{"175571":{"#nid":"175571","#data":{"type":"news","title":"Mobile Browsers Fail Georgia Tech Safety Test","body":[{"value":"\u003Cp\u003E\u003Cstrong\u003EATLANTA \u2013 Dec. 5, 2012 \u2013\u003C\/strong\u003E How unsafe are mobile browsers? Unsafe enough that even cyber-security experts are unable to detect when their smartphone browsers have landed on potentially dangerous websites, according to a recent Georgia Tech study.\u003C\/p\u003E\u003Cp\u003ELike their counterparts for desktop platforms, mobile browsers incorporate a range of security and cryptographic tools to provide a secure Web-browsing experience. However in one critical area that informs user decisions\u2014the incorporation of tiny graphical indicators in a browser\u2019s URL field\u2014all of the leading mobile browsers fail to meet security guidelines recommended by the World Wide Web Consortium (W3C) for browser safety, leaving even expert users with no way to determine if the websites they visit are real or imposter sites phishing for personal data.\u003C\/p\u003E\u003Cp\u003E\u201cWe found vulnerabilities in all 10 of the mobile browsers we tested, which together account for more than 90 percent of the mobile browsers in use today in the United States,\u201d said Patrick Traynor, assistant professor in Georgia Tech\u2019s School of Computer Science. \u201cThe basic question we asked was, \u2018Does this browser provide enough information for even an information-security expert to determine security standing?\u2019 With all 10 of the leading browsers on the market today, the answer was no.\u201d\u003C\/p\u003E\u003Cp\u003EThe graphic icons at issue are called either SSL (\u201csecure sockets layer\u201d) or TLS (\u201ctransport layer security\u201d) indicators, and they serve to alert users (a) when their connection to the destination website is secure and (b) that the website they see is actually the site they intended to visit. The tiny \u201clock\u201d icon that typically appears in a desktop browser window when users are providing payment information in an online transaction is one example of an SSL indicator. Another is the \u201chttps\u201d keyword that appears in the beginning of a desktop browser\u2019s URL field.\u003C\/p\u003E\u003Cp\u003EThe \u003Ca href=\u0022http:\/\/www.w3.org\/TR\/2008\/NOTE-wsc-usecases-20080306\/\u0022 target=\u0022_blank\u0022\u003EW3C has issued specific recommendations\u003C\/a\u003E for how SSL indicators should be built into a browser\u2019s user interface, and for the most part, Traynor said, desktop browsers do a good job of following those recommendations. In mobile browsers, however, the guidelines are followed inconsistently at best and often not at all.\u003C\/p\u003E\u003Cp\u003EThe principal reason for this, Traynor admits, is the much smaller screen size with which designers of mobile browsers have to work. Often there simply isn\u2019t room to incorporate SSL indicators in same way as with desktop browsers. However, given that mobile devices are widely predicted to face more frequent attacks from cyber-criminals, the vulnerability is almost sure to lead to increased cyber-crime unless it is addressed.\u003C\/p\u003E\u003Cp\u003E\u201cResearch has shown that mobile browser users are three times more likely to access phishing sites than users of desktop browsers,\u201d said Chaitrali Amrutkar, a Ph.D. student in the School of Computer Science and principal author of the paper that described the SSL research. \u201cIs that all due to the lack of these SSL indicators? Probably not, but giving these tools a consistent and complete presence in mobile browsers would definitely help.\u201d\u003C\/p\u003E\u003Cp\u003EThe paper, \u201c\u003Ca href=\u0022http:\/\/link.springer.com\/chapter\/10.1007\/978-3-642-33383-5_6?null\u0022 target=\u0022_blank\u0022\u003EMeasuring SSL Indicators on Mobile Browsers: Extended Life, or End of the Road\u003C\/a\u003E,\u201d earned Amrutkar a Best Student Paper award at this year\u2019s \u003Ca href=\u0022http:\/\/web.sec.uni-passau.de\/isc2012\/\u0022 target=\u0022_blank\u0022\u003EInformation Security Conference\u003C\/a\u003E, held Sept. 19-21 in Passau, Germany. Traynor and Amrutkar said the study, essentially a measurement analysis of the current state of visual security indicators in mobile browsers, is a necessary first step in developing a uniform set of security recommendations that can apply to mobile browsers.