PassSec+ - An add-on that protects your passwords, payment data and privacy
Entering sensitive information, such as passwords and payment data, is part of everyday life for all Internet users. When entering such information, it is important first of all that data transmission is secured using HTTPS. Second, it is important to be connected to the authentic web service. PassSec+ supports you in protecting your passwords, bank details and other sensitive data. It displays the relevant information where and when it is needed, and the instructions aim to be as understandable as possible. The add-on is available for Firefox and Google Chrome.
It was developed in the context of the InUse project, which was funded by the Federal Ministry of Justice and Consumer Protection and the Bundesanstalt for Food and Agriculture.
Unfortunately, the add-on is currently only available with limited functionality because Firefox changed its API. It is currently not possible to distinguish between extended validation certificates and ‘normal’ ones. If you are interested in helping to fix these problems, let us know.
If PassSec+ detects that there are input fields on a web page and the information will indeed be transmitted via a secure connection, the frame will be displayed in orange.
If you activate an input field, the domain (e.g. google.com) of the server from which the website is loaded will be displayed next to the field.
After you have checked the domain, confirm this by clicking the button: “I have checked the destination“. Afterwards the frame will be displayed in green.
If the PassSec+ Add-On detects that a website asks for sensitive data and the data transmission is not secured (HTTPS), the add-on provides a red background and a warning icon.
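The two cases above (orange frame for a sensitive field that will be transmitted over HTTPS, red frame and warning for one that will not) come down to a per-field decision: is the field sensitive, and where will its contents actually be sent? The following is an added example, not code from PassSec+ itself, that makes that decision in plain JavaScript (it runs under Node, using the standard URL class). The sensitivity heuristics, the field and form objects, the sample page data and the "last two labels" domain shortcut are all assumptions constructed for the example; the real add-on uses regular expressions partly taken from Chromium and a browser-provided domain.

```javascript
// Added example (not PassSec+'s own code): decide, for one input field, whether
// it is sensitive and whether its contents will travel over HTTPS, and map that
// to the frame colour the add-on shows. Runs under Node (WHATWG URL class).

// Constructed heuristics for "sensitive" fields (assumption: the real add-on's
// regular expressions are partly taken from Chromium and differ from these).
const SENSITIVE_AUTOCOMPLETE = new Set([
  'current-password', 'new-password', 'cc-number', 'cc-csc', 'cc-exp',
]);
const SENSITIVE_NAME_RE = /(pass(word|wd)?|pwd|card(number|no)|ccnum|cvv|cvc|iban)/i;

function isSensitiveField(field) {
  if ((field.type || '').toLowerCase() === 'password') return true;
  if (SENSITIVE_AUTOCOMPLETE.has((field.autocomplete || '').toLowerCase())) return true;
  const hint = `${field.name || ''} ${field.id || ''}`;
  return SENSITIVE_NAME_RE.test(hint);
}

// Where the data will actually be sent: the form's action resolved against the
// page URL. An empty action means the form submits to the page URL itself.
function resolveTarget(pageUrl, action) {
  return new URL(action && action.trim() ? action : '', pageUrl);
}

// Label shown next to the field. Assumption: the last two host labels are the
// registrable domain; a public-suffix list is needed for names like example.co.uk.
function displayDomain(url) {
  const labels = url.hostname.split('.').filter(Boolean);
  return labels.slice(-2).join('.');
}

// Returns { sensitive, secure, frame, domain } where frame is 'orange' (sensitive,
// HTTPS), 'red' (sensitive, not HTTPS) or 'none' (field is not sensitive).
function classifyField(pageUrl, form, field) {
  const page = new URL(pageUrl);
  const target = resolveTarget(page, form.action);
  const sensitive = isSensitiveField(field);
  // Both the page and the submission target must be HTTPS: an HTTPS form action
  // on an HTTP page can still be rewritten by anyone on the network path.
  const secure = page.protocol === 'https:' && target.protocol === 'https:';
  const frame = !sensitive ? 'none' : (secure ? 'orange' : 'red');
  return { sensitive, secure, frame, domain: displayDomain(target) };
}

// Constructed sample fields: an HTTPS login, an HTTP checkout, an HTTPS page
// whose form posts to HTTP (mixed content), and a harmless search box.
const SAMPLE = [
  { page: 'https://accounts.example.com/login', form: { action: '' },
    field: { type: 'password', name: 'passwd' } },
  { page: 'http://shop.example.org/checkout', form: { action: '/pay' },
    field: { type: 'text', name: 'ccnum', autocomplete: 'cc-number' } },
  { page: 'https://shop.example.org/checkout', form: { action: 'http://legacy.example.org/pay' },
    field: { type: 'text', autocomplete: 'cc-csc' } },
  { page: 'https://www.example.com/search', form: { action: '/s' },
    field: { type: 'text', name: 'q' } },
];

function classifySample() {
  return SAMPLE.map(s => classifyField(s.page, s.form, s.field));
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const r of classifySample()) console.log(r);
}
```

The third sample is the case worth noticing: the page itself is HTTPS, so the browser's padlock is shown, yet the form posts to an HTTP address, so the field is still classified red. Checking the resolved form action rather than only the page URL is what catches it.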
If you activate the red input field to enter your password or payment information, a warning will appear. The problem and its possible consequences are explained. In addition, alternative courses of action are suggested; which ones depends on whether the website can also be accessed via a secure connection (HTTPS) or not. If a secure connection is available, the option ‘Safe Mode’ will be offered, as shown in the following figures.
If you select the recommended "Safe Mode" option, a short dialog appears. There you can see the domain of the server from which the web page is being loaded.
If you have checked the displayed domain, confirm this by clicking the Okay button. The frame will subsequently be displayed in green.
If the website does not offer an alternative secure option, we recommend that you use a different password for this website or preferably a different service. Payment data should never be transmitted unsecured.
If you select the ill-advised “add exception” option, a short dialog appears. You will see a reminder of the domain (e.g. amazon.de) of the server. Check the domain before entering sensitive data.
PassSec+ automatically checks every website that transmits information insecurely: it queries a search engine (currently either Startpage or Google) for the website address and checks whether that address is among the first hits returned. If the search engine corrects the query (e.g. to microsoft.de), a warning dialog containing supporting information will be displayed. You should leave the current page and not enter any sensitive or personal data, because it is likely to be a phishing website.
Settings: If you want the add-on to examine more fields for a secure connection, you can change this behavior in the settings, under the advanced options.
For security reasons, PassSec+ randomly chooses one of the following symbols for you:
You can change the pre-selected icon at any time via the settings. If you visit a website and there is a green frame with a different symbol from the one assigned to you, you should not enter sensitive information such as passwords and payment data under any circumstances.
The FAQs (frequently asked questions) can be found here.
- You can download PassSec+ for Chrome here. For Firefox, please use this link.
- If you are interested in the source code of this add-on, you can find it at GitHub.
Besides the InUse team, a number of students from TU Darmstadt were involved: Kristoffer Braun, Kevin Kelpen, Joshua Ruf, Richard Stein, Hubert Strauß, Gildas Nya Tchabe and Simon Weiler. Johannes Wagener and Bettina Ballin have reworked the add-on for the new Firefox version. The regular expressions have been partly taken from the source code of Google Chromium. We would like to thank Karen Renaud for helping us with the English version.
- Design and Field Evaluation of PassSec: Raising and Sustaining Web Surfer Risk Awareness. Melanie Volkamer, Karen Renaud, Kristoffer Braun, Gamze Canova, Benjamin Reinheimer. In: International Conference on Trust and Trustworthy Computing (TRUST), Springer, pp. 104-121, August 2015.
- Capturing Attention for Warnings about Insecure Password Fields: Systematic Development of a Passive Security Intervention. Nina Kolb, Steffen Bartsch, Melanie Volkamer, Joachim Vogt. In: 16th International Conference on Human-Computer Interaction (HCII 2014), Springer, June 2014.