the cups blog

07-25-08

Analyzing Websites for User-Visible Security Design Flaws

Study

-chose not to examine bugs or browser flaws

-Analyzed a combination of 214 websites (mostly banks)

Demo:

-Login on insecure pages

-Contact information on insecure pages

Should this be a concern?

-exploits would not be straightforward, but attackers are becoming more organized

Use of Third-Party Sites

-break in chain of trust

Demo:

-transition to third party site

Policies on User Ids and Passwords

-inadequate or unclear policies for user ids and passwords

Ambiguity in Policies

-emailing security sensitive information

Results

-significant number of sites have login design flaws (47%)

Limitations of Study

-may have failed to completely retrieve all relevant pages

-Only looked at financial institutions in the US

-used heuristics for automated analysis

Usability Lessons for Websites

-stay on the same host name

-if not, keep on the same domain

-else make “proper introduction”

-use SSL throughout the site
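As an added example (not part of these blog notes and not the study's own analysis tooling), the checker below turns the flaw categories and lessons above into heuristics that can be run over a site's pages: a login form on a page not served over SSL, a login form that posts without SSL, a login form that leaves the page's host name (same domain or a third-party site). The sample pages, the `.test` host names and the last-two-labels rule for "same domain" are constructed assumptions.

```python
"""Heuristic checker for user-visible login design flaws (added example).

Assumptions: sample pages are constructed inline; "same domain" is decided by
a crude last-two-labels rule rather than a public-suffix list.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


def registrable_domain(host):
    """Last two DNS labels, e.g. online.example-bank.test -> example-bank.test
    (assumption: good enough for the sample hosts; real audits use a suffix list)."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


class _FormCollector(HTMLParser):
    """Record each <form> action and whether it contains a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []        # [{"action": str, "has_password": bool}, ...]
        self._current = None   # form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = {"action": attrs.get("action") or "", "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def check_login_page(page_url, html):
    """Return the list of flaw labels found on one page, in the talk's categories."""
    page = urlsplit(page_url)
    parser = _FormCollector()
    parser.feed(html)
    flaws = []
    if page.scheme != "https":
        flaws.append("page not served over SSL")          # "login on insecure pages"
    for form in parser.forms:
        if not form["has_password"]:
            continue                                       # only login forms matter here
        action = urlsplit(urljoin(page_url, form["action"]))
        if action.scheme != "https":
            flaws.append("login form posts without SSL")
        if action.hostname != page.hostname:               # leaves the host name
            if registrable_domain(action.hostname or "") == registrable_domain(page.hostname or ""):
                flaws.append("login form leaves host name (same domain)")
            else:
                flaws.append("login form posts to third-party site")  # break in chain of trust
    return flaws


# Constructed sample pages (not real sites): a plain-http home page with an
# embedded login box, a clean https login page, and a page handing a PIN to a
# third-party host.
SAMPLE_PAGES = {
    "http://www.example-bank.test/":
        '<form action="https://online.example-bank.test/login" method="post">'
        '<input type="text" name="u"><input type="password" name="p"></form>',
    "https://www.example-bank.test/login":
        '<form action="/login" method="post"><input type="password" name="p"></form>',
    "https://www.example-bank.test/contact":
        '<form action="https://forms.third-party.test/submit" method="post">'
        '<input type="password" name="pin"></form>',
}


def audit(pages):
    """Map each page URL to its flaw labels."""
    return {url: check_login_page(url, html) for url, html in pages.items()}


def flaw_rate(results):
    """Fraction of audited pages with at least one flaw."""
    return sum(1 for f in results.values() if f) / len(results) if results else 0.0


if __name__ == "__main__":
    results = audit(SAMPLE_PAGES)
    for url, flaws in results.items():
        print(url, "->", flaws or "no flaws")
    print("pages with flaws: %.0f%%" % (100 * flaw_rate(results)))
```

The three labels map onto the lessons list: a page passes only when it stays on the same host name and uses SSL for both the page and the form target; the "same domain" case is reported separately because the notes treat it as the fallback, and a third-party target is where a "proper introduction" would be needed.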