Web spoofing is a dangerous and nearly undetectable security attack that can be carried out on today’s Internet. Fortunately there are some protective measures you can take.
Short-term Solution
In the short run, the best defense is to follow a three-part strategy:
disable JavaScript in your browser so the attacker will be unable to hide the evidence of the attack;
make sure your browser’s location line is always visible;
pay attention to the URLs displayed on your browser’s location line, making sure they always point to the server you think you’re connected to.
This strategy will significantly lower the risk of attack, though you could still be victimized if you are not conscientious about watching the location line.
At present, JavaScript, ActiveX, and Java all tend to facilitate spoofing and other security attacks, so we recommend that you disable them. Doing so will cause you to lose some useful functionality, but you can recoup much of this loss by selectively turning on these features when you visit a trusted site that requires them.
Long-term Solution
We do not know of a fully satisfactory long-term solution to this problem.
Changing browsers so they always display the location line would help, although users would still have to be vigilant and know how to recognize rewritten URLs. This is an example of a “trusted path” technique, in the sense that the browser is able to display information for the user without possible interference by untrusted parties.
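The third part of the short-term strategy, and the "recognize rewritten URLs" skill mentioned here, can be automated. The following is an added example, not part of the original paper; the host names are constructed and the verdict labels and function names are my own:

```python
"""Check a browser location-line URL against the server the user expects.

A rewritten (spoofed) URL keeps the victim site's name somewhere in the URL
while the attacker's server occupies the authority part, for example
    http://attacker.example/http://www.bank.example/login
"""
from urllib.parse import urlsplit, unquote


def actual_host(url: str) -> str:
    """Host the browser will really connect to, lower-cased.

    urlsplit().hostname drops userinfo ("www.bank.example@evil") and the
    port, two other ways of disguising the real destination.
    """
    if "://" not in url:  # a location line always shows a scheme; be lenient
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def check_location(url: str, expected_host: str) -> str:
    """Classify a displayed URL as "ok", "rewritten" or "wrong-server".

    "rewritten" means the expected name occurs in the URL but is not the
    host actually being contacted: the URL-rewriting spoof pattern.
    """
    expected = expected_host.lower()
    host = actual_host(url)
    if host == expected or host.endswith("." + expected):
        return "ok"
    # Decode percent-encoding so "www%2Ebank%2Eexample" cannot hide the name.
    if expected in unquote(url).lower():
        return "rewritten"
    return "wrong-server"


# Constructed sample location-line values; none of these hosts are real.
SAMPLE_URLS = [
    "https://www.bank.example/login",                               # genuine
    "https://WWW.BANK.EXAMPLE:443/login",                           # genuine
    "http://attacker.example/http://www.bank.example/login",        # rewrite
    "http://www.bank.example@attacker.example/login",               # userinfo
    "http://attacker.example/?u=https%3A%2F%2Fwww.bank.example%2F", # encoded
    "http://www.bank.example.attacker.example/login",               # look-alike
    "http://news.example/",                                         # unrelated
]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        print(f"{check_location(url, 'www.bank.example'):12s} {url}")
```

A "rewritten" verdict is exactly the case the paper warns about: the familiar name is visible on the location line, but the authority component names a different server.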
For pages that are not fetched via a secure connection, there is not much more that can be done.
For pages fetched via a secure connection, an improved secure-connection indicator could help. Rather than simply indicating a secure connection, browsers should clearly say who is at the other end of the connection. This information should be displayed in plain language, in a manner intelligible to novice users; it should say something like “Microsoft Inc.” rather than “www.microsoft.com.”
Every approach to this problem seems to rely on the vigilance of Web users. Whether we can realistically expect everyone to be vigilant all of the time is debatable.
Related Work
We did not invent the URL rewriting technique. Previously, URL rewriting has been used as a technique for providing useful services to people who have asked for them.
Existing services that use URL rewriting include The Anonymizer and the Zippy filter. The Anonymizer, written by Justin Boyan at Carnegie Mellon University, is a service that allows users to surf the Web without revealing their identities to the sites they visit. The Zippy filter, written by Henry Minsky, presents an amusing vision of the Web with Zippy-the-Pinhead sayings inserted at random.
Fred Cohen first described the use of URL rewriting as an attack technique. Though we did not invent URL rewriting, we believe we are the first to realize its full potential as one component of a security attack that includes the hiding of other clues about the origin of documents.
Acknowledgments
The URL-rewriting part of our demonstration program is based on Henry Minsky’s code for the Zippy filter. We are grateful to David Hopwood for useful discussions about spoofing attacks, and to Gary McGraw and Laura Felten for comments on drafts of this paper. Gary McGraw designed the figure.