Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Web browser privacy and security


Published on

Published in: Economy & Finance, Technology
  • Dating for everyone is here: ♥♥♥ ♥♥♥
    Are you sure you want to  Yes  No
    Your message goes here
  • Dating direct: ❶❶❶ ❶❶❶
    Are you sure you want to  Yes  No
    Your message goes here
  • Hi there! Get Your Professional Job-Winning Resume Here - Check our website!
    Are you sure you want to  Yes  No
    Your message goes here
  • nice ppt ..sir can you send me this ppt on my email
    Are you sure you want to  Yes  No
    Your message goes here

Web browser privacy and security

  1. 1. Web browser privacy and security (I) March 21 st , 2006 Ricardo Villamarin-Salomon
  2. 2. Outline <ul><li>Web Browser In security </li></ul><ul><li>Informed Consent by Design </li></ul><ul><li>Hardening Web Browsers Against Man in the Middle and Eavesdropping Attacks </li></ul><ul><li>Participation </li></ul>
  3. 3. Web Browser Insecurity <ul><li>Targeted attacks on Web applications and Web browsers are increasingly becoming the focal point for cyber criminals. </li></ul><ul><ul><li>Traditional attack activity : motivated by curiosity and a desire to show off technical virtuosity </li></ul></ul><ul><ul><li>Current threats are motivated by profit: identity theft, extortion, and fraud, for financial gain. </li></ul></ul>
  4. 4. Source : Date: 2006-March-19 Original Idea : Revision & Update (March 2006) : me Worry-free web?
  5. 5. Web Browser vulnerabilities, vendor confirmed Source: Symantec Internet Security Threat Report (Vol. IX)
  6. 6. Web Browser vulnerabilities, confirmed & non-confirmed by vendor Source: Symantec Internet Security Threat Report (Vol. IX)
  7. 7. Some Common Vulnerabilities (CERT) <ul><li>ActiveX Controls </li></ul><ul><li>Java applets (bypassing of sandbox’s restrictions) </li></ul><ul><li>Cross-Site Scripting (mainly faults of web sites) </li></ul><ul><ul><li>e.g, [hostilejavascript] &fid=2 </li></ul></ul><ul><li>Cross-Zone and Cross-Domain Vulnerabilities </li></ul><ul><ul><li>Prevention of a web site from accessing data in a different domain (or zone) is broken </li></ul></ul><ul><li>Malicious Scripting, Active Content, and HTML </li></ul><ul><li>Spoofing As it relates to web browsers, spoofing is a term used to describe methods of faking various parts of the browser user interface. </li></ul>
  8. 8. Informed Consent for Information Systems Batya Friedman, Peyina Lin, and Jessica K. Miller
  9. 9. Value Sensitive Design <ul><li>Design of Information and Computer Systems that accounts for human values </li></ul><ul><li>Value Sensitive Design is an interactional theory </li></ul><ul><ul><li>In general, we don’t view values as inherent in a given technology </li></ul></ul><ul><ul><li>However, we also don’t view a technology as value-neutral </li></ul></ul><ul><ul><li>Rather, some technologies are more suitable than others for supporting given values </li></ul></ul><ul><li>Key task of VSD: Investigate these “value suitabilities” (along with what values and whose values) </li></ul>© Batya Friedman 2003
  10. 10. VSD’s Tripartite Methodology <ul><li>Conceptual investigations </li></ul><ul><ul><li>Philosophically informed analyses of the values and value conflicts involved in the system </li></ul></ul><ul><li>Technical investigations </li></ul><ul><ul><li>Identify existing or develop new technical mechanisms; investigate their suitability to support or not support the values we wish to further </li></ul></ul><ul><li>Empirical investigations </li></ul><ul><ul><li>Using techniques from the social sciences, investigate issues such as: Who are the stakeholders? Which values are important to them? How do they prioritize these values? </li></ul></ul><ul><li>These are applied iteratively and integratively </li></ul>© Batya Friedman 2003
  11. 11. Direct and Indirect Stakeholders <ul><li>Direct stakeholders: Interact with the system being designed and its outputs </li></ul><ul><li>Indirect stakeholders: Don’t interact directly with the system, but are affected by it in significant ways </li></ul>© Batya Friedman 2003
  12. 12. Model of Informed Consent for Information Systems <ul><li>Disclosure </li></ul><ul><li>Comprehension </li></ul><ul><li>Voluntariness </li></ul><ul><li>Competence </li></ul><ul><li>Agreement </li></ul><ul><li>Minimal Distraction </li></ul>
  13. 13. NS 3.04 Cookie Warning Dialog Box
  14. 14. NS 4.03 Cookie Settings
  15. 15. IE 4.0 Cookie Warning Dialog Box
  16. 16. IE 5.0 Custom Cookie Settings
  17. 17. The Unique Role of the Web Browser <ul><li>Browser software mediates communication between a client (typically an end user) and a server </li></ul><ul><li>After a remote site has exercised a capability, the Web browser software has no control over what the remote site does with the information or other actions that the site may take. </li></ul>
