PassSec+ - An add-on that protects your passwords, payment data and privacy
Entering sensitive information such as passwords and payment data is part of the everyday life of Internet users. When entering such information, it is important, first, that the connection to the website itself is secured (via HTTPS) and, second, that the data transfer after entering the sensitive data is secured (via HTTPS). It is also important to check that you are connected to the correct web server and that the sensitive information is transferred to the correct web server (usually the same web server).
PassSec+ helps you to better protect your passwords, payment data and other sensitive data. The information relevant to you is displayed in a way that makes it easy to interpret and offers understandable recommendations for appropriate actions. PassSec+ currently exists as a browser extension for both Mozilla Firefox and Google Chrome.
Currently, PassSec+ is being researched within the InUse project funded by the German Federal Ministry of Justice and Consumer Protection and the German Federal Agency for Agriculture and Food. A first version of the browser extension was developed as part of the
If you have checked the highlighted area of the URL - the domain (also called the who area) - (e.g., kit-shop.de and not kít-shop.de), then you can confirm this by clicking on the ‘I have checked the information’ button.
Thereafter, the frame is displayed in blue. This means that entering your data here is classified as a low risk since you have already specified that you know the website.
If the input field is displayed in green, then the domain of the accessed website has already been classified as low risk for you by the developers. This list was composed from the Alexa Top 100 websites, as well as websites of German banks, which have an Extended Validation certificate.
If the PassSec+ browser extension detects that there is a high risk of entering sensitive data on a web page, then the browser extension provides the corresponding input fields with a red background and a warning icon. PassSec+ distinguishes between insecure access to the web page (without HTTPS), a transfer to a different website and an insecure transfer of the sensitive data (without HTTPS) when submitting the form.
- If the website transfers sensitive data to a different website than the one accessed, you are given the opportunity to check the recipient domain of the data beforehand. If this connection between websites is insecure (without HTTPS), you will be informed of this and can decide whether you still want to enter the sensitive data.
- If the website you visited is accessed insecurely and a secure connection (HTTPS) is available, you will be offered to switch to it using the ‘Switch to https’ option. The next time this website is accessed, it will automatically switch to the secure connection (HTTPS).
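As an added illustration (not code from the PassSec+ project), the following JavaScript applies the three warning cases just listed, plus the who-area check from the domain paragraph above, to a page URL and a form action. The low-risk domain list and the "last two labels" rule for the who area are simplifying assumptions for this example.

```javascript
// Added example, not PassSec+'s own code. Classifies a sensitive input field
// into the colour scheme described on this page: red (high risk), green
// (built-in low-risk list), blue (user confirmed the domain), gray (otherwise).

// Constructed stand-in for the built-in low-risk list.
const LOW_RISK_DOMAINS = new Set(["example-bank.de"]);

// Approximation of the "who area": the last two labels of the hostname.
// A real extension would use a public-suffix list; this is a simplification.
function whoArea(hostname) {
  return hostname.toLowerCase().split(".").slice(-2).join(".");
}

// Flags hostnames with non-ASCII characters or punycode labels (e.g. kít-shop.de),
// i.e. the look-alike domains the user is asked to check by eye.
function looksLikeHomograph(hostname) {
  const labels = hostname.split(".");
  return /[^\x00-\x7f]/.test(hostname) || labels.some((l) => l.startsWith("xn--"));
}

function classifyField(pageUrl, formAction, userConfirmed = false) {
  const page = new URL(pageUrl);
  const action = new URL(formAction, pageUrl); // resolves relative actions like "/login"
  const findings = [];

  if (page.protocol !== "https:") findings.push("insecure-access");     // page loaded without HTTPS
  if (action.protocol !== "https:") findings.push("insecure-transfer"); // form submits without HTTPS
  if (whoArea(action.hostname) !== whoArea(page.hostname)) {
    findings.push("transfer-to-other-site:" + action.hostname);         // data leaves the visited site
  }
  if (looksLikeHomograph(page.hostname)) findings.push("possible-homograph");

  let color;
  if (findings.length > 0) color = "red";
  else if (LOW_RISK_DOMAINS.has(whoArea(page.hostname))) color = "green";
  else color = userConfirmed ? "blue" : "gray";
  return { color, findings };
}
```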
In the dialog shown here, an exception is added for accessing the management interface (http://fritz.box/) of the Internet router (here: Fritzbox) via an insecure connection. After adding this exception, no dialog appears anymore and there is no longer any input delay when logging in via http://fritz.box/, but the input field is still displayed with a red background.
Settings: If you want PassSec+ to secure additional input fields other than password and payment information fields, then you can select this under the advanced options in the PassSec+ settings:
For security reasons, PassSec+ will randomly select one of the following security icons for you, which will then appear in the appropriate color (gray, blue or green) next to the input field:
The selected security icon, known only to you and PassSec+, is intended to ensure that the classification of PassSec+, for example as secure, cannot be imitated (i.e., faked) by accessed malicious web pages. To fake the symbol, the web page would need to know the currently selected symbol.
If you do not see the selected security icon, you should be careful when entering sensitive data. In this case, PassSec+ could not detect the input field and thus could not check the security of entering the data.
You can always change the pre-selected icon in the settings. If a grey, blue or green framed input field with a different icon appears on a web page, you should never enter sensitive data such as passwords and payment details here.
- You can download PassSec+ for Chrome here. For Firefox, please use this link.
- If you are interested in the source code of this add-on, you can find it at GitHub.
Besides the InUse team, a number of students from the TU Darmstadt were involved: Kristoffer Braun, Kevin Kelpen, Joshua Ruf, Richard Stein, Hubert Strauß, Gildas Nya Tchabe and Simon Weiler. Johannes Wagener and Bettina Ballin have reworked the add-on for the new Firefox version. The regular expressions have been partly taken from the source code of Google Chromium. We would like to acknowledge Karen Renaud for helping us with the English version.
- Design and Field Evaluation of PassSec: Raising and Sustaining Web Surfer Risk Awareness. Melanie Volkamer, Karen Renaud, Kristoffer Braun, Gamze Canova, Benjamin Reinheimer. In: International Conference on Trust and Trustworthy Computing (TRUST), Springer, pp. 104-121, August 2015.
- Capturing Attention for Warnings about Insecure Password Fields - Systematic Development of a Passive Security Intervention. Nina Kolb, Steffen Bartsch, Melanie Volkamer, Joachim Vogt. In: 16th International Conference on Human-Computer Interaction (HCII 2014), Springer, June 2014.