abstact The web spoofing describes an Internet security attack that could endanger the privacyof World Wide

Web users and the integrity of their data. The attack can be carried outon today's systems, endangering users of the most common Web browsers. Webs poofing allows an attacker to create a "shadow copy" of the entire World Wide Web.Accesses to the shadow Web are funneled through the attackers machine, allowing theattacker to monitor all of the victim's activities including any passwords or accountnumbers the victim enters. The attacker can also cause false or misleading data to besent to Web servers in the victim's name, or to the victim in the name of any Webserver. In short, the attacker observes and controls everything the victim does on theWeb. First, the attacker causes a browser window to be created on the victim's machine,with some of the normal status and menu information replaced by identical-lookingcomponents supplied by the attacker. Then, the attacker causes all Web pages destinedfor the victim's machine to be routed through the attacker's server. On the attackersserver, the pages are rewritten in such a way that their appearance does not change atall, but any actions taken by the victim would be logged by the attacker. In addition, anyattempt by the victim to load a new page would cause the newly-loaded page to berouted through the attacker's server, so the attack would continue on the new page.Theattack is initiated when the victim visits a malicious Web page, or receives a maliciousemail message. WHAT IS SPOOFING?12 . I N R T O D U C T I O N 3 . H O W W E B S P O O F I N G W O R K S 2 4. SPOOFING THE W H O L E W E B 35 . H O W T H E A T T A C K W O R K S 5 . 1 U R L R e w r i t t i n g 7 5 . 2 F o r m s 8 5.3 "Secure" connections don't h e l p 95 . 4 S t a r t i n g t h e A t t a c k 5 . 5 A n e x a m p l e f r o m r e a l l i f e 6 . C O M P L E T I N G T H E I L L U S I O N 1 0 1 2 6 . 1 T h e S t a t u s L i n e 1 0 6 . 2 T h e L o c a t i o n L i n e 1 1 6 . 3 V i e w i n g t h e D o c u m e n t S o u r c e 126 . 4 B o okmarks 7. WEB SPOOFING DEMONSTRATION138 . T R A C I N G T H E A T T A C K E R 1 4 9 . R E M E D I E S 159 . 1 S h o r t T e r m Solutions9.2 Long Term Solutions 10. IMPLICATIONS161 1 . C O N C L U S I O N 17191 1 . 1 G u i d e l i n e s 1 1 . 2 S o l u t i o n s 1 2 . R E F E R E N C E S 20

WEB SPOOFING 1. WHAT IS SPOOFING? Spoofing means pretending to be something you are not. In Internet terms itmeans pretending to be a different Internet address from the one you really have inorder to gain something. That might be information like credit card numbers,passwords, personal information or the ability to carry out actions using someone elsesidentity. INTRODUCTION Web spoofing allows an attacker to create a "shadow copy" of the entire World Wide Web. Accesses to the shadow Web are funneled through the attacker's machine,al l owing t he att acker to m onit or t he all of t he vi ctim 's act iviti es inclu di ng an ypasswords or account numbers the victim enters. The attacker can also cause false or misleading data to be sent to Web servers in the victim's name, or to the victim in thename of any Web server. In short, the attacker observes and controls everything thevictim does on the Web.Web Spoofing is a security attack that allows an adversary to observe andmodify all web pages sent to the victim's machine, and observe all information enteredinto forms by the victim. Web Spoofing works on both of the major browsers and isnotprevented by "secure" connections. The attacker can observe and modify all web pagesand form submissions, even when the browser's "secure connection" indicator is lit. Theuser sees no indication that anything is wrong.The attack is implemented using JavaScript and Web server plug- ins, and worksin two parts. First, the attacker causes a browser window to be created on the victim'smachine, with some of the normal status and menu information replaced by identical-looking components supplied by the attacker. Then, the attacker causes all Web pagesdestined for the victim's machine to be routed through the attacker's server. On theattacker's server, the pages are rewritten in such a way that their appearance does notchange at all, but any actions taken by the victim (such as clicking on a link) would belogged by the attacker. In addition, any attempt by the victim to load a new page wouldcause the newly-loaded page to be routed through the attacker's server, so the attack woul d conti nue on the new page.The at t ack i s initi at ed when t he vi cti m vis it s amalicious Web page, or receives a malicious email message (if the victim uses anHTML-enabled email reader). 3. HOW WEB SPOOFING WORKS? Web spoofing is a kind of electronic con game in which the attacker creates aconvincing but false copy of the entire World Wide Web. The false Web looks just likethe real one: it has all the same pages and links. However, the attacker controls the falseWeb, so that all network traffic between the victim's browser and the Web goes throughthe attacker. Consequences Since the attacker can observe or modify any data going from the victimto Web servers, as well as controlling all return traffic from Web servers to thevictim, the attacker has many possibilities. These include surveillance and tampering

