Measuring and predicting web login safety.

SIGCOMM '11: ACM SIGCOMM 2011 Conference, Toronto, Ontario, Canada, August 2011 (2011)

Abstract
Users increasingly entrust websites with their personal and sensitive information. Sites commonly protect this information using user-supplied credentials (i.e., logins). We conducted a measurement study of top websites and surprisingly found that they transmit these credentials in the clear, thus leaving them vulnerable to eavesdropping. To make matters worse, users are often unaware of this threat because sites and browsers reflect little information about how logins are handled. As a first step towards solving this problem, we develop techniques for measuring logins on browsers to predict how logins would be handled before they are submitted. We demonstrate that achieving this goal requires instrumentation at the application layer and inside browsers. Specifically, network traces are not sufficient for determining login safety in general due to application-layer encryption; similarly, application-layer traces are insufficient because login submission logic may be generated in the browser at runtime. Based on a measurement study using login pages gathered from popular sites in addition to those visited by users through normal Web browsing, we found such predictions to be quite challenging due to a lack of any standard formats for Web logins. However, by applying a carefully chosen set of rules when measuring logins, we almost always correctly predict how logins will be handled.
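
The static part of such a prediction, as an added example that is not code from the paper: it finds forms containing a password field, resolves where each would submit, and reports "undetermined" when an inline script handler could change the submission at runtime, which is the case the abstract says needs in-browser instrumentation. The verdict labels, the handler rule, and the constructed sample page are assumptions for illustration, not the authors' rule set.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample page: one plain login form and one scripted login form.
SAMPLE = (
    '<form action="/login" method="post"><input type="password" name="p"></form>'
    '<form action="https://secure.example.test/auth" onsubmit="return send(this)">'
    '<input type="password" name="p"></form>'
)

class LoginFormFinder(HTMLParser):
    """Collect every <form> that contains a password field."""
    def __init__(self):
        super().__init__()
        self.forms = []     # finished forms that hold a password input
        self._form = None   # form currently being parsed

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._form = {"action": a.get("action"),
                          "scripted": "onsubmit" in a, "password": False}
        elif tag == "input" and self._form is not None:
            if (a.get("type") or "").lower() == "password":
                self._form["password"] = True
            if "onclick" in a:   # assumed rule: inline handler = runtime logic
                self._form["scripted"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._form is not None:
            if self._form["password"]:
                self.forms.append(self._form)
            self._form = None

def predict_logins(page_url, html):
    """Return one (target_url, verdict) pair per login form on the page."""
    finder = LoginFormFinder()
    finder.feed(html)
    results = []
    for form in finder.forms:
        # An absent or empty action submits back to the page's own URL.
        target = urljoin(page_url, form["action"] or "")
        if form["scripted"]:
            verdict = "undetermined"   # script may encrypt or retarget the login
        elif urlparse(target).scheme == "https":
            verdict = "encrypted"
        else:
            verdict = "cleartext"
        results.append((target, verdict))
    return results
```
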