Abstract
This paper proposes a browser spoofing attack that breaks the weakest link between server and user, i.e., the human-computer interface, and thereby defeats the entire security system of an Internet transaction. In this attack, when a client is misled to an attacker's site, or an attacker hijacks a connection, a set of malicious HTML files is downloaded to the client's machine. These files are used to create a spoofed browser, including a fake window with malicious event-processing methods. The bogus window, which has the same appearance as the original one, shows the "good" web content while carrying out "bad" activities behind it, such as stealthily disclosing the user's password. Once the attack is mounted, even a scrupulous user will trust a browser that is fully controlled by the attacker. We further propose several countermeasures against the attack.
© 2003 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Li, TY., Wu, Y. (2003). Trust on Web Browser: Attack vs. Defense. In: Zhou, J., Yung, M., Han, Y. (eds) Applied Cryptography and Network Security. ACNS 2003. Lecture Notes in Computer Science, vol 2846. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-45203-4_19
DOI: https://doi.org/10.1007/978-3-540-45203-4_19
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-20208-0
Online ISBN: 978-3-540-45203-4