Protecting web users from phishing , spoofing and malware

We describe the current state of web security, and identify the main problems. We then present proposals for improvements, including: secure site identification widget; secure and convenient`single click logon`; improved validation certificates; and using public-key signatures and automated resolutions and penalties, to defend against malicious content including malware. The web and its users are suffering from a growing amount and different forms of malicious, criminal abuses, despite the deployment of sophisticated cryptographic protocols (SSL/TLS). We believe that modest improvements to browser security indicators and mechanisms, can prevent many of these abuses, including many of the phishing, spoofing, malware and cross-site scripting attacks. These proposals focus on secure usability aspects, and should make browsing easier rather than more cumbersome; and the performance requirements are modest. Our discussion is largely based on experience and conclusions from developing TrustBar [HG04], an improved security indicator extension to the FireFox browser, including feedback received from users, surveys and empirical data collected. The importance of security to web users and services is obvious, and indeed essentially all browsers and almost all web servers support advanced, public-key cryptographic protocols, mainly the Secure Socket Layer (SSL) protocol (or its standard version, the Transaction Layer Security (TLS) standard); for details see e.g. [R00]. The main goal of SSL it to protect sensitive traffic, such as credit card numbers and passwords, sent by a consumer to web servers (e.g. merchant sites and e-banking logon pages). Simplified description of SSL as used in most sites. SSL operation is divided into two phases: a handshake phase and a data transfer phase. We illustrate this in Figure 2, for connection between a client and an imaginary bank site During the handshake phase, the browser confirms that the server has a domain name public key certificate. Such a certificate is a statement signed (digitally) by a trusted entity, called a Certificate Authority (CA), specifying a public key PKserver and authorizing it to use the domain name www.bank.com contained in the specified web