Analyzing websites for user-visible security design flaws

Symposium On Usable Privacy and Security Pub Date : 2008-07-23 DOI:10.1145/1408664.1408680

L. Falk, A. Prakash, Kevin Borders

{"title":"Analyzing websites for user-visible security design flaws","authors":"L. Falk, A. Prakash, Kevin Borders","doi":"10.1145/1408664.1408680","DOIUrl":null,"url":null,"abstract":"An increasing number of people rely on secure websites to carry out their daily business. A survey conducted by Pew Internet states 42% of all internet users bank online. Considering the types of secure transactions being conducted, businesses are rigorously testing their sites for security flaws. In spite of this testing, some design flaws still remain that prevent secure usage. In this paper, we examine the prevalence of user-visible security design flaws by looking at sites from 214 U.S. financial institutions. We specifically chose financial websites because of their high security requirements. We found a number of flaws that may lead users to make bad security decisions, even if they are knowledgeable about security and exhibit proper browser use consistent with the site's security policies. To our surprise, these design flaws were widespread. We found that 76% of the sites in our survey suffered from at least one design flaw. This indicates that these flaws are not widely understood, even by experts who are responsible for web security. Finally, we present our methodology for testing websites and discuss how it can help systematically discover user-visible security design flaws.","PeriodicalId":273244,"journal":{"name":"Symposium On Usable Privacy and Security","volume":"16 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2008-07-23","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"47","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Symposium On Usable Privacy and Security","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1145/1408664.1408680","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 47

Abstract

An increasing number of people rely on secure websites to carry out their daily business. A survey conducted by Pew Internet states 42% of all internet users bank online. Considering the types of secure transactions being conducted, businesses are rigorously testing their sites for security flaws. In spite of this testing, some design flaws still remain that prevent secure usage. In this paper, we examine the prevalence of user-visible security design flaws by looking at sites from 214 U.S. financial institutions. We specifically chose financial websites because of their high security requirements. We found a number of flaws that may lead users to make bad security decisions, even if they are knowledgeable about security and exhibit proper browser use consistent with the site's security policies. To our surprise, these design flaws were widespread. We found that 76% of the sites in our survey suffered from at least one design flaw. This indicates that these flaws are not widely understood, even by experts who are responsible for web security. Finally, we present our methodology for testing websites and discuss how it can help systematically discover user-visible security design flaws.

查看原文

微信好友朋友圈 QQ好友复制链接

本刊更多论文

分析网站用户可见的安全设计缺陷

越来越多的人依靠安全的网站来开展日常业务。皮尤互联网公司进行的一项调查显示，42%的互联网用户在网上银行。考虑到正在进行的安全交易的类型，企业正在严格测试其站点的安全漏洞。尽管进行了这些测试，一些设计缺陷仍然存在，妨碍了安全使用。在本文中，我们通过查看214家美国金融机构的网站来检查用户可见的安全设计缺陷的普遍性。我们特别选择了金融类网站，因为它们的安全性要求很高。我们发现了许多可能导致用户做出错误安全决策的缺陷，即使他们了解安全知识并按照站点的安全策略正确使用浏览器。令我们惊讶的是，这些设计缺陷普遍存在。我们发现，在我们的调查中，76%的网站至少存在一个设计缺陷。这表明这些漏洞并没有被广泛理解，即使是负责网络安全的专家。最后，我们提出了测试网站的方法，并讨论了它如何帮助系统地发现用户可见的安全设计缺陷。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文去求助

来源期刊

Symposium On Usable Privacy and Security

自引率

0.00%

发文量