Secure Input for Web Applications

The Web is an indispensable part of our lives. Every day, millions of users purchase items, transfer money, retrieve information and communicate over the Web. Although the Web is convenient for many users because it provides any time, anywhere access to information and services, at the same time, it has also become a prime target for miscreants who attack unsuspecting Web users with the aim of making an easy profit. The last years have shown a significant rise in the number of Web-based attacks, highlighting the importance of techniques and tools for increasing the security of Web applications. An important Web security research problem is how to enable a user on an untrusted platform (e.g., a computer that has been compromised by malware) to securely transmit information to a Web application. Solutions that have been proposed to date are mostly hardware-based and require (often expensive) peripheral devices such as smart-card readers and chip cards. In this paper, we discuss some common aspects of client-side attacks (e.g., Trojan horses) against Web applications and present two simple techniques that can be used by Web applications to enable secure user input. We also conducted two usability studies to examine whether the techniques that we propose are feasible.