TL;DR
The paper proposes a novel browser-based authentication method using a shared secret image and certificate details to prevent phishing, replacing traditional TLS indicators like the padlock.
Contribution
It introduces a new phishing prevention approach leveraging shared secrets and certificate display, enhancing user verification beyond standard TLS indicators.
Findings
Shared secret images cannot be counterfeited by phishing sites.
The method uses existing cryptography principles for user authentication.
It offers an alternative to visual TLS cues like the padlock.
Abstract
The current implementation of TLS involves your browser displaying a padlock, and a green bar, after successfully verifying the digital signature on the TLS certificate. Proposed is a solution where your browser's response to successful verification of a TLS certificate is to display a login window. That login window displays the identity credentials from the TLS certificate, to allow the user to authenticate Bob. It also displays a 'user-browser' shared secret i.e. a specific picture from your hard disk. This is not SiteKey, the image is shared between the computer user and their browser. It is never transmitted over the internet. Since sandboxed websites cannot access your hard disk this image cannot be counterfeited by phishing websites. Basically if you view the installed software component of your browser as an actor in the cryptography protocol, then the solution to phishing…
Peer Reviews
No public reviews on file for this paper yet. If you reviewed it on a platform where reviews are public (OpenReview, ICLR, NeurIPS, ICML), you can paste yours below so the community can read it here.
Videos
No videos yet. Explain this paper in a talk, walkthrough, or lecture? Add one.