Archive for the ‘Authentication’ Category

Bank Website Design Flaws Pose Serious Security Threat

Thursday, July 24th, 2008

The results of a recent study on security design flaws in banking websites will be presented tomorrow at the Symposium on Usability and Privacy. The research was conducted by Dr. Atul Prakash, Laura Falk, and myself (Kevin Borders). It found that flaws, such as presenting login information on an insecure page, were widespread. What does this mean for the security of the internet at large? Will hackers routinely exploit these vulnerabilities to conduct widespread fraud in the future? And, the most important question: how do we fix it?

Taking Down Domain Squatters

Wednesday, April 30th, 2008

Have you ever wanted to purchase a domain name for a website? The chances are that you had to spend hours testing out ______.com domain names before one was available that you liked. I have been in this situation many times and it is extremely frustrating. If each of the domain names were taken by other legitimate sites, it would be one thing. However, almost all domain names are registered by squatters whose sole purpose is to extort us, the rest of the people in the world who want good domains for their websites. Webmasters are not the only ones who have to bear this burden – everyone who uses the internet suffers by having to type in and remember longer and less-relevant domain names even though better ones are available.

Just like spammers, everybody hates what domain squatters do to the internet. Unlike junk e-mail, however, domain registration is controlled by central authorities who should be able to stop widespread domain squatting. You may wonder how domain squatting relates to security and why an article about it appears on this blog. Once you start considering actual policies that ICANN would put in place to combat domain squatting, they almost all seriously hinder legitimate registrants or suffer from loopholes that would allow domain squatters to continue their operations unimpeded. This article explores policies that ICANN may be able to enforce to make headway against the internet plague that is domain squatting.

USENIX Security Presentation: Combating Click Fraud via Premium Clicks

Thursday, August 16th, 2007

Ari Juels from RSA Laboratories gave a presentation during the first session of the USENIX security conference about eliminating click fraud by identifying legitimate users and giving increased value to their “premium” clicks. The system works by having attestors, which could be websites where the user has purchased something, vouch for the user. Also, traffic caps prevent a client from issuing too many premium clicks. All of this tracking would be done anonymously so as to protect the user’s privacy.