SSL-enabled trusted communication: Spoofing and protecting the non-cautious users

The anti-spoofing community has been intensively proposing new methods for defending against new web-spoofing techniques. In this paper, we analyze the problems within current anti-spoofing mechanisms, and propose a new SSL protected trust model. Then, we describe the attacks on SSL protected trusted communication. In this paper, we also propose the new Automatic Detecting Security Indicator scheme (ADSI) to defend against spoofing attacks on SSL protected web servers. In a secure transaction, ADSI will randomly choose a picture and embed it into the current web browser at a random place. This can be triggered by any security relevant event that has occurred on the browser, and then automatic checking will be performed on the current active security status. When a mismatch of embedded pictures is detected, an alarm goes off to alert the users. Since an adversary is hard to replace or mimic the randomly embedded picture, the web-spoofing attack can not be mounted easily. In comparison with existing schemes, (1) the proposed scheme has the weakest security assumption, and places a very low burden on the user by automating the process of detection and recognition of web-spoofing for SSL-enabled trusted communication; (2) it has little intrusiveness on the browser; and (3) it can be implemented in a trusted PC at an Internet Cafe. Copyright c © 2009 John Wiley & Sons, Ltd.