SessionJuggler: Secure Web Login From an Untrusted Terminal Using Session Hijacking
Authors: E. Bursztein, C. Soman, D. Boneh, and J. Mitchell
Abstract:
We use modern features of web browsers to develop a secure login
system from an untrusted terminal. The system, called SessionJuggler,
requires no server-side changes and no special software on the
terminal beyond a modern web browser. This important property makes
adoption much easier than with previous proposals. With
SessionJuggler, users never enter their long-term credential on the
untrusted terminal. Instead, users log in to a web site using a
smartphone app and then transfer the entire session, including cookies
and all other session state, to the untrusted terminal. We show that
SessionJuggler works on all the Alexa top 100 sites (except three
because the Android browser is not able to render them). We also show
that SessionJuggler works flawlessly with Facebook Connect. Beyond
login, SessionJuggler also provides a secure logout mechanism where
the trusted phone is used to kill the session. To validate the
session juggling concept we conducted a number of web site surveys
that are of independent interest. First, we survey how web sites bind
a session token to a specific device and show that most use fairly
basic techniques that are easily defeated. Second, we survey how web
sites handle logout and show that many popular sites surprisingly do
not properly handle logout requests.
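The logout finding above (a logout request that only clears the browser cookie while the server-side session record stays valid), as an added illustration that is not the paper's code; the in-memory store, the `revoke_on_logout` switch and the user name are constructed for the demo:

```python
"""Added example: checking whether 'logout' really kills a session server-side.
The store, the switch and the sample user are constructed for this demo."""
import secrets


class SessionStore:
    """Minimal in-memory session store mapping session token -> user name."""

    def __init__(self, revoke_on_logout: bool):
        self.sessions = {}
        self.revoke_on_logout = revoke_on_logout

    def login(self, user: str) -> str:
        """Issue a fresh random session token (the value a session cookie carries)."""
        token = secrets.token_hex(16)
        self.sessions[token] = user
        return token

    def logout(self, token: str) -> dict:
        """Handle a logout request and return the response headers.

        The weak variant only instructs the browser to drop its cookie and leaves
        the server-side record intact; the correct variant also revokes it."""
        if self.revoke_on_logout:
            self.sessions.pop(token, None)
        return {"Set-Cookie": "sid=; Max-Age=0"}

    def authenticated_user(self, token: str):
        """Resolve a presented token to a user, or None if it is not a live session."""
        return self.sessions.get(token)


def session_survives_logout(store: SessionStore) -> bool:
    """Log in, log out, then replay the old token exactly as a copy kept on another
    terminal would; True means the logout did not actually kill the session."""
    token = store.login("alice")
    assert store.authenticated_user(token) == "alice"
    store.logout(token)
    return store.authenticated_user(token) is not None


if __name__ == "__main__":
    print("cookie-only logout, session survives:",
          session_survives_logout(SessionStore(revoke_on_logout=False)))
    print("server-side revoke, session survives:",
          session_survives_logout(SessionStore(revoke_on_logout=True)))
```

The same replay check, run against a real site with a session cookie captured before logout, is what distinguishes a site that honours logout from one that merely hides it.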
Reference:
In Proceedings of the 21st International World Wide Web conference (WWW), 2012, ACM Press, pp. 321-330.
Full paper: pdf [first posted 7/2012]