How unsafe are mobile browsers? Unsafe enough that even cyber-security experts are unable to detect when their smartphone browsers have landed on potentially dangerous sites, according to a recent Georgia Tech study.
Like their counterparts for desktop platforms, mobile browsers incorporate a range of security and cryptographic tools to provide a secure Web-browsing experience. However in one critical area that informs user decisions – the incorporation of tiny graphical indicators in a browser’s URL field – all of the leading mobile browsers fail to meet security guidelines recommended by the World Wide Web Consortium (W3C) for browser safety, leaving even expert users with no way to determine if the Web sites they visit are real or imposter sites phishing for personal data.
“We found vulnerabilities in all 10 of the mobile browsers we tested,” said Patrick Traynor, assistant professor at Georgia Tech. “The basic question we asked was, ‘Does this browser provide enough information for even an information-security expert to determine security standing?’ With all 10 of the leading browsers on the market today, the answer was no.”
The graphic icons at issue are called either SSL (“secure sockets layer”) or TLS (“transport layer security”) indicators, and they serve to alert users when their connection to the destination Web site is secure and that the Web site they see is actually the site they intended to visit. The tiny “lock” icon that typically appears in a desktop browser window when users are providing payment information in an online transaction is one example of an SSL indicator. Another is the “https” keyword that appears in the beginning of a browser’s URL field.
The W3C has issued specific recommendations for how SSL indicators should be built into a browser, and for the most part, Traynor said, desktop browsers do a good job. In mobile browsers, however, the guidelines are followed inconsistently at best. The principal reason for this, is the much smaller screen size with which designers of mobile browsers have to work. Often there simply isn’t room to incorporate SSL indicators in same way as with desktop browsers. However, given that mobile devices are widely predicted to face more frequent attacks from cyber-criminals, the vulnerability is almost sure to lead to increased crime unless addressed.
“Research has shown that mobile browser users are three times more likely to access phishing sites than users of desktop browsers,” said Chaitrali Amrutkar, principal author of the paper that described the SSL research.
“We found vulnerabilities in all 10 of the mobile browsers we tested,” said Patrick Traynor, assistant professor at Georgia Tech. “The basic question we asked was, ‘Does this browser provide enough information for even an information-security expert to determine security standing?’ With all 10 of the leading browsers on the market today, the answer was no.”
The graphic icons at issue are called either SSL (“secure sockets layer”) or TLS (“transport layer security”) indicators, and they serve to alert users when their connection to the destination Web site is secure and that the Web site they see is actually the site they intended to visit. The tiny “lock” icon that typically appears in a desktop browser window when users are providing payment information in an online transaction is one example of an SSL indicator. Another is the “https” keyword that appears in the beginning of a browser’s URL field.
The W3C has issued specific recommendations for how SSL indicators should be built into a browser, and for the most part, Traynor said, desktop browsers do a good job. In mobile browsers, however, the guidelines are followed inconsistently at best. The principal reason for this, is the much smaller screen size with which designers of mobile browsers have to work. Often there simply isn’t room to incorporate SSL indicators in same way as with desktop browsers. However, given that mobile devices are widely predicted to face more frequent attacks from cyber-criminals, the vulnerability is almost sure to lead to increased crime unless addressed.
“Research has shown that mobile browser users are three times more likely to access phishing sites than users of desktop browsers,” said Chaitrali Amrutkar, principal author of the paper that described the SSL research.
No comments:
Post a Comment