TrustBar Usage Guide and Screen Shots

Version of Monday, September 19, 2005

By Amir Herzberg

Contents:

1 Downloading and Installing TrustBar

2 Uninstalling TrustBar

3 What are spoofed sites and phishing attacks? How can TrustBar help?

4 Can TrustBar help me detect attack on my unprotected login page?

5 About `Hey!` button and Training, Emulation Attacks

6 Saving real estate (space on the browser window)

1 Downloading and Installing TrustBar

To download and install the latest TrustBar release (currently: 0.4.9.92), follow these simple steps:

1)      You must use either the Firefox browser or the Deer Park browser. If you don't have one, please install it from http://mozilla.org. Also, due to a bug, do not currently install on Mac OS X or FreeBSD.

2)      Click on the following link to save the latest TrustBar release (using Firefox on Windows, files are saved by default on the desktop).

3)      If you have a prior version of TrustBar, please uninstall it.

4)      Open the saved file from Firefox, using the File->Open File menu command and selecting the downloaded file.

5)      A dialog opens with a warning saying that the extension is not signed. Thawte kindly gave us a code signing certificate, but we are still trying to get Firefox's signing software to accept it, so currently TrustBar is indeed not signed. To complete installation, click `Install Now`.

6)      Finally, close and re-open Firefox and you are done: TrustBar is installed!

7)      TrustBar will now display, once only, a registration window with a few questions. Please fill in the questions honestly and, at the bottom, leave `I accept to send statistics` checked (Ok, we'll fix the poor language). The statistics are essential to our research, to improve TrustBar and evaluate secure user interface principles. We do not keep any identifying information on you or the sites you visit.

8)      You can always change the details and choices in the registration window, by clicking on the Hey! button of TrustBar, selecting `Options` and then clicking on `User Details`.

9)      After you have installed TrustBar, it may initially reside on a new toolbar. Many users prefer to move TrustBar to another, existing toolbar where they have appropriate space. You can do this via View->Toolbars->Customize, and move the TrustBar elements (widgets) to other bars. An empty toolbar may remain even after you have moved all elements out of it; to remove it, use View->Toolbars->TrustBar.

2 Uninstalling TrustBar

If you find TrustBar annoying or just not helpful, you can easily remove it as follows. We will also appreciate your feedback, so we can try to improve TrustBar. To uninstall, use the Firefox menu command Tools->Extensions; you will see a list of extensions installed on your browser. Select TrustBar and click the `Uninstall` button. Now close and re-open Firefox and you are done: TrustBar is removed!

3 What are spoofed sites and phishing attacks? How can TrustBar help?

When you use the web, your browser sends requests to web servers based on the domain name of the server, e.g. ebay.com. Browsers usually display the domain name as part of the `address` or `location` of the page, e.g. the Chase homepage address http://www.chase.com/ (see screen shot). Attackers can easily own any unallocated domain name, often one confusingly similar to the `correct` domain name, e.g. chasebank.com. Attackers have essentially complete control over the content of the page, so it may display the name and logo of, say, Chase without Chase's authorization. Attackers can also select any prefix to the domain name, e.g. if an attacker owns bkup1.com, then he can use chase.bkup1.com. Such sites, which try to appear as belonging to some organization or company without authorization, are called spoofed sites.

TrustBar can help you identify a spoofed version of your sensitive sites, e.g. your online banking sites, by allowing you to assign a name and/or logo to each of these sites. This is easy. When you are on a page you want to identify, e.g. your e-banking login page, you assign a name by simply typing over the TrustBar textbox with the name you choose for the site. See screen shot; notice that TrustBar uses a magenta background for the assigned name, to make it easier to identify.

Notice that initially the TrustBar textbox displays `Enter site name here` (see screen shot). After you assign names to a few sites, TrustBar will start displaying the domain name in the textbox by default, making it a bit easier to identify the domain of sites. You can still type a specific name for the page over it, of course. See screen shots; notice

Assigning a logo is just as easy, provided that an appropriate logo image exists on the page (which is usually the case). All you have to do is move the mouse over the image and click the right mouse button. A menu opens; select `Save as site logo`, and that's it: TrustBar will now display the logo for the site (see screen shot). An attacker may be able to display Chase's logo in a spoofed site, but if it belongs to a different domain (not chase.com) then the attacker cannot trick TrustBar into displaying the name or logo that the user assigned to Chase.

Is this sufficient for security? That depends on the capabilities of the attacker. Most web pages use the http protocol (this is indicated by the prefix http, as in http://chase.com). On these pages, the content of the page as well as the data from the user (including passwords) are sent `in the clear`, like a postcard, in a sense. If someone has access to this page in transit (e.g., a system administrator at any ISP along the route), then they can read it and even modify it. TrustBar can identify that you used the right address (chase.com), but that will not prevent such `powerful` attackers, sometimes called Man In The Middle attackers, from presenting a spoofed site.

