Philosophically informed analyses of the values and value conflicts involved in the system
Technical investigations
Identify existing or develop new technical mechanisms; investigate their suitability to support or not support the values we wish to further
Empirical investigations
Using techniques from the social sciences, investigate issues such as: Who are the stakeholders? Which values are important to them? How do they prioritize these values?
Browser software mediates communication between a client (typically an end user) and a server
After a remote site has exercised a capability, the Web browser software has no control over what the remote site does with the information or other actions that the site may take.
The Unique Role of the Web Browser
With respect to Informed Consent
Disclosure:
Whether the user is notified about a server request
Harms / Benefits?
Comprehension: (to a large extent)
Controls the content of the notification (if any)
Agreement:
User’s opportunity to agree/decline to place a cookie (prompting)
Ongoing: how to withdraw from the agreement (obscure locations)?
The Unique Role of the Web Browser
With respect to Informed Consent
Minimal distraction
IE: acceptance/declination of third-party cookies by the user (one by one)
Voluntariness?
Browser or Website?
Competence (cookies)?
Browser or Website?
Design Goals
Enhance users’ local understanding of cookie events as the events occur with minimal distraction to the user
Preset agreement policy that applies to all cookies of a specified type
Minimizes user distraction at the expense of rote decision-making, disclosure and comprehension
Explicitly accept or decline each cookie one at a time
Supports the criterion of disclosure but at the expense of extreme distraction
Middle ground?
Design Goals
Enhance users’ global understanding of the common uses of cookie technology
Including potential benefits and risks associated with those uses
A necessary piece of disclosure and comprehension
Design Goals
Enhance users’ ability to manage cookies
Particularly with respect to easy viewing of cookie information and ongoing control over the lifetime and removal of cookies.
Agreement is ongoing: the user had no easy means (1999 browser technology) to remove the previously set cookies and thereby revoke consent
Achieve design goals 1, 2 and 3 while minimizing distraction for the user
Secure Connections: Different Evidences
For a suspicious (!) site, the Address bar turns yellow and displays a warning label but still allows data entry
“… we turn the entire address bar a bright shade of yellow at secure sites.
It's impossible to miss;
the connection with the page “is clear” because it highlights the page address;
and it's “obvious” what it means because it's punctuated by a large lock.”
- Blake Ross
(Screenshots: Firefox and IE 7 Beta address bars)
Secure Connections: Your opinion?
Fits in the status bar (IE 6):
No encryption
Secure Connection (Certificate is OK)
“Secure” Connection (Problem with Certificate)
GMail: Questions related to Informed Consent
Machines reading personal content
“… a privacy violation concerns the act of intrusion upon the self, independent of the state of mind (or knowledge) of the intruder.” - Edward Bloustein
Spam filters?
Indirect stakeholders
Targeted advertisements should not be allowed without the consent of all parties involved in an email exchange. Gmail does not obtain the consent of the email sender. How could it?
Automatic reply: once (the first time) and for all, make the sender agree to the Gmail TOS (something similar to mailblocks.com for verifying that an email was sent by a human)
Hardening Web Browsers Against Man in the Middle and Eavesdropping Attacks
Haidong Xia and Jose Carlos Brustoloni
Usability of Web Browser security
Man-In-The-Middle (MITM) attacks
Eavesdropping attacks
Several tools available
Man-In-The-Middle (MITM) attacks
The public keys of major CAs (e.g., Verisign) are embedded in many client applications (e.g., Web browsers).
Common sources of certificate verification failure
The browser may not know the public key of the CA that issued the server’s certificate
Internal web server (used only by members of the organization)
Own CA: its public key is installed in the browser (no verification errors)
Large number of users / user-owned computers (installing the CA key is harder)
Issuer’s or the server’s certificate may be expired
Common sources of certificate verification failure
Server may have presented a certificate whose common name field does not match the server’s fully qualified domain name
Attacker can obtain a CA-issued certificate under his own identity and present it for a server he does not own
Attacker may have stolen the certificate (along with the private key)
Mismatches at subdomain level not very risky (unless a very sophisticated attack is mounted)
Allow user to proceed
Other cases more serious
Ch. 28
Common sources of certificate verification failure
Context Sensitive Certificate Verification
Clarify the relationship between the user and the server’s (non-verified) certificate
Not giving the user override mechanisms
Distribute signed certificates of the internal servers out of band
Take advantage of typically unused certificate fields:
CA’s contact information (field: issuer alternative name)
CA administrator’s name, address, telephone and fax numbers, and work hours.
Context Sensitive Certificate Verification
Specific Password Warnings
Helps prevent eavesdropping
Allow overriding
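The following is an added example, not code from the slides or from Xia and Brustoloni's modified browser: a toy model of the two decisions described above, the certificate triage (unknown CA, expiry, common-name mismatch, with the CSCV idea of surfacing the CA's contact details from the issuer alternative name field) and the SPW check before a password form is submitted. Certificates are plain dicts constructed here, the trust store and domain rule are assumptions, and treating a non-verified certificate as unprotected in the SPW check is also an assumption of this example.

```python
from datetime import date
from urllib.parse import urljoin, urlsplit

# Constructed trust store: CA names whose public keys this toy browser "embeds"
TRUSTED_CAS = {"Verisign"}

def registrable_domain(host):
    # Toy rule: last two labels (assumption; real browsers need the public suffix list)
    return ".".join(host.lower().split(".")[-2:])

def verify_certificate(cert, host, today, trusted=TRUSTED_CAS):
    """Triage a server certificate as the slides describe.
    Returns (verdict, detail), verdict in {'ok', 'allow-with-warning', 'block'}."""
    if cert["issuer"] not in trusted:
        # CSCV: take the CA's contact details from issuerAltName so the dialog can
        # tell the user how to obtain the CA certificate out of band
        contact = cert.get("issuer_alt_name", "no contact information in certificate")
        return "block", f"unknown CA {cert['issuer']!r}; CA contact: {contact}"
    if not (cert["not_before"] <= today <= cert["not_after"]):
        return "block", "certificate expired or not yet valid"
    cn = cert["common_name"].lower()
    if cn == host.lower():
        return "ok", "common name matches host"
    if registrable_domain(cn) == registrable_domain(host):
        # Subdomain-level mismatch: the slides treat this as low risk
        return "allow-with-warning", f"subdomain-level mismatch: {cn} vs {host}"
    return "block", f"common name {cn!r} does not match {host!r}"

def password_warning(page_url, form_action, cert_verdict):
    """SPW: warning text to show before a password form is submitted, or None.
    Assumption of this example: a non-verified certificate counts as unprotected."""
    target = urlsplit(urljoin(page_url, form_action))
    if target.scheme != "https":
        return f"password would be sent in clear text to {target.netloc}"
    if cert_verdict != "ok":
        return f"password would go to {target.netloc}, whose certificate was not verified"
    return None

# Constructed sample certificates, loosely modelled on the study's first two sites
SAMPLE_CERTS = {
    "university": {"issuer": "Pitt Internal CA", "common_name": "points.pitt.example",
                   "issuer_alt_name": "ca-admin@pitt.example, +1 555 0100, 9am-5pm",
                   "not_before": date(2005, 1, 1), "not_after": date(2006, 1, 1)},
    "merchant": {"issuer": "Verisign", "common_name": "shop.example",
                 "not_before": date(2005, 1, 1), "not_after": date(2006, 1, 1)},
}

def run_demo(today=date(2005, 6, 1)):
    # The third study site (webmail) has no certificate at all: plain HTTP
    uni = verify_certificate(SAMPLE_CERTS["university"], "points.pitt.example", today)
    shop = verify_certificate(SAMPLE_CERTS["merchant"], "www.shop.example", today)
    mail = password_warning("http://mail.example/login", "/auth", None)
    return {"university": uni[0], "merchant": shop[0], "webmail_warning": mail}
```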
Specific Password Warnings
User Studies
Computer literate users (CLU)
Evaluate:
Likelihood of successful attack in representative security-sensitive Web applications
Possibility of “foolproofing” web browsers, so they can be used securely even by untrained CLUs
Can education about the relevant security principles, attacks, and tools improve the security of how users browse the Web?
Note: This last hypothesis is not covered in this presentation
Study’s Design
17 participants (majors from Pitt’s CS department)
Two studies:
Unmodified browser (IE)
Modified Mozilla Firebird 0.6.1 with CSCV and SPW
No feedback given between these two studies
Study’s Design
Visit three fictional but realistic Web sites where students were assigned password protected accounts
The first site: maintained by the students’ university.
It allows students to monitor the respective reward points (earned by doing well in exams, independent studies, etc.)
HTTPS + Certificate issued by internal CA
The second site: maintained by a remote e-merchant not affiliated with the university.
Students can spend their reward points, (e.g. to buy books, CDs, etc.)
HTTPS + bogus certificate
The third site provides access to users’ Web email accounts
HTTP only (no certificate)
Study’s Design: scoring of users’ actions
Score (points)   User’s Action
100              Chose not to access the 2nd and 3rd site insecurely
100              Correctly obtained and installed the issuing CA’s certificate
50               Simply did not visit the site insecurely
0                Accessed a site despite lack of security
Study’s Results
With current users and Web browsers, the mentioned attacks are alarmingly likely to succeed.
More often than not, users’ behavior defeats the existing Web security mechanisms.
CSCV blocked MITM attacks against HTTPS-based applications completely.
SPW greatly reduced the insecure transmission of passwords in an HTTP-based application.
Although untrained, users had little trouble using CSCV and SPW.
Participation
Disagreements about Secure Connections
Propose some ideas for representing secure connections in web browsers