  18. 18. The Unique Role of the Web Browser <ul><li>With respect to Information Consent </li></ul><ul><ul><li>Disclosure: </li></ul></ul><ul><ul><ul><li>Whether the user is notified about a server request </li></ul></ul></ul><ul><ul><ul><li>Harms / Benefits? </li></ul></ul></ul><ul><ul><li>Comprehension: (to a large extent) </li></ul></ul><ul><ul><ul><li>Controls the content of the notification (if any) </li></ul></ul></ul><ul><ul><li>Agreement: </li></ul></ul><ul><ul><ul><li>User’s opportunity to agree/decline to place a cookie (prompting) </li></ul></ul></ul><ul><ul><ul><li>Ongoing : how to withdraw from agreement (obscure locations)? </li></ul></ul></ul>
  19. 19. The Unique Role of the Web Browser <ul><li>With respect to Information Consent </li></ul><ul><ul><li>Minimal distraction </li></ul></ul><ul><ul><ul><li>IE: acceptance/declination of third party cookies by the user (one by one) </li></ul></ul></ul><ul><ul><li>Voluntariness? </li></ul></ul><ul><ul><ul><li>Browser or Website? </li></ul></ul></ul><ul><ul><li>Competence (cookies)? </li></ul></ul><ul><ul><ul><li>Browser or Website? </li></ul></ul></ul>
  20. 20. Design Goals <ul><li>Enhance users’ local understanding of cookie events as the events occur with minimal distraction to the user </li></ul><ul><ul><li>Preset agreement policy that applies to all cookies of a specified type </li></ul></ul><ul><ul><ul><li>Minimizes user distraction at the expense of rote decision-making, disclosure and comprehension </li></ul></ul></ul><ul><ul><li>Explicitly accept or decline each cookie one at a time </li></ul></ul><ul><ul><ul><li>Supports the criterion of disclosure but at the expense of extreme distraction </li></ul></ul></ul><ul><ul><li>Middle ground? </li></ul></ul>
  21. 21. Design Goals <ul><li>Enhance users’ global understanding of the common uses of cookie technology </li></ul><ul><ul><li>Including potential benefits and risks associated with those uses </li></ul></ul><ul><ul><li>A necessary piece of disclosure and comprehension </li></ul></ul>
  22. 22. Design Goals <ul><li>Enhance users’ ability to manage cookies </li></ul><ul><ul><li>Particularly with respect to the easy viewing of cookie information and on-going control over the lifetime and removal of cookies. </li></ul></ul><ul><ul><li>Agreement is ongoing: the user had no easy means (1999 browser technology) to remove the previously set cookies and thereby revoke consent </li></ul></ul><ul><li>Achieve design goals 1, 2 and 3 while minimizing distraction for the user </li></ul>
  23. 23. © Batya Friedman 2003
  24. 24. © Batya Friedman 2003
  25. 25. © Batya Friedman 2003
  26. 26. © Batya Friedman 2003
  27. 27. © Batya Friedman 2003
  28. 30. Renamed to “Cookie-Panel” <ul><li> </li></ul>
  29. 31. <ul><li>Informing through interaction Design </li></ul>Secure Connections
  30. 32. Secure Connections: Different Evidences For a suspicious (!) site, the Address bar turns yellow and displays a warning label but still allows data entry <ul><li>… we turn the entire address bar a bright shade of yellow at secure sites </li></ul><ul><li>It's impossible to miss; </li></ul><ul><li>the connection with the page “ is clear ” because it highlights the page address; </li></ul><ul><li>and it's “ obvious ” what it means because it's punctuated by a large lock </li></ul><ul><li>- Blake Ross .. </li></ul>Firefox IE 7 Beta
  31. 33. Secure Connections: Your opinion? Fits in the status bar (IE 6) No encryption Secure Connection (Certificate is OK) “ Secure” Connection (Problem with Certificate)
  32. 34. GMail: Questions related to Informed Consent <ul><li>Machines reading personal content </li></ul><ul><ul><li>… a privacy violation concerns the act of intrusion upon the self, independent of the state of mind (or knowledge) of the intruder - Edward Bloustein </li></ul></ul><ul><ul><li>Spam filters? </li></ul></ul><ul><li>Indirect stakeholders </li></ul><ul><ul><li>targeted advertisements should not be allowed without the consent of all parties involved in an email exchange. Gmail does not obtain the consent of the email sender. How? </li></ul></ul><ul><ul><li>Automatic reply: once (the first time) and for all make the sender agree with Gmail TOS (something similar to for verifying that an email was sent by a human) </li></ul></ul>
  33. 35. Hardening Web Browsers Against Man in the Middle and Eavesdropping Attacks Haidong Xia and Jose Carlos Brustoloni
  34. 36. Usability of Web Browser security <ul><li>Man-In-The-Middle (MITM) attacks </li></ul><ul><li>Eavesdropping attacks </li></ul><ul><li>Several tools available </li></ul>
  35. 37. Man-In-The-Middle (MITM) attacks <ul><li>The public keys of major CAs (e.g., Verisign) are embedded in many client applications (e.g.,Web browsers). </li></ul>
