We present the trusted credentials area, a simple and practical browser UI enhancement, which allows secure identification of sites and validation of their credentials, thereby preventing web-spoofing, even for na´ve users. The trusted credentials area is a fixed part of the browser window, which displays only authenticated credentials, and in particular logos, icons and seals. In fact, we recommend that web sites always provide credentials (e .g. logo) securely, and present them in the trusted credentials area; this will help users to notice the absence of secure logo in spoofed sites.
Existing web security mechanisms (SSL/TLS) may cause substantial overhead if applied to
most web pages, as required for securing credentials (e.g. logo) of each page; we present
a simple alternative mechanism to secure web pages and credentials, with acceptable
overhead. Finally, we suggest additional anti-spoofing measures for site owners and web
users, mainly until deployment of the trusted credentials area.
Paper Available at: ftp://dimacs.rutgers.edu/pub/dimacs/TechnicalReports/TechReports/2004/2004-23.pdf