1st TIPPI Workshop

Trustworthy Interfaces for Passwords and Personal Information

Speaker: Amir Herzberg, Bar Ilan Univesity.

Title: Fixing the Web Trust Model

Fraud is increasing on the Web at alarming rates. We trace the problem to difficulties with the current web trust model, and suggest improvements in user interface and simple cryptographic protocols. One difficulty is that only a minority of the web sites use SSL/TLS protection, which is essential to provide security (against `Man In The Middle` adversaries). In fact, even sensitive sites and login forms are often not SSL protected. Even if a site is protected, it may use a CA which is untrustworthy. We suggest UI improvements to fix these problems, and ensure awareness of protection status and the use of trustworthy identification (CA).

Another problem is that identification is currently based on the URL, and users are not cognizant of the structure of URLs and domain names, and do not notice a mismatch between the URL and the identity as claimed in the site. This problem exists for both SSL and non-SSL sites. We suggest the inclusion of a `site identification` field which will identify the site by logo or name, selected by the user (`petname`) or by a trusted authority (e.g. CA).

We also discuss some non-SSL solutions, to provide security in situations where SSL is not applicable (e.g. due to overhead). Finally, we explain how browsers can securely present credentials, ratings and `seals` of the sites, e.g. for security, privacy, quality, and other attributes of site and of particular page.

An open-source implementation of our ideas is available in http://TrustBar.MozDev.org.

Prof. Amir Herzberg received B.Sc. (Computer Engineering), M.Sc. (Electrical Engineering) and D.Sc. (Computer Science), from the Technion, Israel, at 1982, 1987 and 1991, respectively. Since 1982, he worked in software and systems R&D, mostly in security and networking, in several organizations and companies. During 1991-2000, Prof. Herzberg filled research and management positions in IBM Research (New York and Israel). Later, he was a CTO at a startup, and since 2002, an associate professor in the Computer Science department of Bar Ilan University. His current research is mainly in applied cryptography, secure communication and secure e-commerce. Prof. Herzberg provides consulting and education services to R&D companies and to the banking, communications and government sectors. Many of his lectures and publications are at http://AmirHerzberg.com.

Back to TIPPI workshop page