Web browser privacy and security (I)
March 21st, 2006
Ricardo Villamarin-Salomon
Outline
♦ Web Browser Insecurity
♦ Informed Consent by Design
♦ Hardening Web Browsers Against Man in the Middle and Eavesdropping Attacks
♦ Participation
17-500
Web Browser Insecurity
♦ Targeted attacks on Web applications and Web browsers are increasingly becoming the focal point for cyber criminals.
  - Traditional attack activity: motivated by curiosity and a desire to show off technical virtuosity
  - Current threats are motivated by profit: identity theft, extortion, and fraud, for financial gain.
Worry-free web?
[Chart of browser vulnerabilities. Source: secunia.com, 2006-March-19. Original idea: ZDNet.com; revision & update (March 2006): me]
Web Browser vulnerabilities, vendor confirmed
[Chart. Source: Symantec Internet Security Threat Report (Vol. IX)]

Web Browser vulnerabilities, confirmed & non-confirmed by vendor
[Chart. Source: Symantec Internet Security Threat Report (Vol. IX)]
Some Common Vulnerabilities (CERT)
♦ ActiveX Controls
♦ Java applets (bypassing of sandbox’s restrictions)
♦ Cross-Site Scripting (mainly faults of web sites)
  - e.g., http://host.com/modules.php?op=modload&name=XForum&file=[hostilejavascript]&fid=2
♦ Cross-Zone and Cross-Domain Vulnerabilities
  - Prevention of a web site from accessing data in a different domain (or zone) is broken
♦ Malicious Scripting, Active Content, and HTML
♦ Spoofing
  - As it relates to web browsers, spoofing is a term used to describe methods of faking various parts of the browser user interface.
Informed Consent for Information Systems
Batya Friedman, Peyina Lin, and Jessica K. Miller
Value Sensitive Design
♦ Design of Information and Computer Systems that accounts for human values
♦ Value Sensitive Design is an interactional theory
  - In general, we don’t view values as inherent in a given technology
  - However, we also don’t view a technology as value-neutral
  - Rather, some technologies are more suitable than others for supporting given values
♦ Key task of VSD: Investigate these “value suitabilities” (along with what values and whose values)
© Batya Friedman 2003
VSD’s Tripartite Methodology
♦ Conceptual investigations
  - Philosophically informed analyses of the values and value conflicts involved in the system
♦ Technical investigations
  - Identify existing or develop new technical mechanisms; investigate their suitability to support or not support the values we wish to further
♦ Empirical investigations
  - Using techniques from the social sciences, investigate issues such as: Who are the stakeholders? Which values are important to them? How do they prioritize these values?
♦ These are applied iteratively and integratively
Direct and Indirect Stakeholders
♦ Direct stakeholders: Interact with the system being designed and its outputs
♦ Indirect stakeholders: Don’t interact directly with the system, but are affected by it in significant ways
Model of Informed Consent for Information Systems
1. Disclosure
2. Comprehension
3. Voluntariness
4. Competence
5. Agreement
6. Minimal Distraction
NS 3.04 Cookie Warning Dialog Box [screenshot]
NS 4.03 Cookie Settings [screenshot]
IE 4.0 Cookie Warning Dialog Box [screenshot]
IE 5.0 Custom Cookie Settings [screenshot]
The Unique Role of the Web Browser
♦ Browser software mediates communication between a client (typically an end user) and a server
♦ After a remote site has exercised a capability, the Web browser software has no control over what the remote site does with the information or other actions that the site may take.
The Unique Role of the Web Browser
♦ With respect to Informed Consent
  - Disclosure:
    · Whether the user is notified about a server request
    · Harms / Benefits?
  - Comprehension (to a large extent):
    · Controls the content of the notification (if any)
  - Agreement:
    · User’s opportunity to agree/decline to place a cookie (prompting)
    · Ongoing: how to withdraw from agreement (obscure locations)?
  - Minimal distraction:
    · IE: acceptance/declination of third party cookies by the user (one by one)
  - Voluntariness? Browser or Website?
  - Competence (cookies)? Browser or Website?
Design Goals
1. Enhance users’ local understanding of cookie events as the events occur, with minimal distraction to the user
  - Preset agreement policy that applies to all cookies of a specified type: minimizes user distraction at the expense of rote decision-making, disclosure and comprehension
  - Explicitly accept or decline each cookie one at a time: supports the criterion of disclosure but at the expense of extreme distraction
  - Middle ground?
Design Goals
2. Enhance users’ global understanding of the common uses of cookie technology
  - Including potential benefits and risks associated with those uses
  - A necessary piece of disclosure and comprehension
Design Goals
3. Enhance users’ ability to manage cookies
  - Particularly with respect to the easy viewing of cookie information and on-going control over the lifetime and removal of cookies.
  - Agreement is ongoing: the user had no easy means (1999 browser technology) to remove the previously set cookies and thereby revoke consent
4. Achieve design goals 1, 2 and 3 while minimizing distraction for the user
Renamed to “Cookie-Panel”
♦ https://addons.mozilla.org/extensions/moreinfo.php?id=1375
Secure Connections
♦ Informing through interaction design
Secure Connections: Different Evidences
… we turn the entire address bar a bright shade of yellow at secure sites
1. It's impossible to miss;
2. the connection with the page “is clear” because it highlights the page address;
3. and it's “obvious” what it means because it's punctuated by a large lock
- Blake Ross
[Screenshots: Firefox address bar; IE 7 Beta address bar]
IE 7 Beta: for a suspicious (!) site, the Address bar turns yellow and displays a warning label but still allows data entry
Secure Connections: Your opinion?
[Screenshots of browser indicators:]
- No encryption
- Secure Connection (Certificate is OK)
- “Secure” Connection (Problem with Certificate)
- Fits in the status bar (IE 6)
GMail: Questions related to Informed Consent
♦ Machines reading personal content
  - … a privacy violation concerns the act of intrusion upon the self, independent of the state of mind (or knowledge) of the intruder - Edward Bloustein
  - Spam filters?
♦ Indirect stakeholders
  - Targeted advertisements should not be allowed without the consent of all parties involved in an email exchange. Gmail does not obtain the consent of the email sender. How?
  - Automatic reply: once (the first time) and for all, make the sender agree with the Gmail TOS (something similar to mailblocks.com for verifying that an email was sent by a human)
Hardening Web Browsers Against Man in the Middle and Eavesdropping Attacks
Haidong Xia and Jose Carlos Brustoloni
Usability of Web Browser security
♦ Man-In-The-Middle (MITM) attacks
♦ Eavesdropping attacks
♦ Several tools available
Man-In-The-Middle (MITM) attacks
♦ The public keys of major CAs (e.g., Verisign) are embedded in many client applications (e.g., Web browsers).
Common sources of Ct. verification failure
1. The browser may not know the public key of the CA that issued the server’s certificate
  - Internal web server (used only by members of the organization)
  - Own CA: public key installed in browser (no verification errors)
  - Large number of users / user-owned computer
2. Issuer’s or the server’s certificate may be expired
Common sources of Ct. verification failure
3. Server may have presented a certificate whose common name field does not match the server’s fully qualified domain name
  ♦ Attacker can use his own identity with a CA generated certificate
  ♦ Attacker may have stolen the Ct. (along with the private key)
  ♦ Mismatches at subdomain level not very risky (unless a very sophisticated attack is mounted)
  ♦ Other cases more serious
  ♦ Allow user to proceed
Ch. 28
Common sources of Ct. verification failure [screenshot]
Common sources of Ct. verification failure [screenshot]
Context Sensitive Certificate Verification
♦ Clarify the relationship between the user and the server’s (non-verified) certificate
  - Not giving the user override mechanisms
♦ Distribute signed certificates of the internal servers out of band
♦ Take advantage of typically unused Ct. fields:
  - CA’s contact information (field: issuer alternative name)
  - CA administrator’s name, address, telephone and fax numbers, and work hours.
Context Sensitive Certificate Verification [screenshots]
Specific Passwords Warnings
♦ Helps prevent eavesdropping
♦ Allow overriding
[Screenshots: Specific Passwords Warnings dialogs]
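How a specific password warning decides when to fire, as an added Go example that is not the paper's SPW code: the form's action attribute is resolved against the page URL the way a browser does (empty, relative and scheme-relative actions included), the warning fires only when a password field would be posted to a non-HTTPS URL, and the override the slide mentions is remembered per host so the user is not asked again for that site. All URLs and host names are constructed.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Warner is a miniature specific-password warning: it flags a password about to
// leave over plain HTTP and remembers the hosts for which the user chose to proceed.
type Warner struct {
	overridden map[string]bool
}

func NewWarner() *Warner { return &Warner{overridden: map[string]bool{}} }

// resolveAction turns a form's action attribute into the absolute submission URL
// the way a browser does: an empty action means the page itself; relative and
// scheme-relative ("//host/path") actions resolve against the page URL.
func resolveAction(pageURL, action string) (*url.URL, error) {
	page, err := url.Parse(pageURL)
	if err != nil {
		return nil, err
	}
	action = strings.TrimSpace(action)
	if action == "" {
		return page, nil
	}
	ref, err := url.Parse(action)
	if err != nil {
		return nil, err
	}
	return page.ResolveReference(ref), nil
}

// Check decides whether submitting the form should trigger the warning: it returns
// true plus the warning text when a password field would travel in the clear to a
// host the user has not overridden, and false otherwise.
func (w *Warner) Check(pageURL, action string, hasPasswordField bool) (warn bool, msg string, err error) {
	if !hasPasswordField {
		return false, "", nil
	}
	target, err := resolveAction(pageURL, action)
	if err != nil {
		return false, "", err
	}
	if strings.EqualFold(target.Scheme, "https") || w.overridden[strings.ToLower(target.Host)] {
		return false, "", nil
	}
	scheme := strings.ToUpper(target.Scheme)
	if scheme == "" {
		scheme = "no scheme"
	}
	msg = fmt.Sprintf("The password you are about to send to %s will travel unencrypted (%s) and could be read by anyone on the path.",
		target.Host, scheme)
	return true, msg, nil
}

// Override records the user's decision to proceed for host despite the warning.
func (w *Warner) Override(host string) { w.overridden[strings.ToLower(host)] = true }

func main() {
	w := NewWarner()
	fmt.Println(w.Check("http://mail.example.test/login", "/auth", true))
}
```

The downgrade case is the one worth noting: a page served over HTTPS whose login form posts to an http:// URL still sends the password in the clear, so the check looks at the resolved submission URL rather than at the page's own scheme.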
User Studies
♦ Computer literate users (CLU)
♦ Evaluate:
  - Likelihood of successful attack in representative security-sensitive Web applications
  - Possibility of “foolproofing” web browsers, so they can be used securely even by untrained CLUs
  - Can education about the relevant security principles, attacks, and tools improve the security of how users browse the Web?
    Note: This last hypothesis is not covered in this presentation
Study’s Design
♦ 17 participants (majors from Pitt’s CS department)
♦ Two studies:
  - Unmodified browser (IE)
  - Modified Mozilla Firebird 0.6.1 with CSCV and SPW
♦ No feedback given between these two studies
Study’s Design
♦ Visit three fictional but realistic Web sites where students were assigned password protected accounts
♦ The first site: maintained by the students’ university. It allows students to monitor their respective reward points (earned by doing well in exams, independent studies, etc.)
  - HTTPS + certificate issued by internal CA
♦ The second site: maintained by a remote e-merchant not affiliated with the University. Students can spend their reward points (e.g. to buy books, CDs, etc.)
  - HTTPS + bogus certificate
♦ The third site provides access to users’ Web email accounts
  - HTTP only (no certificate)
Study’s Design
User’s Action                                                    Score (points)
Accessed a site despite lack of security                         0
Simply did not visit the site insecurely                         50
Correctly obtained and installed the issuing CA’s certificate    100
Chose not to access the 2nd and 3rd site insecurely              100
Study’s Results
♦ With current users and Web browsers, the mentioned attacks are alarmingly likely to succeed.
  - More often than not, users’ behavior defeats the existing Web security mechanisms.
♦ CSCV blocked MITM attacks against HTTPS-based applications completely.
♦ SPW greatly reduced the insecure transmission of passwords in an HTTP-based application.
♦ Although untrained, users had little trouble using CSCV and SPW.
Participation
Disagreements about Secure Connections
♦ Propose some ideas for representing secure connections in web browsers

Thank you!