Web browser privacy and security
Published on www.secguru.com
1. Web browser privacy and security (I)
   March 21st, 2006
   Ricardo Villamarin-Salomon

2. Outline
   - Web Browser Insecurity
   - Informed Consent by Design
   - Hardening Web Browsers Against Man in the Middle and Eavesdropping Attacks
   - Participation

3. Web Browser Insecurity
   - Targeted attacks on Web applications and Web browsers are increasingly becoming the focal point for cyber criminals.
     - Traditional attack activity: motivated by curiosity and a desire to show off technical virtuosity
     - Current threats are motivated by profit: identity theft, extortion, and fraud, for financial gain.

4. Worry-free web? (chart)
   Source: secunia.com, 2006-March-19. Original idea: ZDNet.com. Revision and update (March 2006): the presenter.

5. Web Browser vulnerabilities, vendor confirmed (chart)
   Source: Symantec Internet Security Threat Report (Vol. IX)

6. Web Browser vulnerabilities, confirmed and non-confirmed by vendor (chart)
   Source: Symantec Internet Security Threat Report (Vol. IX)

7. Some Common Vulnerabilities (CERT)
   - ActiveX Controls
   - Java applets (bypassing the sandbox's restrictions)
   - Cross-Site Scripting (mainly faults of web sites)
     - e.g. http://host.com/modules.php?op=modload&name=XForum&file=[hostilejavascript]&fid=2
   - Cross-Zone and Cross-Domain Vulnerabilities
     - The mechanism that prevents a web site from accessing data in a different domain (or zone) is broken
   - Malicious Scripting, Active Content, and HTML
   - Spoofing: as it relates to web browsers, spoofing is a term used to describe methods of faking various parts of the browser user interface.

8. Informed Consent for Information Systems
   Batya Friedman, Peyina Lin, and Jessica K. Miller

9. Value Sensitive Design
   - Design of information and computer systems that accounts for human values
   - Value Sensitive Design is an interactional theory
     - In general, we don't view values as inherent in a given technology
     - However, we also don't view a technology as value-neutral
     - Rather, some technologies are more suitable than others for supporting given values
   - Key task of VSD: investigate these "value suitabilities" (along with what values and whose values)
   © Batya Friedman 2003

10. VSD's Tripartite Methodology
   - Conceptual investigations
     - Philosophically informed analyses of the values and value conflicts involved in the system
   - Technical investigations
     - Identify existing or develop new technical mechanisms; investigate their suitability to support or not support the values we wish to further
   - Empirical investigations
     - Using techniques from the social sciences, investigate issues such as: Who are the stakeholders? Which values are important to them? How do they prioritize these values?
   - These are applied iteratively and integratively
   © Batya Friedman 2003

11. Direct and Indirect Stakeholders
   - Direct stakeholders: interact with the system being designed and its outputs
   - Indirect stakeholders: don't interact directly with the system, but are affected by it in significant ways
   © Batya Friedman 2003

12. Model of Informed Consent for Information Systems
   - Disclosure
   - Comprehension
   - Voluntariness
   - Competence
   - Agreement
   - Minimal Distraction
13. NS 3.04 Cookie Warning Dialog Box (screenshot)

14. NS 4.03 Cookie Settings (screenshot)

15. IE 4.0 Cookie Warning Dialog Box (screenshot)

16. IE 5.0 Custom Cookie Settings (screenshot)

17. The Unique Role of the Web Browser
   - Browser software mediates communication between a client (typically an end user) and a server
   - After a remote site has exercised a capability, the Web browser software has no control over what the remote site does with the information or other actions that the site may take.

18. The Unique Role of the Web Browser
   - With respect to informed consent
     - Disclosure:
       - Whether the user is notified about a server request
       - Harms / benefits?
     - Comprehension (to a large extent):
       - The browser controls the content of the notification (if any)
     - Agreement:
       - The user's opportunity to agree/decline to place a cookie (prompting)
       - Ongoing: how to withdraw from agreement (obscure locations)?

19. The Unique Role of the Web Browser
   - With respect to informed consent
     - Minimal distraction
       - IE: acceptance/declination of third-party cookies by the user (one by one)
     - Voluntariness?
       - Browser or website?
     - Competence (cookies)?
       - Browser or website?

20. Design Goals
   - Enhance users' local understanding of cookie events as the events occur, with minimal distraction to the user
     - Preset agreement policy that applies to all cookies of a specified type
       - Minimizes user distraction at the expense of rote decision-making, disclosure and comprehension
     - Explicitly accept or decline each cookie one at a time
       - Supports the criterion of disclosure, but at the expense of extreme distraction
     - Middle ground?

21. Design Goals
   - Enhance users' global understanding of the common uses of cookie technology
     - Including potential benefits and risks associated with those uses
     - A necessary piece of disclosure and comprehension

22. Design Goals
   - Enhance users' ability to manage cookies
     - Particularly with respect to the easy viewing of cookie information and ongoing control over the lifetime and removal of cookies.
     - Agreement is ongoing: the user had no easy means (1999 browser technology) to remove previously set cookies and thereby revoke consent
   - Achieve design goals 1, 2 and 3 while minimizing distraction for the user
23-27. (Screenshots) © Batya Friedman 2003

30. Renamed to "Cookie-Panel"
   - https://addons.mozilla.org/extensions/moreinfo.php?id=1375

31. Secure Connections: Informing through interaction design

32. Secure Connections: Different Evidences
   For a suspicious (!) site, the address bar turns yellow and displays a warning label but still allows data entry.
   "... we turn the entire address bar a bright shade of yellow at secure sites. It's impossible to miss; the connection with the page 'is clear' because it highlights the page address; and it's 'obvious' what it means because it's punctuated by a large lock" - Blake Ross
   (Screenshots: Firefox, IE 7 Beta)

33. Secure Connections: Your opinion?
   (Screenshots of the indicator that fits in the status bar, IE 6)
   - No encryption
   - Secure connection (certificate is OK)
   - "Secure" connection (problem with certificate)

34. GMail: Questions related to Informed Consent
   - Machines reading personal content
     - "... a privacy violation concerns the act of intrusion upon the self, independent of the state of mind (or knowledge) of the intruder" - Edward Bloustein
     - Spam filters?
   - Indirect stakeholders
     - Targeted advertisements should not be allowed without the consent of all parties involved in an email exchange. Gmail does not obtain the consent of the email sender. How could it?
     - Automatic reply: once (the first time) and for all, make the sender agree to the Gmail TOS (something similar to mailblocks.com for verifying that an email was sent by a human)
35. Hardening Web Browsers Against Man in the Middle and Eavesdropping Attacks
   Haidong Xia and Jose Carlos Brustoloni

36. Usability of Web Browser security
   - Man-In-The-Middle (MITM) attacks
   - Eavesdropping attacks
   - Several tools available

37. Man-In-The-Middle (MITM) attacks
   - The public keys of major CAs (e.g., Verisign) are embedded in many client applications (e.g., Web browsers).

38. Common sources of certificate verification failure
   - The browser may not know the public key of the CA that issued the server's certificate
     - Internal web server (used only by members of the organization)
     - Own CA: public key installed in the browser (no verification errors)
     - Large number of users / user-owned computers
   - The issuer's or the server's certificate may be expired

39. Common sources of certificate verification failure
   - The server may have presented a certificate whose common name field does not match the server's fully qualified domain name
     - An attacker can use his own identity to obtain a CA-generated certificate
     - An attacker may have stolen the certificate (along with the private key)
     - Mismatches at the subdomain level are not very risky (unless a very sophisticated attack is mounted)
       - Allow the user to proceed
     - Other cases are more serious
       - Ch. 28

40. Common sources of certificate verification failure (screenshot)

41. Common sources of certificate verification failure (screenshot)

42. Context Sensitive Certificate Verification (CSCV)
   - Clarify the relationship between the user and the server's (non-verified) certificate
     - Do not give the user override mechanisms
   - Distribute signed certificates of the internal servers out of band
   - Take advantage of typically unused certificate fields:
     - CA's contact information (field: issuer alternative name)
     - CA administrator's name, address, telephone and fax numbers, and work hours.

43. Context Sensitive Certificate Verification (screenshot)
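The following is an added example (not code from the slides or from Xia and Brustoloni's paper) that maps a certificate onto the failure sources of slides 38-39 and applies the context-sensitive policy of slide 42: only a subdomain-level name mismatch is overridable, and an unknown CA surfaces the contact details carried in the issuer alternative name. The trust store, the sample certificates, the two-label "parent domain" rule and all function names are assumptions.

```python
from datetime import datetime, timezone

# Constructed trust store: CA names whose public keys this browser
# already carries (the slides' "embedded public keys of major CAs").
TRUSTED_CAS = {"Example Public CA"}
NOW = datetime(2006, 3, 21, tzinfo=timezone.utc)  # date of the talk


def hostname_mismatch_level(cert_cn, host):
    """'none' if the common name matches the host, 'subdomain' if the
    two differ only in labels left of a shared two-label parent domain
    (a simplification of real public-suffix rules), else 'other'."""
    cn = cert_cn.lower().rstrip(".").split(".")
    hn = host.lower().rstrip(".").split(".")
    if cn == hn:
        return "none"
    if len(cn) >= 2 and len(hn) >= 2 and cn[-2:] == hn[-2:]:
        return "subdomain"
    return "other"


def classify_failure(cert, host, now=NOW, trusted_cas=TRUSTED_CAS):
    """Map a certificate to the failure sources the slides list."""
    reasons = []
    if cert["issuer"] not in trusted_cas:
        reasons.append("unknown_ca")
    if not (cert["not_before"] <= now <= cert["not_after"]):
        reasons.append("expired")
    level = hostname_mismatch_level(cert["common_name"], host)
    if level != "none":
        reasons.append("cn_mismatch_" + level)
    return reasons


def cscv_decision(cert, host, now=NOW, trusted_cas=TRUSTED_CAS):
    """Context-sensitive verdict: the user may proceed only past a lone
    subdomain-level name mismatch; an unknown CA is not overridable and
    instead points at the CA contact from the issuer alternative name."""
    reasons = classify_failure(cert, host, now, trusted_cas)
    if not reasons:
        return "connect", "certificate verified"
    if reasons == ["cn_mismatch_subdomain"]:
        return "proceed_with_warning", "name differs from %s only at subdomain level" % host
    if "unknown_ca" in reasons:
        contact = cert.get("issuer_alt_name", "no CA contact in certificate")
        return "block", "unknown CA; obtain its certificate out of band (%s)" % contact
    return "block", "; ".join(reasons)


# Constructed certificates mirroring the study's first two sites.
INTERNAL_CERT = {  # issued by the university's own CA
    "issuer": "Univ Internal CA", "common_name": "points.univ.example",
    "issuer_alt_name": "ca-admin@univ.example, +1 555 0100, Mon-Fri 9-17",
    "not_before": datetime(2005, 1, 1, tzinfo=timezone.utc),
    "not_after": datetime(2007, 1, 1, tzinfo=timezone.utc),
}
BOGUS_CERT = {  # e-merchant presenting a certificate issued for another name
    "issuer": "Example Public CA", "common_name": "shop.other.example",
    "not_before": datetime(2005, 1, 1, tzinfo=timezone.utc),
    "not_after": datetime(2007, 1, 1, tzinfo=timezone.utc),
}
```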
46. Specific Password Warnings (SPW)
   - Helps prevent eavesdropping
   - Allows overriding

47. Specific Password Warnings (screenshot)

48. Specific Password Warnings (screenshot)
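As an added example (not the modified Firebird code from the paper), the check below does what a specific password warning has to do before a form is submitted: find forms that carry a password field, resolve where they would submit to, and flag any target that is not https unless the user has already overridden that host. The sample page, which stands in for the study's HTTP-only webmail site, and all names are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormScanner(HTMLParser):
    """Record, for every <form>, its action and whether it contains a
    password field (hypothetical helper, not from the paper)."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._open = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._open = {"action": a.get("action") or "", "password": False}
            self.forms.append(self._open)
        elif tag == "input" and self._open is not None:
            if (a.get("type") or "").lower() == "password":
                self._open["password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._open = None


def password_forms_at_risk(page_url, html, overrides=frozenset()):
    """Return the submission URLs of password forms whose target is not
    https, skipping hosts the user has explicitly overridden.  The test
    is on the form's target, so an https page posting to http still warns."""
    scanner = _FormScanner()
    scanner.feed(html)
    at_risk = []
    for form in scanner.forms:
        if not form["password"]:
            continue
        target = urljoin(page_url, form["action"])  # relative actions allowed
        parts = urlsplit(target)
        if parts.scheme != "https" and parts.hostname not in overrides:
            at_risk.append(target)
    return at_risk


# Constructed webmail login page, like the study's third (HTTP-only) site.
WEBMAIL_URL = "http://mail.univ.example/login"
WEBMAIL_HTML = """
<form action="/auth" method="post">
  <input name="user"><input type="password" name="pw">
</form>
<form action="https://mail.univ.example/search"><input name="q"></form>
<form action="https://sso.univ.example/auth" method="post">
  <input type="password" name="pw">
</form>
"""
```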
49. User Studies
   - Computer-literate users (CLU)
   - Evaluate:
     - Likelihood of a successful attack in representative security-sensitive Web applications
     - Possibility of "foolproofing" web browsers, so they can be used securely even by untrained CLUs
     - Can education about the relevant security principles, attacks, and tools improve the security of how users browse the Web?
       - Note: this last hypothesis is not covered in this presentation

50. Study's Design
   - 17 participants (majors from Pitt's CS department)
   - Two studies:
     - Unmodified browser (IE)
     - Modified Mozilla Firebird 0.6.1 with CSCV and SPW
   - No feedback given between these two studies

51. Study's Design
   - Visit three fictional but realistic Web sites where students were assigned password-protected accounts
   - The first site: maintained by the students' university.
     - It allows students to monitor their respective reward points (earned by doing well in exams, independent studies, etc.)
     - HTTPS + certificate issued by an internal CA
   - The second site: maintained by a remote e-merchant not affiliated with the university.
     - Students can spend their reward points (e.g. to buy books, CDs, etc.)
     - HTTPS + bogus certificate
   - The third site provides access to users' Web email accounts
     - HTTP only (no certificate)

52. Study's Design (scoring)

   Score (points)   User's action
   100              Chose not to access the 2nd and 3rd sites insecurely
   100              Correctly obtained and installed the issuing CA's certificate
   50               Simply did not visit the site insecurely
   0                Accessed a site despite the lack of security

53. Study's Results
   - With current users and Web browsers, the mentioned attacks are alarmingly likely to succeed.
     - More often than not, users' behavior defeats the existing Web security mechanisms.
   - CSCV blocked MITM attacks against HTTPS-based applications completely.
   - SPW greatly reduced the insecure transmission of passwords in an HTTP-based application
   - Although untrained, users had little trouble using CSCV and SPW.

54. Participation

55. Disagreements about Secure Connections
   - Propose some ideas for representing secure connections in web browsers

56. Thank you!