PassSec+ - An add-on that protects your passwords, payment data and privacy

Entering sensitive information such as passwords and payment data is part of the everyday life of Internet users. When entering such information, first, it is important that the connection to the website itself is secured (via HTTPS) and, second, that the data transfer after entering the sensitive data is secured (via HTTPS). It is also important to check that you are connected to the correct web server and that the sensitive information is transferred to the correct web server (usually the same webserver).

PassSec+ helps you to better protect your passwords, payment data and other sensitive data. The information relevant to you is displayed in a way that makes it easy to interpret and offers understandable recommendations for appropriate actions. PassSec+ currently exists as a browser extension for both Mozilla Firefox and Google Chrome.

Currently, PassSec+ is being researched within the Helmholtz-Topics Engineering Secure Systems. A first version of the browser extension was developed as part of the InUse project funded by the German Federal Ministry of Justice and Consumer Protection and the German Federal Agency for Agriculture and Food .

Functionality

If PassSec+ detects that there are input fields on a web page, but the web page has been transferred from the server over a secure connection and you have not yet classified it as secure, then the frame is displayed in gray. In this case the risk is unknown.

If you click in the input field, then you will see the URL (also called web address) from which the web page was loaded.

If you have checked the highlighted area of the URL - the domain (also called who area) - (e.g., kit-shop.de and not kít-shop.de) then you can confirm this by clicking on the ‘I have checked the information button.
Thereafter, the frame is displayed in blue. This means that entering your data here is classified as a low risk since you have already specified that you know the website.

If the input field is displayed in green, then the domain of the accessed website has already been classified as low risk for you by the developers. This list was composed from the Alexa Top 100 websites, as well as websites of German banks, which have an Extended Validation certificate.

Note: You can disable the default list of developers that contains the trusted websites in the settings if you do not want to use this feature.

If the PassSec+ browser extension detects that there is a high risk of entering sensitive data on a web page, then the browser extension provides the corresponding input fields with a red background and a warning icon. PassSec+ distinguishes between insecure access to the web page (without HTTPS), a transfer to a different website and an insecure transfer of the sensitive data (without HTTPS) when submitting the form.

If you click in the red highlighted input field, then a dialog appears. Here the issue and possible consequences are explained. In addition, options for action are shown:

• If the website transfers sensitive data to a different website than the one accessed, you are given the opportunity to check the recipient domain of the data beforehand. If this connection between websites is insecure (without HTTPS), you will be informed of this and can decide whether you still want to enter the sensitive data.
• If the website you visited is accessed insecurely and a secure connection (HTTPS) is available, you will be offered to switch to it using the ‘Switch to https’ option. The next time this website is accessed, it will automatically switch to the secure connection (HTTPS).

If a secure connection is not available for the website you are visiting, you will be notified of this fact.

If you select the NOT recommended option 'Add an exception', a short dialog appears. Hereby, an exception for the combination of the domain of the accessed website, the domain to which the data is sent (usually the same domain) as well as its transmission type, i.e., whether secured (HTTPS) or unsecured (HTTP) is stored. However, you must first confirm this in a dialog with "Yes, I know what I am doing".

In the dialog shown here, an exception is added for accessing the management interface (http://fritz.box/) of the Internet router (here: Fritzbox) via an insecure connection. After adding this exception, no dialog appears anymore and there is no longer any input delay when logging in via http://fritz.box/, but the input field is still displayed with a red background.

Settings: If you want PassSec+ to secure additional input fields other then password and payment information fields, then you can select this under the advanced options in the PassSec+ settings:

For security reasons, PassSec+ will randomly select one of the following security icons for you, which will then appear in the appropriate color (gray, blue or green) next to the input field:    

The selected security icon, known only to you and PassSec+, is intended to ensure that the classification of PassSec+, for example as secure, cannot be imitated (i.e., can be faked) by accessed malicious web pages. To fake the symbol, the web page would need to know the currently selected symbol.

If you do not see the selected security icon, you should be careful when entering sensitive data. In this case, PassSec+ could not detect the input field and thus could not check the security of entering the data.

You can always change the pre-selected icon in the settings. If a grey, blue or green framed input field with a different icon appears on a web page, you should never enter sensitive data such as passwords and payment details here.

Download

• You can download PassSec+ for Chrome here For Firefox, please use this link.
• If you are interested in the source code of this add-on, you can find it at GitHub.

Besides of the InUse-team a number of students from the TU Darmstadt were involved:  Kristoffer Braun, Kevin Kelpen, Joshua Ruf, Richard Stein, Hubert Strauß, Gildas Nya Tchabe und Simon Weiler. Johannes Wagener and Bettina Ballin have reworked the add-on for the new Firefox version. The regular expressions have been partly taken from the source code of Google Chromium.  We would like to acknowledge Karen Renaud for helping us with the English version.

Publications

• Design and Field Evaluation of PassSec: Raising and Sustaining Web Surfer Risk Awareness: Melanie Volkamer, Karen Renaud, Kristoffer Braun, Gamze Canova, Benjamin Reinheimer. In: International Conference on Trust and Trustworthy Computing (TRUST), Springer, p. 104-121, August 2015
• Capturing Attention for Warnings about Insecure Password Fields - Systematic Development of a Passive Security Intervention: Nina Kolb, Steffen Bartsch, Melanie Volkamer, Joachim Vogt. In: 16th International Conference on Human-Computer Interaction (HCII 2014),Springer, June 2014 

Press Review

Backpackers Guide, Polizei Hessen, Süddeutsche Zeitung, C'T Zeitschrift, Darmstädter Echo, Technische Universität Darmstadt, Linuxmintusers, XING, Gesellschaft für Informatik, Krone.at