
Web application security in un-trusted client scenarios


Web applications are commonly used for authorizing payments and financial transactions. As an example, home banking services allow users to transfer funds as well as authorize payments of almost any kind.

Current solutions for user authentication and channel cryptography provide a good degree of security under three assumptions: (1) the network is un-trusted, (2) the server is trusted, and (3) the user's client computer is trusted. Unfortunately, the last assumption is not always reasonable.

A malicious user who has complete control over the user's client computer (through malware installed on the victim's machine) could use the legitimate user's credentials to authorize an illegitimate operation. Bruce Schneier's article “The Failure of Two-Factor Authentication” (March 2005) describes this threat precisely, as well as the reasons why two-factor authentication, by itself, cannot mitigate the problem.

Mario Finetti's paper outlines how current solutions can be used to make the entire process secure even in scenarios where the user's client is un-trusted.

As an example, let us suppose we provide our users with a USB token equipped with an LCD display and an “OK” button. The user logs into the Web application through a standard SSL/TLS handshake with client authentication. Before performing a fund transfer of any kind, the application is required to generate a simple message containing a summary of the operation being authorized. The message is transferred to the USB token, which shows it on the LCD display. The user is then asked to check the message and press the “OK” button on the USB token if he agrees to authorize that operation. If the user confirms the operation, the USB token electronically signs the message and returns it to the Web application. As long as the USB token is a trusted environment, the entire process is secure, even if the user's client computer is not trusted. Find out more by downloading the full article at the link above.
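The flow described above, simulated end to end as an added example (this is not code from the article or from Finetti's paper). It assumes, for simplicity, that an HMAC under a key held only by the token and the bank stands in for the token's electronic signature; a real token would hold an asymmetric key and the server would verify with the registered public key. The transaction values and the key are constructed for the demo.

```python
import hashlib
import hmac
import json
import secrets
from typing import Optional, Tuple


class UsbToken:
    """Simulated trusted environment: shows the summary on its LCD and
    signs it only when the human presses OK. The key never leaves the token."""

    def __init__(self, key: bytes, user_intent: dict):
        self._key = key            # assumption: MAC key stands in for the signing key
        self._user_intent = user_intent  # what the person actually meant to authorize

    def display_and_confirm(self, summary: bytes) -> Optional[bytes]:
        shown = json.loads(summary)
        # The user reads recipient and amount on the LCD; malware on the PC
        # cannot alter what the token shows, so a tampered request is refused.
        if {k: shown[k] for k in ("to", "amount")} != self._user_intent:
            return None            # user does not press OK
        return hmac.new(self._key, summary, hashlib.sha256).digest()


class BankServer:
    """The trusted server side: builds the summary, verifies the token's answer."""

    def __init__(self, key: bytes):
        self._key = key
        self._used_nonces: set = set()

    def make_summary(self, request: dict) -> bytes:
        # A fresh nonce binds the signature to this single transfer, so a
        # captured (summary, signature) pair cannot be replayed later.
        msg = {"to": request["to"], "amount": request["amount"],
               "nonce": secrets.token_hex(8)}
        return json.dumps(msg, sort_keys=True).encode()

    def authorize(self, summary: bytes, signature: Optional[bytes]) -> bool:
        if signature is None:
            return False           # user refused on the token
        expected = hmac.new(self._key, summary, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, signature):
            return False           # forged or altered after signing
        nonce = json.loads(summary)["nonce"]
        if nonce in self._used_nonces:
            return False           # replay of an earlier authorization
        self._used_nonces.add(nonce)
        return True


def run_transfer(server: BankServer, token: UsbToken, request: dict) -> Tuple[bool, bytes, Optional[bytes]]:
    """One round trip: server summary -> token LCD/OK -> server verification."""
    summary = server.make_summary(request)
    signature = token.display_and_confirm(summary)
    return server.authorize(summary, signature), summary, signature
```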
