[attrition] rant: Brief analysis of "Analyzing Websites for User-Visible Security Design Flaws"
lyger
lyger at attrition.org
Fri Jul 25 15:53:23 UTC 2008
http://attrition.org/security/rant/prakash_et_al-01.html
Fri, 25 Jul 2008 15:05:25 +0000 (UTC)
Jericho (Security Curmudgeon)
After being provided a link to the original paper and reading additional
comments, I wanted to follow up on my original post [1] with more
thoughts. If you want the slightly more technical review, search down to
"methodology review". The paper in question is "Analyzing Websites for
User-Visible Security Design Flaws" by Laura Falk, Atul Prakash and Kevin
Borders [2]. I strongly encourage more security professionals to provide
peer scrutiny to security research coming from universities.
As was pointed out, the research was done in 2006 (testing in Nov/Dec) but
the results are just now being published. Three people working on a study
on 214 web sites should not take that long to publish. To wait so long in
publishing research on a topic like this, one must question if it is
responsible, or more to the point, relevant. In the world of high end
custom banking applications, my experience consulting for such companies
tells me that many will do periodic audits from third parties and that
these sites get continuous improvements and changes every week. One of the
web sites I use for personal banking has changed dramatically in the last
12 months, making huge changes to the functionality and presumably
architecture, security and design. The results of a 2006 audit of that
site are probably most irrelevant.
As with most research papers, the lack of publish date in the header is
annoying. The abstract does not mention the 2006 to 2008 time gap between
research and publication either. This time difference is seen almost
immediately in the citation of Schechter et al., regarding people
"disregarding SSL indicators". The current releases of several browsers,
most notably IE7 and Firefox 3, make pretty big shifts in how the browser
handles and warns about SSL indicators. Each browser is considerably more
paranoid and will throw a warning over more discrepancies that each would
have ignored in previous versions.
[1] http://attrition.org/pipermail/dataloss/2008-July/002565.html
[2] http://cups.cs.cmu.edu/soups/2008/proceedings/p117Falk.pdf
[...]