To protect against strong, Man In The Middle attackers, most sensitive login pages use the cryptographic https protocol rather than the unprotected http. Some offer both, e.g. Wachovia bank has an unprotected login at http://www.wachovia.com and a protected login at https://www.wachovia.com. Protected logins offer substantially better security, provided you detect that they are real and not fake. In fact, very few spoofed site attacks, so far, have used protected web pages; so it is very important that you identify, and prefer, protected versions of your sensitive (e.g. login) pages. We are now working on a new feature of TrustBar that will allow you to automatically use protected versions of login pages, in the (common) case where such versions are known. Browsers display a small padlock in the status area (very bottom of the window) for protected pages; TrustBar provides a more visible padlock for protected sites, and also a visible `no padlock` image for unprotected pages (see screenshots above).

Another benefit of protected pages (beginning with https) is that these sites have been identified. Browsers maintain long lists of companies that may identify sites, and you may not know all or even most of them. When a site is protected, TrustBar displays, by default, the name by which it was identified; of course the user can overtype it to assign a different name (e.g. My broker), or right-click over an image in the page to set it as the site's logo, as in the figure. TrustBar also displays the name or logo of the company or organization responsible for this identification, allowing you to determine whether you trust the identification, and to notice when a site suddenly appears as identified by a different entity, which is suspicious. For example, in the figure to the right we see the eTrade.com site, identified by VeriSign, which is the largest provider of web-site identification services (the technical term is a certificate authority).

4 Can TrustBar help me detect attack on my unprotected login page?

Yes. You can, and should, use TrustBar to assign your own name/logo to these sites. This will allow you to detect when an attack leads you to a site which looks like your login page but has a different location (URL). This already protects you from the most common attacks. However, admittedly, this step alone does not protect you from stronger, Man In The Middle (MITM) attackers, who can change the web page you receive.

Furthermore, as of version 0.4.9.93, TrustBar includes two additional defenses for users of unprotected web pages, even against a MITM attacker:

1.      TrustBar will automatically download from our own server, periodically, a list of all of the unprotected login sites, including any alternate protected login pages we are aware of. By default, whenever a user accesses one of these unprotected pages, she will be automatically redirected to the alternate, protected login page.

2.      TrustBar computes a hash of every unprotected site for which the user has assigned name/logo. TrustBar compares this hash on subsequent accesses to the same site. If the site is not modified in five subsequent accesses, TrustBar begins displaying `Same since <date>`; and when the site changes, TrustBar displays a warning. This can help users notice a fake version of their login page. Unfortunately, this mechanism does not work very well on most real-life login pages, since most of them contain a tiny bit of frequently-changing data such as date or `random` identifiers (mostly to identify a cookie-less client, we think). We are working on improving the mechanism so it will be tolerant to such tiny changes, without exposing the user to malicious changes.

5 About `Hey!` button and Training, Emulation Attacks

As of version 0.4, TrustBar includes the `Hey!` button, which you should click if you suspect a page, e.g. a protected login page suddenly appears unprotected, or a site to which you assigned a name or logo appears with the domain name instead. Most attacks appear like that. When you click Hey!, you can usually select whether this is a report of a fraudulent site or `just` a report of an unprotected login page (which is also helpful: we may inform the site, warn users, and often find a replacement protected page for the same company).

However, sometimes you may hit `Hey!` to report a fake site and receive back a `Hey, good!` pop-up window, congratulating you on detecting a training, emulated attack (see screen shot). Do not worry. Some early usability studies have shown that users may not remember to validate the protection status and/or the name/logo of the site in TrustBar, in which case a spoofed site may still escape detection. So we figured, maybe we can help users train to detect fake sites by presenting the real sites with indicators appearing as if these are fake sites! We only do this for sites to which you have assigned a name or logo (so you probably care about their authenticity). You can control the frequency of training attacks, or disable them, from the Hey!->Options menu.

6 Saving real estate (space on the browser window)

Many users of the initial version of TrustBar were concerned about the amount of screen space dedicated to it. We really tried to improve, in particular by allowing TrustBar elements to be moved to other bars, which is what I personally use (see screen shots above, and the last instruction under `installation`).

TrustBar also allows you to reduce the size of some of its display elements. For example, you can remove the literal string `Identified by` once you are well aware of the role of the company whose name or logo appears after `Identified by`. Open the pull-down menu at the right-hand end of TrustBar and select Options->Display.