Trusted paths for browsers

Abstract

Computer security protocols usually terminate in a computer; however, the human-based services which they support usually terminate in a human. The gap between the human and the computer creates potential for security problems. We examine this gap, as it is manifested in secure Web servers. Felten et al. demonstrated the potential, in 1996, for malicious servers to impersonate honest servers. In this paper, we show how malicious servers can still do this, and can also forge the existence of an SSL session and the contents of the alleged server certificate. We then consider how to systematically defend against Web spoofing, by creating a trusted path from the browser to the human user. We present potential designs, propose a new one, prototype it in open-source Mozilla, and demonstrate its effectiveness via user studies.

DOI: 10.1145/1065545.1065546

5 Figures and Tables

214 Citations

Semantic Scholar estimates that this publication has 214 citations based on the available data.

Cite this paper

@inproceedings{Ye2002TrustedPF, title={Trusted paths for browsers}, author={Zishuang Ye and Sean W. Smith and Denise L. Anthony}, booktitle={ACM Trans. Inf. Syst. Secur.}, year={2002} }