A cool demo of how to spoof sites (also shows how TrustBar prevents this...)

Ian G iang at systemics.com
Wed Feb 9 14:22:05 EST 2005


Adam Shostack wrote:

> Have you run end-user testing to demonstrate the user-acceptability of
> Trustbar?

Yes, this was asked over on the cap-talk list.
Below is what I posted there.  I'm somewhat
sympathetic, as doing a real field trial which
involves testing real responses to a browser
attack raises all sorts of Heisenberg uncertainty /
experimental method issues.  Off the top of
my head, I think this is a really tricky problem,
and if anyone knows how to test security
breaches on ordinary users, shout!


Ka-Ping Yee wrote:

>> 1. TrustBar: Protecting (even Naive) Web Users from Spoofing and
>> Phishing Attacks, Amir Herzberg and Ahmad Gbara
>> http://www.cs.biu.ac.il/~herzbea//Papers/ecommerce/spoofing.htm
>
> I've read that paper.  What they did is not a user study at all;
> it was merely a questionnaire.  It's certainly better than nothing,
> but it is not a user study.  For the results to be applicable, the
> tests should take place while users are actually interacting with
> a browser normally.

I agree it wasn't much.  But it was a bit more than
just a multiple choice:


  "The second goal of the third question was to evaluate whether the use 
of TrustBar is likely to improve the ability of users to discern between 
unprotected sites, protected sites and spoofed (fake) sites. For this 
purpose, we gave users a very brief explanation on the TrustBar security 
indicators, and then presented three additional screen shots, this time 
using a browser equipped with TrustBar. Again, the screen shots are 
presented in Appendix B, and each was presented for 10 to 15 seconds, 
taken using Mozilla in the Amazon web site. We leave it as a simple 
exercise to the reader to identify the protected, unprotected and 
spoofed (fake) among these three screen shots.

  "The results provide positive indication supporting our belief that 
the use of TrustBar improves the ability of (naïve) web users to discern 
between protected, unprotected and fake sites. Specifically, the number 
of users that correctly identified each of the three sites essentially 
doubled (to 21, 22 and 29)."

That would rate as a simulation rather than
a field trial, I guess.


-- 
iang

-- 
News and views on what matters in finance+crypto:
        http://financialcryptography.com/


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com