
WWW Electronic Commerce and Java Trojan Horses

J. D. Tygar and Alma Whitten, Carnegie Mellon University

Alma brought up ways in which WWW commerce can be attacked that are based on the way people browse the web and on weaknesses in the security model. The attacks presented do not rely on implementation faults; rather, they exploit weaknesses in the way the system is designed. The two attacks presented are bogus remote pages and local Trojan horses.

The bogus remote page attack relies on the lack of verification of who operates a particular page or electronic storefront. Users do not usually check address names, and domain names are available that could be used to plausibly impersonate a real site. Given the ease of copying electronic information, an attacker simply creates a site which looks like a trusted site. When the user's browser is pointed to the bogus page address, an applet which spoofs the trusted page takes control, and thus the bogus remote page enables the local Trojan horse attack.

Once the attacker applet has control, it can spoof secure dialog boxes and act like the spoofed site while obtaining potentially sensitive information (such as a password or credit card number) through the user's entries. This information can be sent back to the attacker's site by hiding it in the page access requests. After this is done the applet passes control to the real site, and the attack goes unnoticed.

Code signing is not a sufficient fix for this problem: it requires a trust basis, and since code verification is expensive it will still be desirable to run unsigned applications. A solution is window personalization. Make the trusted aspects (such as the background of the dialog boxes) (1) distinctive and easy for the user to recognize and (2) difficult for a prospective attacker to predict. To make this method work, Alma suggests the following: require selection at installation, educate users, offer many choices with randomized defaults, and avoid company logos or other predictable designs. There are extensions of this approach to ATM and POS applications.
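To make the window-personalization trade-off concrete, here is an added example (not from the talk or the paper; the choice sets, the rejected designs and the attacker model are my own assumptions) that draws a randomized default at install time with a CSPRNG, refuses predictable designs, and compares an attacker's chance of matching the trusted look under a fixed default versus a randomized one.

```python
import secrets
from dataclasses import dataclass

# Constructed choice sets for the trusted dialog's look (assumed values; the talk
# names no concrete palette). They deliberately contain no company logo or other
# design that an attacker could guess in advance.
BACKGROUNDS = ["slate", "olive", "plum", "teal", "rust", "sand"]
PATTERNS = ["plain", "stripes", "dots", "crosshatch"]
PHRASES = ["blue heron", "copper kettle", "winter pine", "salt marsh", "open window"]
PREDICTABLE_DESIGNS = {"company logo", "vendor grey"}


@dataclass(frozen=True)
class Personalization:
    background: str
    pattern: str
    phrase: str


def choice_space_size() -> int:
    """Number of distinct trusted looks (N) an attacker must guess among."""
    return len(BACKGROUNDS) * len(PATTERNS) * len(PHRASES)


def random_default() -> Personalization:
    """Randomized default assigned at installation, drawn with a CSPRNG so the
    default itself is unpredictable from one install to the next."""
    return Personalization(secrets.choice(BACKGROUNDS),
                           secrets.choice(PATTERNS),
                           secrets.choice(PHRASES))


def accept_user_choice(p: Personalization) -> bool:
    """Installer check: any look from the offered sets is fine, but predictable
    designs (logos, a vendor's stock grey) are refused even if typed in."""
    fields = (p.background, p.pattern, p.phrase)
    if any(f in PREDICTABLE_DESIGNS for f in fields):
        return False
    return (p.background in BACKGROUNDS and p.pattern in PATTERNS
            and p.phrase in PHRASES)


def spoof_success_probability(keep_default: float, randomized_default: bool) -> float:
    """Chance a forged dialog matches the victim's trusted look.
    keep_default is the fraction of users who never change the installed default.
    Fixed default: the attacker copies it and wins against all such users, and
    guesses the rest at 1/N.  Randomized default: every victim is a 1/N guess."""
    n = choice_space_size()
    if randomized_default:
        return 1.0 / n
    return keep_default + (1.0 - keep_default) / n
```

With 120 looks and 90% of users keeping the default, a fixed default lets the forgery match about 90% of the time, while a randomized default holds the attacker to 1/120 regardless of user behaviour.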

Alma was asked why location couldn't be used to indicate genuine dialog boxes, and responded that pages may occupy the entire display. Bob Gezelter mentioned the importance of good randomization, and Alma agreed. Alma was asked why the local Trojan horse was necessary. She replied that the local Trojan horse attack is more general than just the bogus remote page. Ben Fried suggested that code signing with trust determined by the vendors would alleviate the problem. Alma said that even if trust assumptions were given, code signing is inherently subject to potential flaws.


Alma Whitten
1998-07-21