. Surveillance The attacker can passively watch the traffic, recording which pages thevictim visits and the contents of those pages. When the victim fills out a form, the entered data is transmitted to a Web server, so the attacker can record that too, alongwith the response sent back by the server. Since most on-line commerce is done viaforms, this means the attacker can observe any account numbers or passwords thevictim enters .The at tacker can carr y out surveil l ance even i f the vi ct im has a "secure"connec tion (usually via Secure Sockets Layer) to the server, that is, even if the victim'sbrowser shows the secure-connection icon (usually an image of a lock or a key). Tampering The attacker is also free to modify any of the data traveling in either direction between the victim and the Web. The attacker can modify form data submittedby the victim. For example, if the victim is ordering a product on-line, the attacker canchange the product number, the quantity, or the ship-to address.The attacker can also modify the data returned by a Web server, for example byinserting misleading or offensive material in order to trick the victim or to causeantagonism between the victim and the server. Spoofing the Whole Web You may think it is difficult for the attacker to spoof the entire World Wide Web, but it is not. The attacker need not store the entire contents of the Web. The whole Web is available on-line; the attacker's server can just fetch a page from the realWeb when it needs to provide a copy of the page on the false Web. How the Attack Works The key to this attack is for the attacker's Web server to sit between thevictim and the rest of the Web. This kind of arrangement is called a "man in the middleattack" in the security literature. We are mostly interested in the web spoofing attack, which exploits thisvulnerability, by directing the browser to an adversarycontrolled clone site thatresembles the original, victim site, which the user wanted to access. Web spoofingat t acks are ver y com m on, and are t he m ost severe t hreat t o secure ecomm erce currently. As we explain below, most web spoofing attackers simply rely on the fact thatmany users may not notice an incorrect URL or the lack of SSL indicator, whenapproaching their online banking site (or other sensitive site). Therefore, an attacker cancircumvent the SSL site authentication trivially, by not using SSL and/or by using aURL belonging to a domain owned or controlled by the attacker, for which the attacker can obtain a certificate. More advanced attacks can mislead even users that validate theSSL indicator and location bar (containing URL).13

Web SpoofingFig 7.1 HTTP request response process with SSL protectionThe first challenge for a web spoofing attack is to cause the browser to receive the clonesite, when the customer is really looking for the victim site. The attacker can exploitdifferent parts of the process of receiving a (sensitive) web page. We illustrate the typical scenario of receiving a sensitive web page in Figure 3. The process begins whenthe user selects the web site, by entering its location (URL) or by invoking a bookmark or link, e.g. in an e-mail message (step 1a). The browser, or the underlying transportlayer, then sends the name of the domain of the site, e.g. xxx.com, to a Domain NameServer (step 2a). The Domain Name Server returns the IP address of the site (step 2b).Now, the client sends an HTTP request to the site, using the IP address of the site (step3a), and receives the HTTP response containing the web page (step 3b); these two stepsare protected by SSL, if the URL indicates the use of SSL (by using the https protocol inthe URL).Most web-spoofing attacks, however, use methods which do not require either interception of messages to `honest` web sites, or corruption of servers or of the DNSresponse; these methods work even for the weak `unallocated domain` adversary. Onemethod isURL redirection, due to Felten et al. [FB*97]. This attack begins when theuser accesses any `malicious` web site controlled by the attacker, e.g. containing somecontent; this is the parallel of a Trojan software, except that users are less cautious aboutapproaching untrusted web sites, as browsers are supposed to remain secure. The attack works if the user continues surfing by following different links from this malicious site.The site provides modified versions of the requested pages, where all links invoke themalicious site, which redirects the queries to their intended target. This allows