  36. 38. Common sources of Ct. verification failure <ul><li>The browser may not know the public key of the CA that issued the server’s certificate </li></ul><ul><ul><li>Internal web server (only by members of the organization) </li></ul></ul><ul><ul><li>Own CA: public key installed in browser (no verification errors) </li></ul></ul><ul><ul><li>Large number of users / User owned computer </li></ul></ul><ul><li>Issuer’s or the server’s certificate may be expired </li></ul>
  37. 39. Common sources of Ct. verification failure <ul><li>Server may have presented a certificate whose common name field does not match the server’s fully qualified domain name </li></ul><ul><ul><li>Attacker can use his own identity with a CA generated certificate </li></ul></ul><ul><ul><li>Attacker may have stolen the Ct. (along with the private key) </li></ul></ul><ul><ul><li>Mismatches at subdomain level not very risky (unless a very sophisticated attack is mounted) </li></ul></ul><ul><ul><ul><li>Allow user to proceed </li></ul></ul></ul><ul><ul><li>Other cases more serious </li></ul></ul><ul><ul><ul><li>Ch. 28 </li></ul></ul></ul>
  38. 40. Common sources of Ct. verification failure
  39. 41. Common sources of Ct. verification failure
  40. 42. Context Sensitive Certificate Verification <ul><li>Clarify the relationship between the user and the server’s (non verified) certificate </li></ul><ul><ul><li>Not giving the user override mechanisms </li></ul></ul><ul><li>Distribute signed certificates of the internal servers out of band </li></ul><ul><li>Take advantage of typically unused Ct’s fields: </li></ul><ul><ul><li>CA’s contact information ( field: issuer alternative name ) </li></ul></ul><ul><ul><li>CA administrator’s name, address, telephone and fax numbers, and work hours. </li></ul></ul>
  41. 43. Context Sensitive Certificate Verification
  42. 46. Specific Passwords Warnings <ul><li>Helps prevent eavesdropping </li></ul><ul><li>Allow overriding </li></ul>
  43. 47. Specific Passwords Warnings
  44. 48. Specific Passwords Warnings
  45. 49. User Studies <ul><li>Computer literate users (CLU) </li></ul><ul><li>Evaluate: </li></ul><ul><ul><li>Likelihood of successful attack in representative security-sensitive Web applications </li></ul></ul><ul><ul><li>Possibility of “foolproofing” web browsers, so they can be used securely even by untrained CLUs </li></ul></ul><ul><ul><li>Can education about the relevant security principles, attacks, and tools improve the security of how users browse the Web? </li></ul></ul><ul><ul><ul><li>Note: This last hypothesis is not covered in this presentation </li></ul></ul></ul>
  46. 50. Study’s Design <ul><li>17 participants (majors from Pitt’s CS department) </li></ul><ul><li>Two studies: </li></ul><ul><ul><li>Unmodified browser (IE) </li></ul></ul><ul><ul><li>Modified Mozilla Firebird 0.6.1 with CSCV and SPW </li></ul></ul><ul><li>No feedback given between these two studies </li></ul>
  47. 51. Study’s Design <ul><li>Visit three fictional but realistic Web sites where students were assigned password protected accounts </li></ul><ul><li>The first site: maintained by the students’ university. </li></ul><ul><ul><li>It allows students to monitor the respective reward points (earned by doing well in exams, independent studies, etc.) </li></ul></ul><ul><ul><li>HTTPS + Certificate issued by internal CA </li></ul></ul><ul><li>The second site: m. by a remote e-merchant not affiliated with U. </li></ul><ul><ul><li>Students can spend their reward points, (e.g. to buy books, CDs, etc.) </li></ul></ul><ul><ul><li>HTTPS + bogus certificate </li></ul></ul><ul><li>The third site provides access to users’ Web email accounts </li></ul><ul><ul><li>HTTP only (no certificate) </li></ul></ul>
  48. 52. Study’s Design 100 Choosing not to access to 2nd and 3rd site insecurely 100 Correctly obtained and installed the issuing CA’s certificate 50 Simply did not visit the site insecurely 0 Access to a site despite lack of security Score (points) User’s Action
  49. 53. Study’s Results <ul><li>With current users and Web browsers, the mentioned attacks are alarmingly likely to succeed. </li></ul><ul><ul><li>More often than not, users’ behavior defeats the existing Web security mechanisms. </li></ul></ul><ul><li>CSCV blocked MITM attacks against HTTPS-based applications completely. </li></ul><ul><li>SPW greatly reduced the insecure transmission of passwords in an HTTP-based application </li></ul><ul><li>Although untrained, users had little trouble using CSCV and SPW. </li></ul>
  50. 54. Participation
  51. 55. Disagreements about Secure Connections <ul><li>Propose some ideas for representing secure connections in web browsers </li></ul>
  52. 56. Thank you!