Part of the book series: Lecture Notes in Computer Science (LNTCS, volume 5340)

Abstract

The conventional wisdom has always been that users should refrain from entering their sensitive data (such as usernames, passwords, and credit card numbers) into http (or white) pages, but that they can enter these data into https (or yellow) pages. Unfortunately, this assumption is not valid: it has recently become clear that, through human mistakes or Phishing or Pharming attacks, a displayed yellow page may not be the one the user intended to request in the first place. In this paper, we propose to add a third class of secure web pages called brown pages. We show that brown pages are more secure than yellow pages, especially in the face of human mistakes and Phishing and Pharming attacks; thus users can enter their sensitive data into brown pages without worry. We present a login protocol, called the Transport Login Protocol, or TLP for short. An https web page displayed on the browser is classified as brown by the browser if and only if it has been called into the browser either through TLP or from within another brown page that had itself been called into the browser through TLP earlier.


© 2008 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Choi, T., Son, S., Gouda, M.G., Cobb, J.A. (2008). Pharewell to Phishing. In: Kulkarni, S., Schiper, A. (eds) Stabilization, Safety, and Security of Distributed Systems. SSS 2008. Lecture Notes in Computer Science, vol 5340. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-89335-6_19

  • DOI: https://doi.org/10.1007/978-3-540-89335-6_19

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-89334-9

  • Online ISBN: 978-3-540-89335-6

  • eBook Packages: Computer Science, Computer Science (R0)