Session Juggler Elie Bursztein, Chinmay Soman, Dan Boneh, John - - PowerPoint PPT Presentation
Session Juggler Elie Bursztein, Chinmay Soman, Dan Boneh, John Michell Stanford University / Google 1 About this presentation Date: 19 April 2012 Conference: WWW 2012 Feel free to contact me URL: http://ly.tl/p23 if you have any question
Elie Bursztein, Chinmay Soman, Dan Boneh, John Michell Stanford University / Google
1
Elie Bursztein Slide deck 2010 http://ly.tl/t1
Date: 19 April 2012 Conference: WWW 2012 URL: http://ly.tl/p23
if you have any question Feel free to contact me
Elie Bursztein Slide deck 2010 http://ly.tl/t1
Elie Bursztein Slide deck 2010 http://ly.tl/t1
Elie Bursztein Slide deck 2010 http://ly.tl/t1
Elie Bursztein Slide deck 2010 http://ly.tl/t1
Elie Bursztein Slide deck 2010 http://ly.tl/t1
Afraid of the Dark ?
Elie Bursztein Slide deck 2010 http://ly.tl/t1
Afraid of the Dark ?
Elie Bursztein http://elie.im Session Juggler WWW 2012
Elie Bursztein http://elie.im Session Juggler WWW 2012
Elie Bursztein http://elie.im Session Juggler WWW 2012
% of site using HTTPS 0% 10% 20% 30% 40% 50% 60% 70% 80% 90% Number of sites (logarithmic) 102 103 104 105 % of sites using HTTPS to log users
Elie Bursztein http://elie.im Session Juggler WWW 2012
Elie Bursztein http://elie.im Session Juggler WWW 2012
[5] [24] [29] [21] [12] [28] [31] year 1999 2004 2006 2007 2008 2008 2009 Trusted device Palm Pilot PDA Phone Phone Phone Phone Phone Requires server-side changes X X X X X Requires client-side changes X X X X X X X Connection type USB USB Net USB/BT USB Net NFC Hardware needed TPM TPM/NFC
Elie Bursztein Slide deck 2010 http://ly.tl/t1
Elie Bursztein http://elie.im Session Juggler WWW 2012
Elie Bursztein Slide deck 2010 http://ly.tl/t1
Elie Bursztein http://elie.im Session Juggler WWW 2012
www.facebook.com
Elie Bursztein http://elie.im Session Juggler WWW 2012
Phone Blackboard Unsecure terminal Target website
Out of band exchange HTTP(S) traffic Encrypted data
Elie Bursztein http://elie.im Session Juggler WWW 2012
Phone Blackboard Unsecure terminal Target website
Out of band exchange HTTP(S) traffic Encrypted data
Elie Bursztein http://elie.im Session Juggler WWW 2012
Phone Blackboard Unsecure terminal Target website
Out of band exchange HTTP(S) traffic Encrypted data
Elie Bursztein http://elie.im Session Juggler WWW 2012
Phone Blackboard Unsecure terminal Target website
Out of band exchange HTTP(S) traffic Encrypted data
Elie Bursztein http://elie.im Session Juggler WWW 2012
Phone Blackboard Unsecure terminal Target website
Out of band exchange HTTP(S) traffic Encrypted data
Elie Bursztein http://elie.im Session Juggler WWW 2012
Defense % of Alexa100 Login over HTTPS 83% Using secure cookies 52% Seperating mobile and desktop sessions 6% Binding session to IP address 8% Checking local time 1% Binding session to user-agent header 0% Binding session to local language 0% Logout over HTTPS 1%
Elie Bursztein http://elie.im Session Juggler WWW 2012
Elie Bursztein http://elie.im Session Juggler WWW 2012
Elie Bursztein http://elie.im Session Juggler WWW 2012
Questions ? Follow-me ! Thank you ! Google+ / Twitter: @elie More research: http://elie.im/
Elie Bursztein http://elie.im Session Juggler WWW 2012
1) key 5) Login 3) {Request} Resume session 7) {Session data} 2) {Request} 6) {Session data} 4) Get password