Tuesday, August 31, 2010

Seminar report on "Web Spoofing"

The Web is currently the pre-eminent medium for electronic service delivery to remote users. As a consequence, authentication of servers is more important than ever. Even sophisticated users base their decision whether or not to trust a site on browser cues—such as location bar information, SSL icons, SSL warnings, certificate information, response time, etc.

In the seminal work on web spoofing, Felten et al. showed how a malicious server could forge some of these cues—but using approaches that are no longer reproducible. However, the subsequent evolution of Web tools has not only patched security holes—it has also added new technology to make pages more interactive and vivid. In this paper, we explore the feasibility of web spoofing using this new technology—and we show how, in many cases, every one of the above cues can be forged.

Nearly every aspect of social, government, and commercial activity is moving into electronic settings. The World Wide Web is the de facto standard medium for these services. Inherent properties of the physical world make it sufficiently difficult to forge a convincing storefront or ATM that successful attacks create long-cited anecdotes. As a consequence, users of physical services—stores, banks, newspapers—have developed a reasonably effective intuition of when to trust that a particular service offering is exactly what it appears to be. However, moving from “bricks and mortar” to electronic introduces a fundamental new problem: bits are malleable.

Does this intuition still suffice for the new electronic world? When one clicks on a link that says “Click Here to go to TrustedStore.Com,” how does one know that is where one has been taken?

Answering these questions requires examining how users make judgments about whether to trust a particular Web page for a particular service. Indeed, the issue of user trust judgment is largely overlooked; research addressing how to secure Web servers, how to secure the client-server connection, and how to secure client-side management risks being rendered moot if the final transmission of trust information to the human user is neglected.


Download: Full Report (.pdf)
