web browser privacy and security (i) march 21 st, 2006 ricardo villamarin-salomon
Post on 24-Dec-2015
216 Views
Preview:
TRANSCRIPT
Web browser privacy Web browser privacy and security (I)and security (I)
March 21st, 2006
Ricardo Villamarin-SalomonRicardo Villamarin-Salomon
217-500
OutlineOutline
♦ Web Browser Insecurity
♦ Informed Consent by Design
♦ Hardening Web Browsers Against Man in the Middleand Eavesdropping Attacks
♦ Participation
317-500
Web Browser InsecurityWeb Browser Insecurity
♦ Targeted attacks on Web applications and Web browsers are increasingly becoming the focal point for cyber criminals.
Traditional attack activity : motivated by curiosity and a desire to show off technical virtuosity
Current threats are motivated by profit: identity theft, extortion, and fraud, for financial gain.
417-500
Source: secunia.com
Date: 2006-March-19
Original Idea: ZDNet.com
Revision & Update (March 2006): me
Worry-free web?
517-500
Web Browser vulnerabilities, vendor confirmedWeb Browser vulnerabilities, vendor confirmed
Source: Symantec Internet Security Threat Report (Vol. IX)
617-500
Web Browser vulnerabilities, Web Browser vulnerabilities, confirmed & non-confirmed by vendorconfirmed & non-confirmed by vendor
Source: Symantec Internet Security Threat Report (Vol. IX)
717-500
Some Common Vulnerabilities (CERT)Some Common Vulnerabilities (CERT)
♦ ActiveX Controls♦ Java applets (bypassing of sandbox’s restrictions)♦ Cross-Site Scripting (mainly faults of web sites)
e.g, http://host.com/modules.php?op=modload&name=XForum&file=[hostilejavascript]&fid=2
♦ Cross-Zone and Cross-Domain Vulnerabilities Prevention of a web site from accessing data in a different
domain (or zone) is broken♦ Malicious Scripting, Active Content, and HTML♦ Spoofing
As it relates to web browsers, spoofing is a term used to describe methods of faking various parts of the browser user interface.
Informed Consent for Informed Consent for Information SystemsInformation Systems
Batya Friedman, Peyina Lin, and Jessica K. Batya Friedman, Peyina Lin, and Jessica K. Miller Miller
917-500
Value Sensitive DesignValue Sensitive Design
♦ Design of Information and Computer Systems that accounts for human values
♦ Value Sensitive Design is an interactional theory In general, we don’t view values as inherent in a given
technology
However, we also don’t view a technology as value-neutral
Rather, some technologies are more suitable than others for supporting given values
♦ Key task of VSD: Investigate these “value suitabilities” (along with what values and whose values)
© Batya Friedman 2003
1017-500
VSD’s Tripartite MethodologyVSD’s Tripartite Methodology
♦ Conceptual investigations Philosophically informed analyses of the values and value
conflicts involved in the system
♦ Technical investigations Identify existing or develop new technical mechanisms;
investigate their suitability to support or not support the values we wish to further
♦ Empirical investigations Using techniques from the social sciences, investigate issues
such as: Who are the stakeholders? Which values are important to them? How do they prioritize these values?
♦ These are applied iteratively and integratively
© Batya Friedman 2003
1117-500
Direct and Indirect StakeholdersDirect and Indirect Stakeholders
♦ Direct stakeholders: Interact with the system being designed and its outputs
♦ Indirect stakeholders: Don’t interact directly with the system, but are affected by it in significant ways
© Batya Friedman 2003
1217-500
Model of Informed Consent Model of Informed Consent for Information for Information Systems Systems
1. Disclosure
2. Comprehension
3. Voluntariness
4. Competence
5. Agreement
6. Minimal Distraction
1317-500
NS 3.04 Cookie Warning Dialog BoxNS 3.04 Cookie Warning Dialog Box
1417-500
NS 4.03 Cookie SettingsNS 4.03 Cookie Settings
1517-500
IE 4.0 Cookie Warning Dialog Box
1617-500
IE 5.0 Custom Cookie Settings
1717-500
The Unique Role of the Web BrowserThe Unique Role of the Web Browser
♦ Browser software mediates communication between a client (typically an end user) and a server
♦ After a remote site has exercised a capability, the Web browser software has no control over what the remote site does with the information or other actions that the site may take.
