Attacks vs. Countermeasures of SSL Protected Trust Model

摘要

This paper analyzes the problems within current anti-spoofing mechanisms and proposes a new SSL protected trust model. Then, this paper describes the attacks on SSL protected trust model. This paper also proposes the new Automatic Detecting Security Indicator (ADSI) scheme to defend against spoofing attacks on SSL protected Web servers. This paper describes the ADSI-based trust model. In a secure transaction, ADSI may randomly generate a picture and embed it into the current Web browser. This can be triggered by any security relevant events occurred on the browser, and then performs automatic checking on current active security status. When a mismatch of embedded images is detected, an alarm goes off to alert the users. Since an adversary is hard to replace or mimic the randomly generated picture, the Web-spoofing attack can not be mounted easily. In comparison with existing proposals, the proposed scheme has the following advantages: (1) weak security assumption and very low burden on the customer by automating the process of detection and recognition of the Web-spoofing for SSL-enabled communications, (2) little intrusive on the browser, and (3) easy implementation in trusted PC at Internet Cafe requiring neither Logo Certification Authority, nor the scheme of personalization.