CPL - Chalmers Publication Library

Measuring login webpage security

Steven Van Acker (Department of Computer Science and Engineering, Information Security (Chalmers)); Daniel Hausknecht (Department of Computer Science and Engineering, Information Security (Chalmers)); Andrei Sabelfeld (Department of Computer Science and Engineering, Information Security (Chalmers))
Proceedings of the ACM Symposium on Applied Computing Vol. Part F128005 (2017), p. 1753-1760.
[Conference paper, peer-reviewed]

Copyright 2017 ACM. Login webpages are the entry points into sensitive parts of web applications, separating public access to a website from private, user-specific access to its resources. As such, these entry points must be guarded with great care. The vast majority of today's websites rely on text-based username/password pairs for user authentication. While much prior research has focused on the strengths and weaknesses of textual passwords, this paper puts a spotlight on the security of the login webpages themselves. We conduct an empirical study of the Alexa top 100,000 pages to identify login pages and scrutinize their security. Our findings show several widespread vulnerabilities, such as possibilities for password leaks to third parties and password eavesdropping on the network. They also show that only a small number of login pages deploy advanced security measures. Our findings on open-source web frameworks and content management systems confirm the lack of support against the login attacker. To ameliorate the problematic state of the art, we discuss measures to improve the security of login pages.
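The abstract names two vulnerability classes (password eavesdropping on the network and password leaks to third parties) and notes how rarely login pages deploy hardening. As an added example that is not the paper's own tooling or methodology, the following static checker takes a login page's URL, response headers and HTML and reports the conditions a practitioner would look for: the page or the form action served over plain HTTP, a form action or a script hosted on a different registrable domain, and missing HSTS or Content-Security-Policy headers. The mapping of the abstract's classes to these concrete checks is the editor's, the `registrable_domain` helper is a deliberate approximation (last two DNS labels, no Public Suffix List lookup), and the sample pages, hostnames and headers are constructed for the example.

```python
"""Static checks on a login page for the vulnerability classes the abstract
names: network eavesdropping, password leaks to third parties, and missing
hardening headers. Added example; the checks, helper and sample data below are
the editor's constructions, not the paper's crawler."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


def registrable_domain(host):
    """Approximate eTLD+1 by keeping the last two labels (no PSL lookup)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


class LoginPageParser(HTMLParser):
    """Collects forms containing a password field and external script sources."""

    def __init__(self):
        super().__init__()
        self.forms = []      # {"action": str, "has_password": bool} per <form>
        self.scripts = []    # src attribute of every <script src=...>
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current["has_password"] = True
        elif tag == "script" and a.get("src"):
            self.scripts.append(a["src"])

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def check_login_page(page_url, headers, html):
    """Return a list of findings (strings) for one login page; empty means clean."""
    parser = LoginPageParser()
    parser.feed(html)
    page = urlsplit(page_url)
    page_domain = registrable_domain(page.hostname or "")
    hdr = {k.lower(): v for k, v in headers.items()}
    findings = []

    login_forms = [f for f in parser.forms if f["has_password"]]
    if not login_forms:
        return ["no password form found"]

    # Eavesdropping class: the page itself, or the submit target, is plain HTTP.
    if page.scheme != "https":
        findings.append("login page served over HTTP: page and password can be read or modified on the network")
    for f in login_forms:
        action = urlsplit(urljoin(page_url, f["action"]))
        if action.scheme != "https":
            findings.append(f"form posts over HTTP to {action.netloc}: password eavesdropping on the network")
        # Third-party class: the password is submitted to another registrable domain.
        if action.hostname and registrable_domain(action.hostname) != page_domain:
            findings.append(f"form posts to third-party domain {action.hostname}: password sent to a third party")

    # Third-party class: any cross-domain script can read the password field via the DOM.
    for src in parser.scripts:
        host = urlsplit(urljoin(page_url, src)).hostname or ""
        if registrable_domain(host) != page_domain:
            findings.append(f"third-party script {src}: can read the password field via the DOM")

    # Hardening headers that blunt both classes.
    if "strict-transport-security" not in hdr:
        findings.append("no Strict-Transport-Security header: first or downgraded visit is interceptable")
    if "content-security-policy" not in hdr:
        findings.append("no Content-Security-Policy header: script sources are unrestricted")
    return findings


# Constructed sample input: one weak page and one hardened page.
WEAK_URL = "http://shop.example/login"
WEAK_HEADERS = {"Content-Type": "text/html"}
WEAK_HTML = """<html><body>
<script src="https://cdn.analytics-example.net/track.js"></script>
<form action="http://auth-provider.example/session" method="post">
  <input type="text" name="user"><input type="password" name="pass">
</form></body></html>"""

HARDENED_URL = "https://shop.example/login"
HARDENED_HEADERS = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'",
}
HARDENED_HTML = """<html><body>
<script src="/static/login.js"></script>
<form action="/session" method="post">
  <input type="text" name="user"><input type="password" name="pass">
</form></body></html>"""

if __name__ == "__main__":
    for name, url, hdrs, doc in [("weak", WEAK_URL, WEAK_HEADERS, WEAK_HTML),
                                 ("hardened", HARDENED_URL, HARDENED_HEADERS, HARDENED_HTML)]:
        print(name, check_login_page(url, hdrs, doc))
```

The weak page triggers all six findings; the hardened page, which keeps the form action and script on its own origin over HTTPS and sends both headers, triggers none. Running the same function over a crawl of fetched pages is how a study of this kind scales, with the caveat that a static parse misses forms injected by JavaScript, so a headless browser is needed for completeness.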

Keywords: Attacker models, Large-scale study, Login page, Web security



This record was created 2017-07-18.
CPL Pubid: 250739