1817-500
The Unique Role of the Web BrowserThe Unique Role of the Web Browser
♦ With respect to Information Consent
Disclosure: Whether the user is notified about a server request Harms / Benefits?
Comprehension: (to a large extent) Controls the content of the notification (if any)
Agreement: User’s opportunity to agree/decline to place a cookie
(prompting) Ongoing : how to withdraw from agreement (obscure
locations)?
1917-500
The Unique Role of the Web BrowserThe Unique Role of the Web Browser
♦ With respect to Information Consent
Minimal distraction IE: acceptance/declination of third party cookies by the
user (one by one)
Voluntariness? Browser or Website?
Competence (cookies)? Browser or Website?
2017-500
Design GoalsDesign Goals
1. Enhance users’ local understanding of cookie events as the events occur with minimal distraction to the user
Preset agreement policy that applies to all cookies of a specified type
Minimizes user distraction at the expense of rote decision-making, disclosure and comprehension
Explicitly accept or decline each cookie one at a time
Supports the criterion of disclosure but at the expense of extreme distraction
Middle ground?
2117-500
Design GoalsDesign Goals
2. Enhance users’ global understanding of the common uses of cookie technology
Including potential benefits and risks associated with those uses
A necessary piece of disclosure and comprehension
2217-500
Design GoalsDesign Goals
3. Enhance users’ ability to manage cookies
Particularly with respect to the easy viewing of cookie information and on-going control over the lifetime and removal of cookies.
Agreement is ongoing: the user had no easy means (1999 browser technology) to remove the previously set cookies and thereby revoke consent
4. Achieve design goals 1, 2 and 3 while minimizing distraction for the user
2317-500 © Batya Friedman 2003
2417-500 © Batya Friedman 2003
2517-500 © Batya Friedman 2003
2617-500 © Batya Friedman 2003
2717-500 © Batya Friedman 2003
2817-500
2917-500
3017-500
Renamed to “Cookie-Panel”Renamed to “Cookie-Panel”
♦ https://addons.mozilla.org/extensions/moreinfo.php?id=1375
3117-500
♦ Informing through interaction Design
Secure ConnectionsSecure Connections
3217-500
Secure Connections: Different EvidencesSecure Connections: Different Evidences
For a suspicious (!) site, the Address bar turns yellow and displays a warning label but still allows data entry
… we turn the entire address bar a bright shade of yellowyellow at secure sites1. It's impossible to miss; 2. the connection with the page “is clear” because it highlights the page address;3. and it's “obvious” what it means because it's punctuated by a large lock
- Blake Ross..
Firefox
IE 7 Beta
3317-500
Secure Connections: Your opinion?Secure Connections: Your opinion?
Fits in the status bar (IE 6)
No encryption
Secure Connection(Certificate is OK)
“Secure” Connection(Problem with Certificate)
3417-500
GMail: GMail: Questions related to Informed Consent Questions related to Informed Consent
♦ Machines reading personal content … a privacy violation concerns the act of intrusion upon the self,
independent of the state of mind (or knowledge) of the intruder - Edward Bloustein
Spam filters?
♦ Indirect stakeholders targeted advertisements should not be allowed without the
consent of all parties involved in an email exchange. Gmail does not obtain the consent of the email sender. How?
Automatic reply: once (the first time) and for all make the sender agree with Gmail TOS (something similar to mailblocks.com for verifying that an email was sent by a human)
Hardening Web Browsers Against Man in the Middleand Eavesdropping Attacks
Haidong Xia and Jose Carlos BrustoloniHaidong Xia and Jose Carlos Brustoloni
3617-500
Usability of Web Browser securityUsability of Web Browser security
♦ Man-In-The-Middle (MITM) attacks
♦ Eavesdropping attacks
♦ Several tools available
3717-500
Man-In-The-Middle (MITM) attacks Man-In-The-Middle (MITM) attacks
♦ The public keys of major CAs (e.g., Verisign) are embedded in many client applications (e.g.,Web browsers).
