Module 5.5: Security User Interface

This document discusses security issues related to user interfaces and mixed content loading. It notes that passwords should only be typed on pages loaded over HTTPS, and that loading non-HTTPS content on HTTPS pages allows network attackers to hijack sessions. Finally, it discusses limitations of security indicators like lock icons and the status bar which can be spoofed.

Uploaded by Harpreet Singh
Copyright: © All Rights Reserved

Module 5.5: Security User Interface

When is it safe to type my password?

Security User Interface

Slides 3 to 7: "Safe to type your password?" (slide 6 marked "???"); the slide images are not reproduced here.
Mixed Content: HTTP and HTTPS

Problem: the page loads over HTTPS but includes HTTP content, so a network attacker can control the page. Browser behaviour at the time of these slides:
- IE: displays a mixed-content dialog to the user; Flash files over HTTP are loaded with no warning (!). Note: Flash can script the embedding page.
- Firefox: red slash over the lock icon (no dialog); Flash files over HTTP do not trigger the slash.
- Safari: does not detect mixed content.
Mixed content and network attacks

Banks: after login, all content is served over HTTPS.
Developer error: somewhere on the bank site, someone writes
<script src=http://www.site.com/script.js></script>
An active network attacker can now hijack any session, because a script they substitute on the HTTP fetch runs with the authority of the HTTPS page that included it.
Better way to include content:
<script src=//www.site.com/script.js></script>
A scheme-relative URL is served over the same protocol as the embedding page.
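A defender-side audit for the developer error above, added here as an example and not part of the slides: it scans a page's HTML for active sub-resources (the tag set, the helper names and the sample page are constructed assumptions) that an HTTPS page would fetch over plain HTTP, and rewrites each to the scheme-relative form the slide recommends.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Active sub-resources: ones that can run code or script the embedding page
# (the slides single out <script> and Flash objects). Assumed set, not exhaustive.
ACTIVE = {"script": "src", "iframe": "src", "object": "data", "embed": "src"}

class MixedContentScanner(HTMLParser):
    """Collect active sub-resources referenced with an explicit http:// URL."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attr = ACTIVE.get(tag)            # html.parser lowercases tag names
        url = dict(attrs).get(attr) if attr else None
        if url and urlsplit(url.strip()).scheme.lower() == "http":
            self.findings.append((tag, url.strip()))

def find_mixed_content(page_url, html):
    """Return (tag, url) pairs an HTTPS page would fetch over plain HTTP.
    https:// and scheme-relative (//host/...) references are left alone."""
    if urlsplit(page_url).scheme.lower() != "https":
        return []                         # plain-HTTP page: nothing to downgrade
    scanner = MixedContentScanner()
    scanner.feed(html)
    return scanner.findings

def protocol_relative(url):
    """Rewrite http://host/path to //host/path, the form the slide recommends,
    so the browser fetches it over the embedding page's own protocol."""
    scheme = urlsplit(url).scheme
    return url[len(scheme) + 1:]          # drop "http:" / "https:", keep "//host/path"

# Constructed sample page modelled on the slide's developer error.
SAMPLE_HTML = """<html><body>
<script src=http://www.site.com/script.js></script>
<script src=//www.site.com/script.js></script>
<img src=http://www.site.com/logo.png>
<object data="http://www.site.com/player.swf"></object>
</body></html>"""

if __name__ == "__main__":
    for tag, url in find_mixed_content("https://bank.example/login", SAMPLE_HTML):
        print(f"<{tag}> loads {url} over HTTP; use src={protocol_relative(url)}")
```

The passive `<img>` is deliberately not reported: the slides' concern is content that can script the page, which is what lets an active network attacker hijack the session.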
Lock Icon 2.0

Extended validation (EV) certs: a prominent security indicator for EV certificates.
Note: EV site loading content from non-EV site does

Finally: the status bar

Trivially spoofable: the status bar shows the href at hover time, but a click handler can change the destination before navigation happens.
<a href="http://www.paypal.com/" onclick="this.href = 'http://www.evil.com/';">PayPal</a>
