Web Authentication based on a Community of Trust and on a User-centred Approach
By Karima Boudaoud and Nicolas Nobelis (I3S-CNRS Laboratory / University of Nice Sophia Antipolis)
Introduction
With the increasing growth of e-commerce and its importance to the global economy, the security of e-commerce systems, and particularly of Web sites, is becoming more and more important. Many mechanisms have been proposed to ensure the confidentiality and integrity of transactions. But even if some of these solutions have been deployed, the security of e-commerce Web sites is still fragile. E-commerce Web sites are still vulnerable to many kinds of attacks, and those attacks are evolving continuously. For example, several high-profile Web sites such as Yahoo, Amazon, eBay and financial institutions have been the subject of spectacular attacks, such as denial of service and phishing attacks, that have caused significant damage and the loss of a lot of money.
The aim of this paper is to propose a user-centred approach to improve security against the new generation of Web spoofing attacks.
Strategies against Web-spoofing attacks
To manage Web spoofing attacks, several security solutions, based on proactive and reactive approaches, have been proposed.
- Proactive approaches:
  - Security toolbars implemented by browser vendors. However,
    - the user may distrust the toolbar's decision process
    - the user may not pay attention to security warnings when browsing
  - Pop-up security warnings. However,
    - too many warnings exasperate the user
    - too general warnings don't help the user in the decision process
  - Web page personalization. However,
    - image-based solutions are not applicable for people with visual disabilities [CAPTCHA]
- Reactive approaches:
  - Intrusion detection and prevention systems deployed at server-side
    - to detect suspicious behaviours such as multiple accesses to a Web site during a short period of time, downloading of logos and Web pages, ...
  - ISP intervention to block and close phishing Web sites.
In order to be more efficient against Web spoofing attacks, the best strategy is to think about a collaborative approach between solutions deployed at server-side, at client-side (particularly browsers), and at ISPs.
Better trust relationships between users, browsers and Web sites
The success of recent phishing attacks has revealed the weakness of the authentication mechanisms used by e-commerce Web sites. In fact, if we take the example of the phishing attacks that have been launched against financial institutions, their success is due to the fact that users believed the emails they received and the Web sites to which they connected. Thus, the first defence strategy against this kind of attack is to help users to be sure of the identity of the Web site to which they connect.
Certificate-based authentication solutions seem a strong solution to ensure a trusted relationship between Web sites and users. However:
- Some Web sites use certificates that are not recognised by browsers
  - Free certificates delivered by some certification authorities (for example CAcert)
- Certificates recognised by browsers are not free
- Self-signed certificates are free but not recognised by browsers
One possible naive solution could be proposed for W3C to:
- establish a list of trusted certification authorities that deliver free certificates,
- push browser vendors to recognise this list.
However, this solution seems unlikely to be accepted by big certification authorities such as Verisign.
Thus, the questions are:
- How to improve the identification of safe Web sites?
- How to help browsers to recognise suspicious Web sites?
- Does it make sense to integrate the user in the recognition process?
Actually, nowadays, browsers are able to help users in the identification of suspicious Web sites, based mainly on Web site certificates. However, this is not sufficient. What is required is a solution that ensures explicit collaboration between browsers and users in the validation process of Web sites. Therefore, in our opinion, we need to move to more user-centred approaches that strike a balance between user beliefs, browser trust metrics and security constraints.
If we consider that browsers use a kind of trust engine that uses trust metrics and blacklists to validate Web sites, it will be important to integrate the user in the decision process by offering the opportunity to establish:
- the user's own whitelist for trusted sites, and/or blacklists for untrusted sites
- personal trust metrics
- the certificates and/or the certification authorities the user recognises
- ...
So, a possible solution will be to offer the user an infrastructure that permits him to indicate the Web sites which he trusts.
Let us consider:
- a user who wants to connect to a Web site
- a whitelist of trusted Web sites managed by this user, noted UserTrustedList, where each Web site is associated with its public key.
When the user tries to connect to a Web site, the trust engine will use, in addition to its own trust metrics, this UserTrustedList to validate the site:
- If the Web site is in the UserTrustedList, the browser will let the user connect to the requested site.
- If it is not, it will ask the Web site to send a list of Web sites that trust it, called SiteTrustMeList. Then the trust engine will search whether one of the Web sites contained in the SiteTrustMeList exists in the UserTrustedList.
  - If this is the case, it will ask that Web site to return the public key of the initial Web site. This key will then be added to the UserTrustedList and the user will be connected.
  - If no Web site of the SiteTrustMeList exists in the UserTrustedList, the browser will check its blacklist. If no suspicious site is identified in the SiteTrustMeList, the browser will ask any site in the list (for example the first one) to give the public key of the initial Web site and its own SiteTrustMeList.
  - The process will be repeated until a Web site is found in the UserTrustedList or in a blacklist.
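The following is an added simulation of the trust-engine walk described above; it is example code written for this page, not code from the authors or from any browser. The Web it runs against is constructed inline: each site has a public key and a set of sites it trusts, and its SiteTrustMeList is derived from that, except that a site may also present a claimed list of its own (which is how a spoofing site would try to borrow trust). Two details are assumptions: the engine bounds the walk with a maximum number of hops, and in a chain of more than one hop each site visited is asked for the public key of the site it is supposed to trust (the previous hop), so the walk ends with a chain of vouched keys leading back to a site in the UserTrustedList. The names, keys and lists are all constructed sample data.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Site:
    """A Web site in the constructed model: its key and the sites it vouches for."""
    name: str
    public_key: str
    trusts: Dict[str, str] = field(default_factory=dict)  # site name -> key it knows for it


class Web:
    """Constructed stand-in for the network: answers the two questions the engine asks."""

    def __init__(self, sites: List[Site], claimed_lists: Optional[Dict[str, List[str]]] = None):
        self.sites = {s.name: s for s in sites}
        # A site may claim any SiteTrustMeList it likes; the engine must therefore
        # ask the listed sites themselves rather than believe the claim.
        self.claimed = claimed_lists or {}

    def site_trust_me_list(self, name: str) -> List[str]:
        """What `name` answers when asked for its SiteTrustMeList."""
        if name in self.claimed:
            return list(self.claimed[name])
        return [s.name for s in self.sites.values() if name in s.trusts]

    def ask_key(self, voucher: str, target: str) -> Optional[str]:
        """Ask `voucher` for the public key of `target`; None if it does not trust it."""
        return self.sites[voucher].trusts.get(target)


def validate(initial: str, user_trusted: Dict[str, str], browser_blacklist: set,
             web: Web, max_hops: int = 5) -> Tuple[bool, str]:
    """Trust-engine decision for connecting to `initial`. Mutates user_trusted on success."""
    if initial in user_trusted:
        return True, f"{initial} is in UserTrustedList"
    if initial in browser_blacklist:
        return False, f"{initial} is in the browser blacklist"

    chain: Dict[str, str] = {}      # site -> key vouched for it during the walk
    visited = {initial}
    current = initial
    for _ in range(max_hops):
        trust_me = web.site_trust_me_list(current)
        # (a) does a site the user already trusts appear in the list?
        for cand in trust_me:
            if cand in user_trusted:
                key = web.ask_key(cand, current)
                if key is None:   # the claim was false: cand does not vouch for current
                    return False, f"{cand} does not actually trust {current}"
                chain[current] = key
                user_trusted[initial] = chain[initial]
                return True, f"{initial} vouched for through {' -> '.join(chain)} -> {cand}"
        # (b) is any listed site known to be suspicious?
        bad = [c for c in trust_me if c in browser_blacklist]
        if bad:
            return False, f"SiteTrustMeList of {current} contains blacklisted {bad[0]}"
        # (c) otherwise move to the first unvisited site, asking it to vouch for current
        unvisited = [c for c in trust_me if c not in visited]
        if not unvisited:
            return False, f"no further site can vouch for {current}"
        nxt = unvisited[0]
        key = web.ask_key(nxt, current)
        if key is None:
            return False, f"{nxt} does not actually trust {current}"
        chain[current] = key
        visited.add(nxt)
        current = nxt
    return False, f"no trusted site found within {max_hops} hops"


# Constructed sample Web: bank -> shop -> blog is an honest chain of trust,
# evil.example falsely claims that the bank trusts it, and mule.example is
# vouched for only by a site on the browser blacklist.
SAMPLE_WEB = Web(
    [
        Site("bank.example", "PK-bank", {"shop.example": "PK-shop"}),
        Site("shop.example", "PK-shop", {"blog.example": "PK-blog"}),
        Site("blog.example", "PK-blog"),
        Site("evil.example", "PK-evil"),
        Site("scam.example", "PK-scam", {"mule.example": "PK-mule"}),
        Site("mule.example", "PK-mule"),
    ],
    claimed_lists={"evil.example": ["bank.example"]},
)
BROWSER_BLACKLIST = {"scam.example"}


def fresh_user_list() -> Dict[str, str]:
    """The user's own whitelist: only the bank, with the key the user recorded."""
    return {"bank.example": "PK-bank"}


if __name__ == "__main__":
    for target in ["bank.example", "shop.example", "blog.example", "evil.example", "mule.example"]:
        ok, why = validate(target, fresh_user_list(), BROWSER_BLACKLIST, SAMPLE_WEB)
        print(f"{'ALLOW' if ok else 'DENY ':5} {target}: {why}")
```

Running it shows the five outcomes the procedure distinguishes: the bank is allowed directly, the shop is allowed after one vouch from the bank, the blog is allowed after a two-hop chain, the spoofing site is refused because the bank does not confirm the claimed trust, and the mule site is refused as soon as a blacklisted site appears in its SiteTrustMeList. The hop limit and the visited set are the engine's protection against a site that lists sites which in turn list it back.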
Even if this approach is at its first stage, it seems to us very promising to improve the trust relationship between users and Web sites.
Recommendations for an efficient defence strategy against Web spoofing attacks
In our opinion, to efficiently manage the security of the Web against Web spoofing attacks, we must:
- Look at Web security problems from a global point of view and not in isolation, which means from:
  - a user point of view (i.e. user or client-side)
  - a service provider point of view (i.e. server-side)
  - a network point of view (i.e. at network level)
- Take into account both technological and social engineering aspects.
- Design evolutionary and flexible security solutions to follow the evolution of the Web threat model.
- Design solutions at client-side that:
  - are acceptable to users
    - for example, can we propose solutions that oblige users to have a certificate or a public/private key pair?
  - can be easily implemented (particularly in browsers)
  - can be easily used
- Design more collaborative security solutions based on:
  - collaboration between users, browser tools and service providers
  - a community of trust