3817-500
Common sources of Ct. verification failureCommon sources of Ct. verification failure
1. The browser may not know the public key of the CA that issued the server’s certificate
Internal web server (only by members of the organization)
Own CA: public key installed in browser (no verification errors)
Large number of users / User owned computer
2. Issuer’s or the server’s certificate may be expired
3917-500
Common sources of Ct. verification failureCommon sources of Ct. verification failure
3. Server may have presented a certificate whose common name field does not match the server’s fully qualified domain name
♦ Attacker can use his own identity with a CA generated certificate
♦ Attacker may have stolen the Ct. (along with the private key)
♦ Mismatches at subdomain level not very risky (unless a very sophisticated attack is mounted)
♦ Allow user to proceed
♦ Other cases more serious
♦ Ch. 28
4017-500
Common sources of Ct. verification failureCommon sources of Ct. verification failure
4117-500
Common sources of Ct. verification failureCommon sources of Ct. verification failure
4217-500
Context Sensitive Certificate VerificationContext Sensitive Certificate Verification
♦ Clarify the relationship between the user and the server’s (non verified) certificate
Not giving the user override mechanisms
♦ Distribute signed certificates of the internal servers out of band
♦ Take advantage of typically unused Ct’s fields:
CA’s contact information (field: issuer alternative name)
CA administrator’s name, address, telephone and fax numbers, and work hours.
4317-500
Context Sensitive Certificate VerificationContext Sensitive Certificate Verification
4417-500
4517-500
4617-500
Specific Passwords WarningsSpecific Passwords Warnings
♦ Helps prevent eavesdropping♦ Allow overriding
4717-500
Specific Passwords WarningsSpecific Passwords Warnings
4817-500
Specific Passwords WarningsSpecific Passwords Warnings
4917-500
User StudiesUser Studies
♦ Computer literate users (CLU)
♦ Evaluate: Likelihood of successful attack in representative security-
sensitive Web applications
Possibility of “foolproofing” web browsers, so they can be used securely even by untrained CLUs
Can education about the relevant security principles, attacks, and tools improve the security of how users browse the Web?
Note: This last hypothesis is not covered in this presentation
5017-500
Study’s DesignStudy’s Design
♦ 17 participants (majors from Pitt’s CS department)
♦ Two studies:
Unmodified browser (IE)
Modified Mozilla Firebird 0.6.1 with CSCV and SPW
♦ No feedback given between these two studies
5117-500
Study’s DesignStudy’s Design
♦ Visit three fictional but realistic Web sites where students were assigned password protected accounts
♦ The first site: maintained by the students’ university. It allows students to monitor the respective reward points
(earned by doing well in exams, independent studies, etc.) HTTPS + Certificate issued by internal CA
♦ The second site: m. by a remote e-merchant not affiliated with U. Students can spend their reward points, (e.g. to buy books, CDs,
etc.) HTTPS + bogus certificate
♦ The third site provides access to users’ Web email accounts HTTP only (no certificate)
5217-500
Study’s DesignStudy’s Design
User’s Action Score (points)
Access to a site despite lack of security 0
Simply did not visit the site insecurely 50
Correctly obtained and installed the issuing CA’s certificate
100
Choosing not to access to 2nd and 3rd site insecurely
100
5317-500
Study’s ResultsStudy’s Results
♦ With current users and Web browsers, the mentioned attacks are alarmingly likely to succeed.
More often than not, users’ behavior defeats the existing Web security mechanisms.
♦ CSCV blocked MITM attacks against HTTPS-based applications completely.
♦ SPW greatly reduced the insecure transmission of passwords in an HTTP-based application
♦ Although untrained, users had little trouble using CSCV and SPW.
ParticipationParticipation
5517-500
Disagreements about Secure ConnectionsDisagreements about Secure Connections
♦ Propose some ideas for representing secure connections in web browsers
Thank you!Thank you!
top related