Conference: Internet Multimedia Services Architecture and Applications (IMSAA), 2009

Mitigating man in the middle attack over secure sockets layer


Abstract

Phishing is a social engineering mechanism to steal the user's credentials, which are then used for identity theft leading to financial benefit. Currently, the majority of Phishing attacks are very unsophisticated, as they focus on collecting just the credentials and do not try to validate in real time whether the received credentials are correct. It is obvious that next-generation Phishing attacks will, in real time, try to check the credentials and also try to exploit them. It is easy for a Phisher to behave as a man-in-the-middle (MITM) between the user and the targeted site which is being phished. The problem with the MITM attack is that all the heuristics, such as monitoring the domain name for special characters, using blacklists, page analysis, etc., fail to restrict the Phisher. One significant piece of literature available in this area is PwdHash, which is successful against attacks when the user is on a URL other than the genuine website. In this paper, we have proposed and implemented a novel approach to solve MITM over SSL which uses the genuine website URL. To tackle such attacks, we propose hashing the user password with the public key of the server's digital certificate. This approach beats the MITM, since the MITM receives the hash of the original password, which cannot be reused. We prove our concept with a browser plugin.
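The binding described in the abstract can be sketched as follows. This is an added example, not the paper's plugin code: the abstract does not specify the hash construction, so the PBKDF2-HMAC-SHA256 derivation, the iteration count, the key byte strings and all function and class names here are assumptions.

```python
import hashlib
import hmac

# Constructed stand-ins for the DER-encoded public keys taken from each certificate.
GENUINE_SERVER_KEY = b"constructed-public-key-of-genuine-site"
MITM_PROXY_KEY = b"constructed-public-key-of-mitm-proxy"

ITERATIONS = 100_000  # assumed work factor; slows offline guessing of weak passwords


def derive_login_value(password: str, server_public_key: bytes) -> bytes:
    """Bind the password to the public key the browser saw on this connection."""
    salt = hashlib.sha256(server_public_key).digest()
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


class GenuineSite:
    """Server side: stores only the value derived under its own public key."""

    def __init__(self, public_key: bytes):
        self.public_key = public_key
        self.accounts = {}

    def register(self, user: str, derived: bytes) -> None:
        self.accounts[user] = derived

    def login(self, user: str, submitted: bytes) -> bool:
        expected = self.accounts.get(user)
        # Constant-time comparison of the stored and submitted values.
        return expected is not None and hmac.compare_digest(expected, submitted)


def simulate(password: str = "constructed sample passphrase") -> dict:
    """Compare a direct login with one typed on a connection terminated by a MITM."""
    site = GenuineSite(GENUINE_SERVER_KEY)
    site.register("alice", derive_login_value(password, site.public_key))

    # Direct connection: the plugin sees the genuine certificate's key.
    direct = derive_login_value(password, GENUINE_SERVER_KEY)
    # Intercepted connection: the plugin sees the proxy's key, so the proxy
    # only ever receives a value bound to its own certificate.
    captured = derive_login_value(password, MITM_PROXY_KEY)

    return {
        "direct_login": site.login("alice", direct),
        "captured_value_replayed": site.login("alice", captured),
    }


if __name__ == "__main__":
    print(simulate())
```

The property holds only if the key fed into the derivation is read from the certificate actually presented on the connection, not from anything the page itself supplies.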