themalicious site to continue inspecting and modifying requests and responses without theuser noticing, as long as the user follows links. However, this attack requires theattacker to attract the user to the malicious web site. In practice, attackers usually use aneven easier method to direct the user to the spoofed site: phishing spoofing attacks,usually using spam e-mail messages. In Figure 4 we describe the process of typicalphishing attack used to lure the user into a spoofed web site.The adversary first buys some unallocated domain name, often related to the name of the target, victim web site. Then, the adversary sends spam (unsolicited e- mail) to many users; this spam contains a `phishing bait message`, luring the user to follow a link embedded in the bait message. The mail message is a forgery: its source address isof the victim entity, e.g. a bank that the user uses (or may use), and its contents attemptto coerce the user into following a link in the message, supposedly to the victim organization, but actually to the phishing site. If the victim entity signs all its e -mail,e.g. using S/MIME or PGP [Z95], then our techniques (described later on) could allowthe user to detect thisFig 7.2 process of typical phishing spoofing attack fraud. However, currently only a tiny fraction of the organizations signs outgoing e-mail, therefore, this is not an option, and many nave users may click on the link in themessage, supposedly to an important service from the victim entity. The link actuallyconnects the users to the spoofed web site, emulating the site of the victim entity, wherethe user provides information useful to the attacker, such as credit card number, name,e-mail addresses, and other information. The attacker stores the information in some`stolen information` database; among other usages, he also uses the credit card number to purchase additional domains, and the e-mail addresses and name to create moreconvincing spam messages (e.g. to friends of this user).Currently most phishing attackslure the users by using spam (unsolicited, undesirable e mail), as described above.However, we define phishing spoofing attack as (any method of) luring the user into

many users; this spam contains a `phishing bait message`, luring the user to follow a link embedded in the bait message. The mail message is a forgery: its source address isof the victim entity, e.g. a bank that the user uses (or may use), and its contents attemptto coerce the user into following a link in the message, supposedly to the victim organization, but actually to the phishing site. If the victim entity signs all its e -mail,e.g. using S/MIME or PGP [Z95], then our techniques (described later on) could allowthe user to detect thisFig 7.2 process of typical phishing spoofing attack fraud. However, currently only a tiny fraction of the organizations signs outgoing e-mail, therefore, this is not an option, and many nave users may click on the link in themessage, supposedly to an important service from the victim entity. The link actuallyconnects the users to the spoofed web site, emulating the site of the victim entity, wherethe user provides information useful to the attacker, such as credit card number, name,e-mail addresses, and other information. The attacker stores the information in some`stolen information` database; among other usages, he also uses the credit card number to purchase additional domains, and the e-mail addresses and name to create moreconvincing spam messages (e.g. to friends of this user).Currently most phishing attackslure the users by using spam (unsolicited, undesirable e mail), as described above.However, we define phishing spoofing attack as (any method of) luring the user into directing his browser to approach a spoofed web site. For example, an attacker coulduse banner-ads or other ads to lure users to the spoofed site. We believe spam is themain phishing tool simply since currently spam is extremely cheap and hard to traceback to the attacker. Spamming is causing many other damages, in particular waste of human time and attention, and of computer resources. Currently, the most common protection against spam appears to be content based filtering; however, since phishingattacks emulate valid email from (financial) service providers, we expect it to pass content- based filtering. Proposals for controlling and preventing spam, e.g. [CSRI04,He04], may also help to prevent or at least reduce spam-based phishing. Most phishingspoofing attacks require only an unallocated web address and server, but do not requireintercepting (HTTP) requests of the user; therefore, even weak attackers can deploythem. This may explain their popularity . This means that the domain name used in thephishing attack is different from the domain name of the victim organization. 5.1 URL Rewriting The attacker's first trick is to rewrite all of the URLs on some Web page sothat they point to the attacker's server rather than to some real server. Assuming theattacker's server is on the machine www.attacker.org, the attacker rewrites a URL byadding http://www.attacker.org to the front of the URL. For example, http://home.netscape.com becomeshttp://www.attacker.org/http://home.netscape.com.The victim's browser requests the page from www.attacker.org, since the URLstarts with http://www.attacker.org. The remainder of the URL tells the attacker's server where on the Web to go to get the real document.Once the attacker's server has fetched the real document needed to satisfy therequest, the attacker rewrites all of the URLs in the document into the same special formby splicing http://www.attacker.org/ onto the front. Then the attacker's server providesthe rewritten page to the victim's browser.Since all of the URLs in the rewritten page now point to

