Web browser privacy and security (I)

March 21st, 2006

Ricardo Villamarin-Salomon

Slide transcript (56 slides)

Page 1: Title slide: Web browser privacy and security (I), March 21st, 2006, Ricardo Villamarin-Salomon

Page 2: Outline

♦ Web Browser Insecurity

♦ Informed Consent by Design

♦ Hardening Web Browsers Against Man in the Middle and Eavesdropping Attacks

♦ Participation

Page 3: Web Browser Insecurity

♦ Targeted attacks on Web applications and Web browsers are increasingly becoming the focal point for cyber criminals.

Traditional attack activity: motivated by curiosity and a desire to show off technical virtuosity

Current threats are motivated by profit: identity theft, extortion, and fraud, for financial gain.

Page 4: Worry-free web?

[Chart] Source: secunia.com, date 2006-March-19. Original idea: ZDNet.com. Revision & update (March 2006): me.

Page 5: Web Browser vulnerabilities, vendor confirmed

[Chart] Source: Symantec Internet Security Threat Report (Vol. IX)

Page 6: Web Browser vulnerabilities, confirmed & non-confirmed by vendor

[Chart] Source: Symantec Internet Security Threat Report (Vol. IX)

Page 7: Some Common Vulnerabilities (CERT)

♦ ActiveX Controls

♦ Java applets (bypassing the sandbox’s restrictions)

♦ Cross-Site Scripting (mainly faults of web sites)

e.g., http://host.com/modules.php?op=modload&name=XForum&file=[hostilejavascript]&fid=2

♦ Cross-Zone and Cross-Domain Vulnerabilities: the prevention of a web site from accessing data in a different domain (or zone) is broken

♦ Malicious Scripting, Active Content, and HTML

♦ Spoofing: as it relates to web browsers, spoofing is a term used to describe methods of faking various parts of the browser user interface.

Page 8: Informed Consent for Information Systems

Batya Friedman, Peyina Lin, and Jessica K. Miller

Page 9: Value Sensitive Design

♦ Design of Information and Computer Systems that accounts for human values

♦ Value Sensitive Design is an interactional theory

In general, we don’t view values as inherent in a given technology

However, we also don’t view a technology as value-neutral

Rather, some technologies are more suitable than others for supporting given values

♦ Key task of VSD: Investigate these “value suitabilities” (along with what values and whose values)

© Batya Friedman 2003

Page 10: VSD’s Tripartite Methodology

♦ Conceptual investigations: philosophically informed analyses of the values and value conflicts involved in the system

♦ Technical investigations: identify existing or develop new technical mechanisms; investigate their suitability to support or not support the values we wish to further

♦ Empirical investigations: using techniques from the social sciences, investigate issues such as: Who are the stakeholders? Which values are important to them? How do they prioritize these values?

♦ These are applied iteratively and integratively

© Batya Friedman 2003

Page 11: Direct and Indirect Stakeholders

♦ Direct stakeholders: Interact with the system being designed and its outputs

♦ Indirect stakeholders: Don’t interact directly with the system, but are affected by it in significant ways

© Batya Friedman 2003

Page 12: Model of Informed Consent for Information Systems

1. Disclosure

2. Comprehension

3. Voluntariness

4. Competence

5. Agreement

6. Minimal Distraction

Page 13: NS 3.04 Cookie Warning Dialog Box (screenshot)

Page 14: NS 4.03 Cookie Settings (screenshot)

Page 15: IE 4.0 Cookie Warning Dialog Box (screenshot)

Page 16: IE 5.0 Custom Cookie Settings (screenshot)

Page 17: The Unique Role of the Web Browser

♦ Browser software mediates communication between a client (typically an end user) and a server

♦ After a remote site has exercised a capability, the Web browser software has no control over what the remote site does with the information or other actions that the site may take.

Page 18: The Unique Role of the Web Browser

♦ With respect to Informed Consent

Disclosure: whether the user is notified about a server request. Harms / benefits?

Comprehension: the browser (to a large extent) controls the content of the notification (if any)

Agreement: the user’s opportunity to agree to or decline the placing of a cookie (prompting). Ongoing: how to withdraw from the agreement (obscure locations)?

Page 19: The Unique Role of the Web Browser

♦ With respect to Informed Consent

Minimal distraction: IE: acceptance/declination of third-party cookies by the user (one by one)

Voluntariness? Browser or Website?

Competence (cookies)? Browser or Website?

Page 20: Design Goals

1. Enhance users’ local understanding of cookie events as the events occur, with minimal distraction to the user

Preset agreement policy that applies to all cookies of a specified type: minimizes user distraction at the expense of rote decision-making, disclosure and comprehension

Explicitly accept or decline each cookie one at a time: supports the criterion of disclosure but at the expense of extreme distraction

Middle ground?

Page 21: Design Goals

2. Enhance users’ global understanding of the common uses of cookie technology, including the potential benefits and risks associated with those uses

A necessary piece of disclosure and comprehension

Page 22: Design Goals

3. Enhance users’ ability to manage cookies, particularly with respect to the easy viewing of cookie information and on-going control over the lifetime and removal of cookies.

Agreement is ongoing: the user had no easy means (1999 browser technology) to remove previously set cookies and thereby revoke consent

4. Achieve design goals 1, 2 and 3 while minimizing distraction for the user
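The trade-off on slides 20 to 22 (a preset policy per cookie type versus prompting for every cookie, plus the ability to revoke agreement later) as a small policy engine. This is an added illustration, not code from the Friedman, Lin and Miller work or from the Cookie-Watcher/Cookie-Panel extension; the cookie type names, the preset table and the sample cookies are this example's own assumptions.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed preset policy, keyed by cookie type. None marks the "middle ground":
# no preset applies, so the browser discloses that cookie and prompts for it alone.
PRESET = {
    "first-party-session": "accept",
    "first-party-persistent": None,
    "third-party-session": "decline",
    "third-party-persistent": "decline",
}


def cookie_type(set_cookie, page_url):
    """Classify a Set-Cookie header as first/third party and session/persistent."""
    jar = SimpleCookie()
    jar.load(set_cookie)
    morsel = next(iter(jar.values()))
    page_host = urlsplit(page_url).hostname
    domain = (morsel["domain"] or page_host).lstrip(".")
    first = page_host == domain or page_host.endswith("." + domain)
    persistent = bool(morsel["expires"] or morsel["max-age"])
    kind = ("first" if first else "third") + "-party-" + ("persistent" if persistent else "session")
    return kind, morsel.key, domain


class CookieConsent:
    """Preset decisions where they exist, prompt otherwise, and log so agreement can be revoked."""

    def __init__(self, preset=PRESET, ask=None):
        self.preset = preset
        self.ask = ask            # callable(name, domain, kind) -> "accept" / "decline"
        self.log = []

    def decide(self, set_cookie, page_url):
        kind, name, domain = cookie_type(set_cookie, page_url)
        decision = self.preset.get(kind)
        if decision is None:      # not covered by a preset: disclose and ask for this one only
            decision = self.ask(name, domain, kind) if self.ask else "decline"
        self.log.append({"name": name, "domain": domain, "type": kind, "decision": decision})
        return decision

    def revoke(self, domain):
        """Ongoing agreement: withdraw consent for a domain; returns the cookie names to delete."""
        revoked = [e["name"] for e in self.log if e["domain"] == domain and e["decision"] == "accept"]
        self.log = [e for e in self.log if e["domain"] != domain]
        return revoked
```

With this table only first-party persistent cookies interrupt the user, which is the middle ground the slide asks about; the log is what the "ongoing control" of design goal 3 needs.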

Page 23: (screenshot) © Batya Friedman 2003

Page 24: (screenshot) © Batya Friedman 2003

Page 25: (screenshot) © Batya Friedman 2003

Page 26: (screenshot) © Batya Friedman 2003

Page 27: (screenshot) © Batya Friedman 2003

Page 28: (image slide, no text)

Page 29: (image slide, no text)

Page 30: Renamed to “Cookie-Panel”

♦ https://addons.mozilla.org/extensions/moreinfo.php?id=1375

Page 31: Secure Connections

♦ Informing through interaction design

Page 32: Secure Connections: Different Evidences

For a suspicious (!) site, the Address bar turns yellow and displays a warning label but still allows data entry

“… we turn the entire address bar a bright shade of yellow at secure sites. 1. It's impossible to miss; 2. the connection with the page ‘is clear’ because it highlights the page address; 3. and it's ‘obvious’ what it means because it's punctuated by a large lock.”

- Blake Ross

[Screenshots: Firefox; IE 7 Beta]

Page 33: Secure Connections: Your opinion?

Fits in the status bar (IE 6):

No encryption

Secure Connection (Certificate is OK)

“Secure” Connection (Problem with Certificate)

Page 34: GMail: Questions related to Informed Consent

♦ Machines reading personal content: “… a privacy violation concerns the act of intrusion upon the self, independent of the state of mind (or knowledge) of the intruder” - Edward Bloustein

Spam filters?

♦ Indirect stakeholders: targeted advertisements should not be allowed without the consent of all parties involved in an email exchange. Gmail does not obtain the consent of the email sender. How?

Automatic reply: once (the first time) and for all, make the sender agree to the Gmail TOS (something similar to mailblocks.com for verifying that an email was sent by a human)

Page 35: Hardening Web Browsers Against Man in the Middle and Eavesdropping Attacks

Haidong Xia and Jose Carlos Brustoloni

Page 36: Usability of Web Browser security

♦ Man-In-The-Middle (MITM) attacks

♦ Eavesdropping attacks

♦ Several tools available

Page 37: Man-In-The-Middle (MITM) attacks

♦ The public keys of major CAs (e.g., Verisign) are embedded in many client applications (e.g., Web browsers).

Page 38: Common sources of certificate verification failure

1. The browser may not know the public key of the CA that issued the server’s certificate

Internal web server (used only by members of the organization)

Own CA: public key installed in the browser (no verification errors)

Large number of users / user-owned computers

2. The issuer’s or the server’s certificate may be expired

Page 39: Common sources of certificate verification failure

3. The server may have presented a certificate whose common name field does not match the server’s fully qualified domain name

♦ An attacker can use his own identity with a CA-generated certificate

♦ An attacker may have stolen the certificate (along with the private key)

♦ Mismatches at the subdomain level are not very risky (unless a very sophisticated attack is mounted): allow the user to proceed

♦ Other cases are more serious

♦ Ch. 28

Page 40: Common sources of certificate verification failure (image slide, no further text)

Page 41: Common sources of certificate verification failure (image slide, no further text)

Page 42: Context Sensitive Certificate Verification (CSCV)

♦ Clarify the relationship between the user and the server’s (non-verified) certificate, rather than giving the user override mechanisms

♦ Distribute signed certificates of the internal servers out of band

♦ Take advantage of typically unused certificate fields: the CA’s contact information (field: issuer alternative name), i.e. the CA administrator’s name, address, telephone and fax numbers, and work hours.
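The three failure sources from slides 38 and 39 and the CSCV decision rule from slide 42, as an added example that is not code from the Xia and Brustoloni browser modification. It works on constructed certificate records (plain dicts, with this example's own field names rather than X.509 ones) and a constructed trust store; the hostname rules (one-label wildcard, "same registered domain" meaning the last two labels agree) are simplifications assumed here.

```python
from datetime import datetime, timezone

# Constructed trust store: the CA public keys "embedded in the browser" (slide 37).
TRUSTED_CAS = {"Example Public CA"}

# Constructed sample certificates; field names are this example's own, not X.509 names.
INTERNAL_CERT = {  # internal rewards server, issued by the university's own CA
    "issuer": "Example University CA",
    "common_name": "rewards.example.edu",
    "not_after": datetime(2007, 1, 1, tzinfo=timezone.utc),
    "issuer_alt_name": "CA admin: Jane Doe, ca-admin@example.edu, +1 555 0100, Mon-Fri 9-17",
}
MERCHANT_CERT = {  # issued by a known CA, but the name on it is not the merchant's host
    "issuer": "Example Public CA",
    "common_name": "www.example.com",
    "not_after": datetime(2007, 1, 1, tzinfo=timezone.utc),
}
NOW = datetime(2006, 3, 21, tzinfo=timezone.utc)


def hostname_matches(cert_name, host):
    """Exact match, or a one-label wildcard such as *.example.com."""
    if cert_name.startswith("*."):
        return "." in host and host.split(".", 1)[1] == cert_name[2:]
    return cert_name == host


def same_registered_domain(cert_name, host):
    """Mismatch only 'at the subdomain level': the last two labels agree."""
    return cert_name.lstrip("*.").split(".")[-2:] == host.split(".")[-2:]


def verify(cert, host, now=NOW, trusted=TRUSTED_CAS):
    """Classify the failure sources of slides 38-39 and apply the CSCV rule.
    Returns (decision, reasons): 'ok', 'warn' (user may proceed) or 'block' (no override)."""
    reasons = []
    if cert["issuer"] not in trusted:                    # 1. CA unknown to the browser
        reasons.append("unknown-ca")
    if now > cert["not_after"]:                          # 2. certificate expired
        reasons.append("expired")
    if not hostname_matches(cert["common_name"], host):  # 3. CN / FQDN mismatch
        if same_registered_domain(cert["common_name"], host):
            reasons.append("subdomain-mismatch")
        else:
            reasons.append("name-mismatch")
    if not reasons:
        return "ok", reasons
    # Only the low-risk subdomain-level mismatch lets the user proceed; all else blocks.
    return ("warn" if reasons == ["subdomain-mismatch"] else "block"), reasons


def ca_contact(cert):
    """What CSCV shows instead of an override button: how to reach the CA (issuer alt name)."""
    return cert.get("issuer_alt_name", "no CA contact information in certificate")
```

For the internal server the fix is not an override but installing the university CA's public key (pass it in `trusted`), which is what the study scored as the correct action.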

Page 43: Context Sensitive Certificate Verification (image slide, no further text)

Page 44: (image slide, no text)

Page 45: (image slide, no text)

Page 46: Specific Password Warnings (SPW)

♦ Helps prevent eavesdropping

♦ Allows overriding
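The check behind a specific password warning, as an added example (not the Xia and Brustoloni browser code): scan a page for forms that carry a password field and flag those whose submission target is not HTTPS, keeping a set of hosts the user has already overridden. The two sample pages are constructed here; the first mirrors the study's third site (webmail over plain HTTP).

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormScanner(HTMLParser):
    """Records each <form>: its action attribute and whether it holds a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "text").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def password_warnings(page_url, html, overrides=frozenset()):
    """One warning per form that would send a password over a non-HTTPS connection.
    overrides: hosts for which the user already chose to proceed (SPW allows overriding)."""
    scanner = _FormScanner()
    scanner.feed(html)
    warnings = []
    for form in scanner.forms:
        if not form["has_password"]:
            continue
        # An empty action submits to the page itself; relative actions resolve against it.
        target = urlsplit(urljoin(page_url, form["action"]))
        if target.scheme == "https":
            continue  # encrypted: nothing to warn about
        warnings.append({
            "host": target.hostname,
            "scheme": target.scheme,
            "status": "overridden" if target.hostname in overrides else "warn",
        })
    return warnings


# Constructed pages: the study's third site (webmail login over plain HTTP), and a mixed
# case where an HTTPS page posts its login form to an HTTP URL.
WEBMAIL_PAGE = ("http://webmail.example.org/login",
                '<form action=""><input name="u"><input type="password" name="p"></form>'
                '<form action="/search"><input name="q"></form>')
MIXED_PAGE = ("https://rewards.example.edu/",
              '<form action="http://rewards.example.edu/auth"><input type="PASSWORD" name="pw"></form>')
```

The warning is raised before submission, on the resolved action URL rather than the page URL, so a secure page that posts credentials to an insecure endpoint is still caught.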

Page 47: Specific Password Warnings (image slide, no further text)

Page 48: Specific Password Warnings (image slide, no further text)

Page 49: User Studies

♦ Computer-literate users (CLU)

♦ Evaluate:

Likelihood of a successful attack in representative security-sensitive Web applications

Possibility of “foolproofing” web browsers, so they can be used securely even by untrained CLUs

Can education about the relevant security principles, attacks, and tools improve the security of how users browse the Web?

Note: This last hypothesis is not covered in this presentation

Page 50: Study’s Design

♦ 17 participants (majors from Pitt’s CS department)

♦ Two studies:

Unmodified browser (IE)

Modified Mozilla Firebird 0.6.1 with CSCV and SPW

♦ No feedback given between these two studies

Page 51: Study’s Design

♦ Visit three fictional but realistic Web sites where students were assigned password-protected accounts

♦ The first site: maintained by the students’ university. It allows students to monitor their reward points (earned by doing well in exams, independent studies, etc.). HTTPS + certificate issued by an internal CA

♦ The second site: maintained by a remote e-merchant not affiliated with the university. Students can spend their reward points (e.g. to buy books, CDs, etc.). HTTPS + bogus certificate

♦ The third site: provides access to users’ Web email accounts. HTTP only (no certificate)

Page 52: Study’s Design

User’s action: score (points)

Accessed a site despite lack of security: 0

Simply did not visit the site insecurely: 50

Correctly obtained and installed the issuing CA’s certificate: 100

Chose not to access the 2nd and 3rd site insecurely: 100

Page 53: Study’s Results

♦ With current users and Web browsers, the mentioned attacks are alarmingly likely to succeed.

More often than not, users’ behavior defeats the existing Web security mechanisms.

♦ CSCV blocked MITM attacks against HTTPS-based applications completely.

♦ SPW greatly reduced the insecure transmission of passwords in an HTTP-based application.

♦ Although untrained, users had little trouble using CSCV and SPW.

Page 54: Participation

Page 55: Disagreements about Secure Connections

♦ Propose some ideas for representing secure connections in web browsers

Page 56: Thank you!