Web Browser Privacy and
Security
Part II
Outline
 Overview
 Browser Privacy and Security Research
 HCISec Bibliography
 Trusted Paths for Browsers
 Zishuang Ye, Sean Smith, Denise Anthony
 Informed Consent in the Mozilla Browser:
Implementing Value-Sensitive Design
 Batya Friedman, Daniel C Howe, Edward Felten
 Doppelganger: Better Browser Privacy Without the
Bother
 Umesh Shankar, Chris Karlof
 Discussion and Activity
Overview
 The web browser serves as a doorway to
the Internet for much of a typical user’s
online activity
 Browsers have the potential to impact on
the privacy and security of any action they
are used to complete
 Some of the most interesting areas are
where there is no clear cut answer
 Technology that has functionally beneficial uses
but gives up something in return
 Can (or should) these decisions be automated?
Web Browsers and Online Privacy
 Common privacy concerns come up when
simply browsing the web
 Sometimes, users are getting something in
return for the loss of privacy
 Personal information given to websites (creating
accounts/completing real world transactions)
 Cookies (remember usernames/preferences)
 Other times, no value is returned to the user for
their loss of privacy
 Tracking cookies
 Web bugs
 Traffic logs
Cookies
 Because cookies can be used
beneficially, disallowing their use is
not an acceptable solution
 People claim to want the browser to
seek their consent before giving up
information in this manner
 Asking every time is too intrusive and
annoying, and leads to users clicking
through without paying attention
Problems with Cookie Management
 Accept/Reject decision is not clear in
all cases
 Because the perceived risks are low,
very little action can be required on
the part of the user or they will
simply avoid using the tool
 Two proposed solutions later
Web Bugs and Traffic Logs
 Loading of remote image that doesn’t
impact visual layout of page
 Set 3rd party cookie
 Remote server can log event of image load
even if cookie is rejected
 However, there are lots of cases where we
want our browsers to load images and
display them to us
 Can be difficult to tell when this action is
beneficial and when it isn’t
Web Browsers and Online Security
 Confidentiality
 You should be able to exchange data
with the server without an eavesdropper
being able to intercept it
 Integrity
 No third-party should be able to modify
or corrupt your communications with the
server
 You must be able to correctly identify
the server you are interacting with
Web Browsers and Online Security
 Browsers provide common tools
enabling users to interact with remote
servers in a secure fashion
 Encrypted sessions (SSL)
 Signed Certificates
 However, the browser must then
communicate about these tools to the
end user
Trusted Path for Web Browsing
 Trusted Path
 From the remote web server to the user
 Malicious websites or third party
attackers should not be able to use your
browser to trick you
 Many common indicators needed to
establish the identity of the server can
be spoofed
Certificates
 Talked a lot about signed certificates
as an important part of creating a
Trusted Path to the user
 Goals
 Confidentiality and Integrity
 Establishes identity of remote server
 Does it accomplish these goals?
 Tuesday’s lecture
Web Browser Security
 Trusted Paths for Browsers
 Evaluation of browser methods for
establishing a trusted path to the
user
 Ability to masquerade as a site with a
different identity
 Ability to “spoof” the existence of a SSL
connection
Misleading website identity in
browsers
 Malicious sites trying to use a forged
identity are often related to phishing
attacks
 Simple impersonation attacks in the URL
itself
 www.paypai.com
 http://www.bloomberg.com@1234567/
 From a technical standpoint, there is
nothing wrong with these addresses, yet
they are intended to mislead
Misleading website identity in
browsers
 More elaborate impersonation attacks are
also possible using JavaScript
 Link appears to go to one site, but goes to
another instead
 New window with standard toolbars disabled,
replaced with spoofed ones displaying inaccurate
information
 Imposter site with JavaScript created interface
elements looks very similar to legitimate site
 Again, all technically legitimate JavaScript
commands, used with the intention of
misleading the user
Why does this work
 Browsers don’t make enough of a
distinction between site content and
browser status information
 A clear distinction needs to exist
 Users need to be able to easily perceive
this difference
 Status information should never be empty
 Status elements should be difficult to
impersonate
Approaches
 No Turnoff
 Make it impossible to disable elements
such as the location and status bars
 Overly restrictive of site display
 Customized Content
 Clearly label status material by using
customized styles or information that
would be difficult to spoof
 Requires some effort from user
 May not be noticed
Approaches – cont
 Metadata Titles
 Push some important status data into
the window title bar where it is more
difficult to modify
 Would users notice?
