUTHENTICATION;

AUTHENTICATION;

EID: 85084095280     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: None     Document Type: Conference Paper

References (21)

1. ARMANDO, A., CARBONE, R., COMPAGNA, L., CUELLAR, J., AND TOBARRA, L. Formal analysis of saml 2.0 web browser single sign-on: breaking the saml-based single sign-on for google apps. In ACM FMSE (2008).
2. BANSAL, C., BHARGAVAN, K., AND MAFFEIS, S. Discovering concrete attacks on website authorization by formal analysis. In IEEE CSF (2012).
3. DOWNS, J. S., HOLBROOK, M. B., AND CRANOR, L. F. Decision strategies and susceptibility to phishing. In SOUPS (2006).
4. GARERA, S., PROVOS, N., CHEW, M., AND RUBIN, A. D. A framework for detection and measurement of phishing attacks. In WORM (2007).
5. JAKOBSSON, M., AND RATKIEWICZ, J. Designing ethical phishing experiments: a study of (ROT13) rOnl query features. In WWW (2006).
6. LUDL, C., MCALLISTER, S., KIRDA, E., AND KRUEGEL, C. On the effectiveness of techniques to detect phishing sites. In DIMVA (2007).
7. MA, J., SAUL, L. K., SAVAGE, S., AND VOELKER, G. M. Beyond blacklists: learning to detect malicious web sites from suspicious urls. In SIGKDD (2009).
8. RACHNA DHAMIJA, J.D.TYGAR, AND MARTI HEARST. Why phishing works. In CHI (2006).
9. SUN, S.-T., AND BEZNOSOV, K. The devil is in the (implementation) details: an empirical analysis of oauth sso systems. In CCS (2012).
10. SUN, S.-T., POSPISIL, E., MUSLUKHOV, I., DINDAR, N., HAWKEY, K., AND BEZNOSOV, K. What makes users refuse web single sign-on?: an empirical investigation of openid. In SOUPS (2011).
11. WANG, R., CHEN, S., AND WANG, X. Signing me onto your accounts through facebook and google: A traffic-guided security study of commercially deployed single-sign-on web services. In the IEEE Symposium on Security and Privacy (2012).
12. WHITTAKER, C., RYNER, B., AND NAZIF, M. Large-scale automatic classification of phishing pages. In NDSS (2010).
13. ZHANG, Y., HONG, J., AND CRANOR, L. CANTINA: A content-based approach to detecting phishing web sites. In WWW (2007).
14. OAuth 2.0 Threat Model and Security Considerations. http://tools.ietf.org/html/rfc6819.
15. OAuth Introduction. http://oauth.net/about/.
16. OpenID Authentication 2.0 - Final. http://openid.net/specs/openid-authentication-2_0.html.
17. OpenID Phishing Brainstorm. http://wiki.openid.net/w/page/12995216/OpenID_Phishing_Brainstorm.
18. OpenID: Phishing Heaven. http://www.links.org/?p=187.
19. Quantitative Studies: How Many Users to Test? http://www.nngroup.com/articles/ quantitative- studies- how- many- users/.
20. The OAuth 2.0 Authorization Framework. http://tools.ietf.org/html/rfc6749.
21. What is OpenID? http://openid.net/get-an-openid/what-is-openid/.