Minimizing SSO effort in verifying SSL anti-phishing indicators


Abstract

In an on-line transaction, a user sends her personal sensitive data (e.g., a password) to a server for authentication. This process is known as Single Sign-On (SSO). Subject to phishing and pharming attacks, the sensitive data may be disclosed to an adversary when the user is lured to visit a bogus server. There has been much research in anti-phishing methods, and most of them are based on enhancing the security of browser indicators. In this paper, we present a completely different approach to defeating phishing and pharming attacks. Our method is based on an encrypted cookie. It tags the sensitive data with the server's public key and stores it as a cookie on the user's machine. When the user visits the server to perform an online transaction, the sensitive data in the cookie is encrypted with the stored public key of the server. The ciphertext can only be decrypted by the genuine server. Our encrypted cookie scheme (ECS) has the advantage that the user can ignore the SSL indicator in the transaction process. The security is guaranteed even if the user accepts a malicious self-signed certificate. This advantage greatly relieves the user's burden of checking the SSL indicator, which can be very difficult even for an experienced user when the phishing site has a sophisticated visual design. © 2008 Springer Science+Business Media, LLC.

Citation (APA)

Wu, Y., Yao, H., & Bao, F. (2008). Minimizing SSO effort in verifying SSL anti-phishing indicators. In IFIP International Federation for Information Processing (Vol. 278, pp. 47–61). Springer New York. https://doi.org/10.1007/978-0-387-09699-5_4
