Hardening Web Browsers Against Man-in-the-Middle and Eavesdropping Attacks
2005
Cited by 10 (1 self)
Existing Web browsers handle security errors in a manner that often confuses users. In particular, when a user visits a secure site whose certificate the browser cannot verify, the browser typically allows the user to view and install the certificate and connect to the site despite the verification failure. However, few users understand the risk of man-in-the-middle attacks and the principles behind certificate-based authentication. We propose context-sensitive certificate verification (CSCV), whereby the browser interrogates the user about the context in which a certificate verification error occurs. Considering the context, the browser then guides the user in handling and possibly overcoming the security error. We also propose specific password warnings (SPW) when users are about to send passwords in a form vulnerable to eavesdropping. We performed user studies to evaluate CSCV and SPW. Our results suggest that CSCV and SPW can greatly improve Web browsing security and are easy to use even without training. Moreover, CSCV had greater impact than did staged security training.
Virtual Prepaid Tokens for Wi-Fi Hotspot Access
In Proc. 29th Intl. Conf. Local Computer Networks (LCN), IEEE, 2004
Cited by 2 (1 self)
We introduce virtual prepaid tokens (VPTs), a novel billing scheme that allows users to obtain access at Wi-Fi hotspots without having an account with a hotspot provider or a physical prepaid token (PPT). Upon arrival at a hotspot, a user buys a VPT online, using a third-party payment server with which the user already has an account. Experiments show that users can buy a VPT and gain full Internet connectivity in less than 15 seconds, i.e. much less time than it would take to create another account or to buy and activate a PPT. VPTs can be used in hotspots that use a captive portal or 802.1x for user authentication. The latter alternative enables better security. We also contribute a novel technique that allows a single access point to authenticate users by either method. Hotspots can use this solution for migrating to 802.1x without disrupting legacy captive-portal users. Experiments demonstrate that the proposed technique has little overhead and interoperates broadly.
Authentication: How to Avoid MAC Address Spoofing in Wireless LANs
Abstract—It is well known that in wireless local area networks, authenticating nodes by their MAC addresses is not secure since it is very easy for an attacker to learn one of the authorized addresses and change his MAC address accordingly. In this paper, in order to prevent MAC address spoofing attacks, we propose to use dynamically changing MAC addresses and make each address usable for only one session. The scheme we propose does not require any change in 802.11 protocols and incurs only a small performance overhead. One of the nice features of our new scheme is that no third party can link different communication sessions of the same user by monitoring MAC addresses; therefore, our scheme is preferable also with respect to user privacy. Keywords—Authentication, MAC address spoofing, security, wireless networks.
Using Randomized Association ID to Detect and Prevent Spoofed PS-Poll Based Denial of Service Attacks in IEEE 802.11 WLANs
Abstract: Wireless Local Area Networks (WLAN) provide connectivity along with flexibility at low cost. Appreciating the exponential growth in this area, the Institute of Electrical and Electronics Engineers (IEEE) ratified IEEE standard 802.11 in 1999, which was widely accepted as the de facto industry standard for interconnection of portable devices. Due to the scarcity of battery power in portable devices operating in WLANs, IEEE 802.11 directly addressed the issue of Power Saving (PS) and defined a whole mechanism to allow stations (STA) to go into sleep mode without losing information, as the Access Point (AP) keeps buffering the messages directed to the sleeping STA. Growing use of IEEE 802.11 led to the identification of flaws in the security specifications of the standard known as Wired Equivalent Privacy (WEP). These flaws were addressed by the introduction of amendments/enhancements. However, IEEE's security enhancements failed to achieve desired objectives, especially availability, which is the main concern of any network administrator. Identity theft due to unauthenticated management and control frames left a window open for hackers to launch successful Denial of Service (DoS) attacks. The PS functions of 802.11 present several identity-based vulnerabilities, exploiting which, an attacker can spoof a polling message on behalf of the STA and cause the AP to discard buffered packets of the client while it is asleep. As a result, an attacker can block the victim STA from receiving frames from the AP, thus launching a successful DoS attack. The mechanism proposed in [1] addresses

