This paper proposes new methods for web authentication that are secure against phishing and pharming attacks. We explore the use of browser cookies as authenticators that cannot inadvertently be given away by users, and introduce locked cookies, which are cookies that are bound to the originating server's public key. Locked cookies defeat phishing, pharming, and network-controlling active attacks, since the user's browser can verify that the attacker's public key is different from that of the server that set the cookie in the first place, even though the domain names may be the same. Locked cookies are transparent to the user and do not require any server-side changes. We evaluate and compare authentication schemes based on conventional cookies, IP cookies, and locked cookies.
Title
Locked cookies: Web authentication security against phishing, pharming, and active attacks
Published
2007-02-07
Full Collection Name
Electrical Engineering & Computer Sciences Technical Reports
Other Identifiers
EECS-2007-25
Type
Text
Extent
32 p
Archive
The Engineering Library
Usage Statement
Researchers may make free and open use of the UC Berkeley Library’s digitized public domain materials. However, some materials in our online collections may be protected by U.S. copyright law (Title 17, U.S.C.). Use or reproduction of materials protected by copyright beyond that allowed by fair use (Title 17, U.S.C. § 107) requires permission from the copyright owners. The use or reproduction of some materials may also be restricted by terms of University of California gift or purchase agreements, privacy and publicity rights, or trademark law. Responsibility for determining rights status and permissibility of any use or reproduction rests exclusively with the researcher. To learn more or make inquiries, please see our permissions policies (https://www.lib.berkeley.edu/about/permissions-policies).