\u003C\/p\u003E\u003Cp\u003E\u201cWe understand the dilemma facing designers of mobile browsers, and it looks like all of them tried to do the best they could in balancing everything that has to fit within those small screens,\u201d Traynor said. \u201cBut the fact is that all of them ended up doing something just a little different\u2014and all inferior to desktop browsers. With a little coordination, we can do a better job and make mobile browsing a safer experience for all users.\u201d\u003C\/p\u003E\u003Cp\u003E###\u003C\/p\u003E\u003Cp\u003E\u0026nbsp;\u003C\/p\u003E\u003Cp\u003E\u003Cstrong\u003EContacts\u003C\/strong\u003E\u003C\/p\u003E\u003Cp\u003E\u003Cstrong\u003EMichael Terrazas\u003C\/strong\u003E\u003C\/p\u003E\u003Cp\u003EAssistant Director of Communications\u003C\/p\u003E\u003Cp\u003ECollege of Computing at Georgia Tech\u003C\/p\u003E\u003Cp\u003E\u003Ca href=\u0022mail\u0022\u003Emterraza@cc.gatech.edu\u003C\/a\u003E\u003C\/p\u003E\u003Cp\u003E404-245-0707\u003C\/p\u003E","summary":null,"format":"limited_html"}],"field_subtitle":[{"value":"Study finds security indicators sacrificed to accommodate small screens"}],"field_summary":[{"value":"\u003Cp\u003E\u003Cstrong\u003EATLANTA \u2013 Dec. 5, 2012 \u2013\u003C\/strong\u003E How unsafe are mobile browsers? Unsafe enough that even cyber-security experts are unable to detect when their smartphone browsers have landed on potentially dangerous websites, according to a recent Georgia Tech study. \u003Cem\u003ESource: Office of Communications\u003C\/em\u003E\u003C\/p\u003E","format":"limited_html"}],"field_summary_sentence":[{"value":"Study finds security indicators sacrificed to accommodate small screens."}],"uid":"27174","created_gmt":"2012-12-05 10:09:51","changed_gmt":"2016-10-08 03:13:18","author":"Mike Terrazas","boilerplate_text":"","field_publication":"","field_article_url":"","dateline":{"date":"2012-12-05T00:00:00-05:00","iso_date":"2012-12-05T00:00:00-05:00","tz":"America\/New_York"},"extras":[],"hg_media":{"175581":{"id":"175581","type":"image","title":"Patrick Traynor SSL image","body":null,"created":"1449179022","gmt_created":"2015-12-03 21:43:42","changed":"1475894819","gmt_changed":"2016-10-08 02:46:59","alt":"Patrick Traynor SSL image","file":{"fid":"195848","name":"traynor_ssl_indicators.jpeg","image_path":"\/sites\/default\/files\/images\/traynor_ssl_indicators_0.jpeg","image_full_path":"http:\/\/hg.gatech.edu\/\/sites\/default\/files\/images\/traynor_ssl_indicators_0.jpeg","mime":"image\/jpeg","size":1718964,"path_740":"http:\/\/hg.gatech.edu\/sites\/default\/files\/styles\/740xx_scale\/public\/images\/traynor_ssl_indicators_0.jpeg?itok=PJpelzxq"}},"175591":{"id":"175591","type":"image","title":"SSL indicators image","body":null,"created":"1449179022","gmt_created":"2015-12-03 21:43:42","changed":"1475894819","gmt_changed":"2016-10-08 02:46:59","alt":"SSL indicators image","file":{"fid":"195849","name":"ssl_indicators.jpeg","image_path":"\/sites\/default\/files\/images\/ssl_indicators_0.jpeg","image_full_path":"http:\/\/hg.gatech.edu\/\/sites\/default\/files\/images\/ssl_indicators_0.jpeg","mime":"image\/jpeg","size":3728770,"path_740":"http:\/\/hg.gatech.edu\/sites\/default\/files\/styles\/740xx_scale\/public\/images\/ssl_indicators_0.jpeg?itok=rZJXRfy8"}}},"media_ids":["175581","175591"],"groups":[{"id":"1183","name":"Home"}],"categories":[{"id":"153","name":"Computer Science\/Information Technology and Security"},{"id":"135","name":"Research"}],"keywords":[{"id":"2678","name":"information security"},{"id":"12739","name":"mobile devices"},{"id":"13274","name":"patrick traynor"},{"id":"166941","name":"School of Computer Science"},{"id":"168927","name":"smartphones"},{"id":"52211","name":"tablets"},{"id":"52221","name":"web browsers"}],"core_research_areas":[{"id":"39481","name":"National Security"}],"news_room_topics":[],"event_categories":[],"invited_audience":[],"affiliations":[],"classification":[],"areas_of_expertise":[],"news_and_recent_appearances":[],"phone":[],"contact":[{"value":"\u003Cp\u003E\u003Ca href=\u0022mailto:mterraza@cc.gatech.edu\u0022\u003EMichael Terrazas\u003C\/a\u003E\u003C\/p\u003E\u003Cp\u003E404-245-0707\u003C\/p\u003E","format":"limited_html"}],"email":["mterraza@cc.gatech.edu"],"slides":[],"orientation":[],"userdata":""}}}