www.attacker.org, if the victim follows a link on the new page, the page will again be fetched through theattacker's server. The victim remains trapped in the attacker's false Web, and can followlinks forever without leaving it.

5.2 Forms If the victim fills out a form on a page in a false Web, the result appears to behandled properly. Spoofing of forms works naturally because forms are integrated closely into the basic Web protocols: form submissions are encoded in URLs and thereplies are ordinary HTML. Since any URL can be spoofed, forms can also be spoofed.When the victim submits a form, the submitted data goes to the attacker's server. Theattacker's server can observe and even modify the submitted data, doing whateve r malicious editing desired, before passing it on to the real server. The attacker's server can also modify the data returned in response to the form submission

5.3 "Secure" connections don't help One distressing property of this attack is that it works even when the victimrequests a page via a "secure" connection. If the victim does a "secure" Web access (aWeb access using the Secure Sockets Layer) in a false Web, everything will appear normal: the page will be delivered, and the secure connection indicator (usually an image of a lock or key) will be turned on. What is SSL? SSL stands for Secure Sockets Layer. This protocol, designed by NetscapeCommunic ations Corp., is used to send encrypted HTTP (Web) transactions.Seeing "https" in the URL box on your browser means SSL is being used toencrypt data as it travels from your browser to the server. This helps protect sensitiveinformation--social security and credit card numbers, bank account balances, and other personal information--as it is sent.The victim's browser says it has a secure connection because it does have one.Unfortunately the secure connection is to www.attacker.org and not to the place thevictim thinks it is. The victim's browser thinks everything is fine: it was told to access aURL at www.attacker.org so it made a secure connection to www.attacker.org. Thesecure-connection indicator only gives the victim a false sense of security. 5.4 Starting the Attack To start an attack, the attacker must somehow lure the victim into the attacker'sfalse Web. There are several ways to do this.1) An attacker could put a link to a false Web onto a popular Web page.2) If the victim is using Web-enabled email, the attacker could email the victima pointer to a false Web, or even the contents of a page in a false Web.3) Finally, the attacker could trick a Web search engine into indexing part of afalse Web. 5.5 An example from real life As web surfers and users we must always be wary of the content of the web pages we surf, look for clues to spoofing, and report immediately to the providers. NEVER click on link provided to you in an e- mail from someone you dont know or trust.This is a very easy way to get you to that Hacker Intercept site! As an example,lets say you get the following e-mail from someone claiming to know you. Hi Johnny,I found this new book on gardening on Amazon and I thought you would enjoy it. Check it out... Bartholome Love,Mom Close inspection of the link above provides the following:http://www.amazone.com/exec/obidos/search-handleform/102-7984499-0468854The link points to amazon e .com instead of amazon.com. Everything else in thelink is genuine. So before buying this great new book recommended by Mom, youll bestopping by and visiting the folks at amazon e .com and giving them your credit cardnumber, expiration date, name, address and phone. COMPLETING THE ILLUSION The attack as described thus far is fairly effective, but it is not perfect. There is still some remaining context that can give the victim clues that the attack is going on. However,

