Concepts against Man-in-the-Browser Attacks
Philipp Gühring
http://www2.futureware.at/svn/sourcerer/CAcert/SecureClient.pdf
15 pp. January 2007

Abstract: A new threat is emerging that attacks browsers by means of trojan horses. The new breed of new trojan horses can modify the transactions on-the-fly, as they are formed in browsers, and still display the user's intended transaction to her. Structurally they are a man-in-the-middle attack between the user and the security mechanisms of the browser. Distinct from Phishing attacks which rely upon similar but fraudulent websites, these new attacks cannot be detected by the user at all, as they are using real services, the user is correctly logged-in as normal, and there is no difference to be seen. The WYSIWYG concept of the browser is successfully broken. No advanced authentication method (PIN, TAN, iTAN, Client certificates, Secure-ID, SmartCards, Class3 Readers, OTP, ...) can defend against these attacks, because the attacks are working on the transaction level, not on the authentication level. PKI and other security measures are simply bypassed, and are therefore rendered obsolete.

--

Gühring's article is a web-published document that is difficult to cite accurately, despite the publicity it received in FC++3 and elsewhere.

A date stamp at the top of its first page says "2007-01-24". An internal datestamp (probably the one that produces the first-page header) sets the PDF variable CreationDate to the initial value "D:20070124164140+01'00'". A PDF comment contains the string "Created 25.Jan.2007 3:41:40 a.m.". The two agree to the second if the comment was stamped by a clock eleven hours ahead of the +01:00 stamp, i.e. one running in UTC+12; so the comment is consistent with the date-stamp and CreationDate, but was written in some other timezone.

The title area of the document bears two other date-stamps:

Date: 2006-06-16
Update: 2006-09-12

It is not clear what (if anything) in this article was changed between September 2006 and January 2007.

This article was announced in FC++3 - Advances in Financial Cryptography, Number Three.
It is not "published" by FC++3, because the only thing published by FC++3 is a URL to the author's web area. An updated article is provided by the author at the URL that was announced in FC++3. It seems likely that the Wayback Machine's web crawler (http://www.archive.org/index.php) has retained copies of the June 2006 and September 2006 versions. It should also be possible to establish the (approximate) date on which the current version was web-posted by Gühring. But (of course) cached copies are not the same as archival versions.

--

https://financialcryptography.com/mt/archives/000757.html:

June 25, 2006
FC++3 - Advances in Financial Cryptography, Number Three

A quick glance at the calendar reveals that it has been a year since the last FC++. Too long, so amends must be made! Our experiment in peer-reviewed, pre-review continues. Advances in Financial Cryptography, Number Three is released as three blog posts to follow. This issue introduces capabilities, software engineering and a dash of economics, all with relevance to this year's emerging security crisis.

Mark Miller, Robust Composition: Towards a Unified Approach to Access Control and Concurrency Control
Philipp Gühring, Concepts against Man-In-The-Browser Attacks
Ian Grigg, The Market for Silver Bullets

Our mission is to solicit comments, feedback, and criticism from peers in the financial cryptography community in order to polish these documents for wider publication. To that end there will be 3 blog entries following, each with the abstract of the paper concerned. You can comment directly on the blog, or at a pinch mail the author directly.

For earlier issues, see #1 and #2. Great content, great comments - thanks to all the critics out there and sharpen that pen again.

For those who wish to link to FC++ and pick up all the advances without the rest of the blog, use this URL: https://www.financialcryptography.com/mt/archives/cat_fc.html which will get you the category including all articles.
Note that you can drop the https if you are annoyed at the CAcert popup!

Posted by iang at June 25, 2006 02:32 PM

--

http://www.financialcryptography.com/mt/archives/000758.html is a blog post with some interesting critiques.

--