Conference: Symposium on Chemistry as a second language

SSLock: Sustaining the Trust on Entities Brought by SSL



Abstract

We propose a new, simple and effective domain segmentation approach to sustain SSL protection, which is usually compromised when users are expected to perform legitimacy judgment. It has been established that using security warnings and indicators is a serious operational flaw of SSL. As a security-critical system, SSL should never rely on users' judgment as the ultimate defense, because adversaries that exploit users' ignorance and illiteracy are sufficient to break the most secure system. The proposal simply requires a service provider to opt in by hosting its service in a special subdomain "secure". The enhanced protection will then be automatically in force. In this paper, we consider three severe and characteristic attack models, namely dynamic pharming, deceptive captive portal and SSLStrip attacks, and we show that there is no single defeating solution except SSLock. We have conducted a deployability analysis, which further justifies the proposal in terms of its high compatibility rate. SSLock is the only approach that is generic and light-weight for application vendors, opt-in and zero-initialization for service providers, and privacy-preserving and idiot-proof for generic users.