it is possible for the attacker to eliminate virtually all of the remaining cluesof the attack's existence.Such evidence is not too hard to eliminate because browsers are verycustomizable. The ability of a Web page to control browser behavior is often desirable,but when the page is hostile it can be dangerous.Another artifact of this kind of attack is that the pages returned by the hacker intercept are stored in the users browse r cache, and based on the additional actionstaken by the user; the spoofed pages may live on long after the session is terminated. 6.1 The Status Line The status line is a single line of text at the bottom of the browser window that displays various messages, typically about the status of pending Web transfers The attack as described so far leaves two kinds of evidence on the status line. First, when the mouse is held over a Web link, the status line displays the URL the link points to. Thus, the victim might notice that a URL has been rewritten. Second, when apage is being fetched, the status line briefly displays the name of the server being contacted. Thus, the victim might notice that www.attacker.org is displayed when someother name was expected.The attacker can cover up both of these cues by adding a JavaScript programto every rewritten page. Since JavaScript programs can write to the status line, and sinceit is possible to bind JavaScript actions to the relevant events, the attacker can arrangethings so that the status line participates in the con game, always showing the victim what would have been on the status line in the real Web. Thus the spoofed context becomes even more convincing. 6.2 The Location Line The browser's location line displays the URL of the page currently being shown.The victim can also type a URL into the location line, sending the browser to that URL.The attack as described so far causes a rewritten URL to appear in the location line, giving the victim a possible indication that an attack is in progress.This clue can be hidden using JavaScript. A JavaScript program can hide the reallocation line and replace it by a fake location line which looks right and is in theexpected place. The fake location line can show the URL the victim expects to see. Thefake location line can also accept keyboard input, allowing the victim to type in URLsnormally. Typed-in URLs can be rewritten by the JavaScript program before beingaccessed

6.3 Viewing the Document Source There is one clue that the attacker cannot eliminate, but it is very unlikely to benoticed.By using the browser's "view source" feature, the victim can look at the HTMLsource for the currently displayed page. By looking for rewritten URLs in the HTMLsource, the victim can spot the attac k. Unfortunately, HTML source is hard for noviceusers to read, and ver y few W eb s urfers bot her to l ook at t he HTML source for documents they are visiting, so this provides very little protection.A related clue is available if the victim chooses the browser 's "view document information" menu item. This will display information including the document's real URL, possibly allowing the victim to notice the attack. As above, this option is almostnever used so it is very unlikely that it will provide much protection. 6.4 Bookmarks There are several ways the victim might accidentally leave the attacker's false Web during the attack. Accessing a bookmark or jumping to a URL by using the browser's "Open location" menu item might lead the victim back into the real Web. The victim might then reenter the false Web by clicking the "Back" button. We can imaginet hat t he vi ctim m i ght wander in and out of one or m ore false W ebs. Of c ours e, bookmarks can also work against the victim, since it is possible to bookmark a page in afalse Web. Jumping to such a bookmark would lead the victim into a false Web again. 6. WEB SPOOFING DEMONSTRATION

The HTML Source Code <HTML><HEAD><TITLE>Web Spoofing Demonstration</TITLE></HEAD><BODY onload=init()><HR><H2>Spoofing</H2><P>In both the cases below, if you mouseover the link below, you'll see http://basement.dartmouth.edu" in the status line at the bottom of your screen.<P>If you click on it, and you're not susceptible, then you'll actually go there.<P>If you click on it, and you are suscepti ble, then we'll pop open a newwindow for you.<P><A onclick="return openWin();"href="http://basement.dartmouth.edu/"> Click here to see a spoof, if you're configuredcorrectly.</A></P><P><A onclick="javascript:openRealWin();return false;"href="http://basement.dartmouth.edu/">Click here to see the real basementsite</A></P><P><HR></BODY></HTML> The HTML Page as seen Spoofing In both the cases below, if you mouse-over the link below, you'll see"http://basement.dartmouth.edu" in the status line at the bottom of your screen.If you click on it, and you're not susceptible, then you'll actually go there.If you click on it, and you are susceptible, then we'll pop open a new window for you.Click here to see a spoof, if you're configured correctly.Click here to see the real basement site TRACING THE ATTACKER Some people have suggested that this attack can be deterred by finding and punishing the attacker. It is true that the attacker's server must reveal its location inorder to carry out the attack, and that evidence of that location will almost certainly beavailable after an attack is detected.Unfortunately, this will not help much in practice because attackers will break into the machine of some innocent person and launch the attack there. Stolen machineswill be used in these attacks. REMEDIES Web spoofing is a dangerous and nearly undetectable security attack that can becarried out on today's Internet. Fortunately there are some protective measures you cantake. 9.1 Short-term Solution In the short run, the best defense is to follow a three-part strategy:1. disable JavaScript in your browser so the attacker will be unable to hide theevidence of the attack;2. make sure your browser's location line is always visible; 3. pay attention to the URLs displayed on your browser's location line, making surethey always point to the server you think you're connected to.This strategy will significantly lower the risk of attack, though you could still bevictimized if you are not conscientious about watching the location line.At present, JavaScript, ActiveX, and Java all tend to facilitate spoofing and other security attacks, so we recommend that you disable them. Doing so will cause you tolose some useful functionality, but you can recoup much of this loss by selectivelyturning on these features when you visit a trusted site that requires them. 9.2 Long-term Solution We do not know of a fully satisfactory long-term solution to this problem.Changing browsers so they always display the location line would help, although userswould still have to be vigilant and know how to recognize rewritten URLs.For pages that are not fetched via a secure connection, there is not much morethat can be

done.For pages fetched via a secure connection, an improved secureconnectionindicator could help. Rather than simply indicating a secure connection, browsersshould clearly say who is at the other end of the connection. This information should bedisplayed in plain language, in a manner intelligible to novice users; it should saysomething like "Microsoft Inc." rather than "www.microsoft.com."Every approach to this problem seems to rely on the vigilance of Web users.Whether we can realistically expect everyone to be vigilant all of the time is debatable. 7. IMPLICATIONS What are the current risks to Web users? Since spoofing each aspect of behavior of each common platform takes a lot of work, we do not believe that convincing long- lived shadow Web attacks are likely. However, short-lived sessions with narrow user behavior are much more susceptible. Intheory, we could have connected our spoofed page to the real WebBlitz service, put outsome misleading links, and monitored our fr iends email. The emergence of common user interface technologies is also leading to a continued blurring of the boundariesbetween what servers and browsers tell users, and between internal and external datapaths.For example, Netscapes Personal Security Manager has been touted as the solution toclient security management. However, the sequence of windows that pop up to collectthe users password that protects these client keys are all easily spoofable enablingremote malicious servers to learn these passwords. Further exploration here would beinteresting. Another interesting area would be to explore the potential of using spoofingfor users of Web-like OS interfaces.We are also examining the de facto semantics that current browsers offer for certificatehandling for various devious but legal sessions 8. CONCLUSION In the developer community, currently web users, and in particular naveusers, are vulnerable to different web spoofing attacks; elsewhere, phishing an dspoofing attacks are in fact increasingly common. In this paper, we describe browser and protocol extensions that we are designing and implementing, that will help preventwebspoofing (and phishing) attacks. The main idea is to enhance browsers with a mandatory Trust Bar (Trust Bar), with a fixed location at the top of every web page Themost important credential is probably the Logo of the organization, used to provide andre- enforce the brand; and, when some trusted authority certifies the logo or other credentials of the site, the logo of that trusted authority (e.g. certificate authority). Our hope is that browser developers will incorporate the Trust Bar as soon as possible, i.e.make Trust Bar-enabled browsers. We hope to soon make available the source code of our implementation of the Trust Bar (for the Mozilla browser), and we will be happy tocooperate with others on creating highquality open source code available. To conclude this paper, we present conclusions and recommendations for usersand owners of sensitive web sites, such as e-commerce sites, for the period untilbrowser are Trust Bar- enabled. We also note that even when using Trust Bar-enabled browsers, viruses and other malicious software may still be able to create unauthorized transactions, due to operating system vulnerabilities. We

recommend that highly sensitive web sites such as e-brokerage consider authorizing transactions using more secure hardware modules (see below).Conclusions for Users of Sensitive Web-sites 11.1 GUIDELINES Users should follow to increase their security 1. Use an Trust Bar-enhanced browser, using its `opportunistic logo identification`mechanism to establish logos for each of your sensitive webpages. The authorsdeveloped and use a simple Trust Bar extension to the Mozilla browser, and plan tomake it available for download from their homepages soon (after some final touches).2 . Always contact sensitive web sites by typing their address in the location bar, usinga bookmark or following a link from a secure site, preferably protected by SSL/TLS.3 . Never click on links from e-mail messages or from other non- trustworthy sources(such as shady or possibly insecure web sites). These could lead you to a `URLforwarding` man-in-the-middle attack, which may be hard or impossible to detect, evenif you follow guideline 1 above.4 . Be very careful to inspect the location bar and the SSL icon upon entering tosensitive web pages. Preferably, set up your browser to display the details of thecertificate upon entering your most sensitive sites (most browsers can do this); this willhelp you notice the use of SSL and avoid most attacks. Do not trust indications of security and of the use of SSL when they appear as part of the web page, even when thispage belongs to trustworthy organizations.5.If possible, restrict the damages due to spoofing by instructing youre financialservices to limit online transactions in your account to cover only what you really need.Furthermore, consider using sensitive online services that use additional protectionm echanisms beyond SSL. Conclusions for Owners of Sensitive Web-sites Owners of sensitive web-sites are often financial institutions, with substantial interest in securityand ability to influence their consumers and often even software developers. 11.2 SOLUTIONS That the entities should follow 1 .Provide your customers with a browser with security enhancements as described here,and encourage them to i nst al l and use i t. W e noti ce t hat t he basic `Trust B ar`enhancement, available in our site as of August 2004 for Mozilla, may suffice for mostsites and customers. Many software integrators can perform such enhancements toMozilla and other browsers easily, possibly taking advantage of the source code of our implementation.2 .Use means of authenticating transactions that are not vulnerable to web spoofing. Inparticular, `challenge-response` and similar onetime user authentication solutions canbe effective against offline spoofing attacks (but may still fail against a determinedattacker who is spoofing your web site actively in a `man in the middle` attack). UsingSSL client authentication can be even more effective, and avoid the hardware token (butmay be more complex and less convenient to the user).3 .Protect, using SSL/TLS, as many of your web pages as is feasible. In particular, bes ure t hat ever y web form, i .e. web page requesti ng the user to ent er (sensi ti ve)inform at ion, is properl y prot ect ed when it i s sent to t he user. Noti ce t hat m an yrespectable companies (probably using respectable web-site designers) were not

carefulenough and have insecure web pages asking users to enter sensitive information, asshown in Figure 5; this is insecure (the site may invoke SSL to protect the information,but the user cannot know this is not a spoofing site i.e. this practice allows a spoofingsite to collect passwords).4 . Use cookies to personalize the main web page of each customer, e.g. includepersonal greeting by name and/or by a personalized mark/picture (e.g. see [PM04]).Also, warn users against using the page if the personal greeting is absent. This will foil many of the phishing attacks, which will be unable to present personalized pages. Wealso recommend that site owners are careful to educate consumers on the secure weband e-mail usage guidelines, including these mentioned above, as well as educate themon the structure of domain name and how to identify their corporate domains. This mayinclude restricting corporate domains to only these that end with a clear corporateidentity 12.REFERENCES 1. http://webm asters-f orum s.com/web-spoofing-t-402.htm l2.http://www.washington.edu/computing/windows/issue22/spoofing.html3. http://www.cs.princeton.edu/sip/WebSpoof ing/4. http://www.cs.princeton.edu/sip/pub/spoofing.html