 Still vulnerable to window in window
 Metadata Windows
 Separate dedicated window for metadata
 Easy to Ignore
 Difficult to correlate with content elements
Approaches – cont
 Boundaries
 Use large colored boundaries to indicate
“trusted” status information from the
browser
 Window in window
 Compartmented Mode Workstation Style Approach
 Uses combination of metadata windows
and boundaries
Prototype
 Separate metadata window always open
 Displays color matching the security level of
the focus window
 Color mismatch of spoofed window will
warn users
 Synchronized random dynamic borders
switch all windows between inset and
outset shading styles at once to further
make window in window spoofs easier to
identify
Prototype – cont
 All windows labeled
 Colored boundaries are easy to
recognize
 Minimal user work required
 Minimal level of intrusiveness,
content unaffected
 Modified version of Mozilla browser
User Study
 Security signal was noticeable and
easy to learn to understand
 Presence of the reference window
made it easier to observe the
synchronization
 Dynamic boundaries much easier to
notice than static ones
 Displaying security signals without
requiring user action is more reliable
Value-Sensitive Design
 Informed Consent in the Mozilla Browser:
Implementing Value-Sensitive Design
 Shares work with Informed Consent by
Design – Chapter 24
 Many sites collecting information about
users do not explicitly inform them that
they are doing so
 Your browser is implicitly giving consent on
your behalf when accepting cookies
Informed Consent
 88% of users expressed that they wanted
sites to explicitly get their consent
 Elements of Informed Consent






Disclosure
Comprehension
Voluntariness
Competence
Agreement
Minimal Distraction
Minimal Distraction
 Why is this important?
 If overwhelmed with queries with low
perceived benefits and risks, attention to
each will become low
 After some threshold, users will simply
seek to disable the mechanism to avoid
the annoyances it presents
 In either of these cases, it is impossible
to maintain the other 5 properties
Prototype
 Iterative design, rapid prototyping,
user evaluations
 Enhancements to cookie manager
tool
 Additional cookie information
 Just-in-time interventions for cookie
events
 Difficult to tell which are actually
important to a user
Prototype – cont
 Instead of interrupting current work with
decisions, give peripheral notification
 Users can then identify themselves which events
are important and need their attention
 Cookie information box displays currently
set cookies on side of browser area
 Color and formatting in cookie information
dialog box make cookies easier to identify
 3rd party cookies in red
 Long cookie expiration durations bolded
 Cookie expiration durations for current session
in italics
User Study
 Increased awareness of cookie events
 More likely to respond to cookie
events
 More likely to make cookie
management actions
Web Browser Privacy
 Making decisions about the tradeoff of
privacy and functionality
 Most automated methods make mistakes
when compared to actual user
preferences
 Asking the user every time is annoying
 They will stop paying attention and make
mistakes themselves
 Who is better equipped to make the
decision? The user or the browser
Doppelganger
 Doppelganger: Better Browser Privacy
Without the Bother
 More fun with cookies!
 When deciding to accept a cookie or not,
users would like to compare the privacy
cost to the functionality benefit but are ill
equipped to do so
 Doppelganger aims to assist the user in
making these decisions and learn and make
simple generalizations of these rules to
remove later instances of repeated prompts
Goals
 Create a cookie policy that
 Protects privacy
 Maintains functionality
 Doesn’t hassle the user
 Doppelganger
 Firefox extension
 Mirrors session in hidden window
 Detects differences in sessions
Doppelganger
 Maintains “forked” session
 If there is no detected difference, cookies
are assumed to have no benefit and are
ignored
 If there is a difference, present it to the
user, give them information relevant to the
cookie and let them decide to accept or
reject
 Now has information necessary to make
informed functionality vs. privacy decision
Doppelganger
 “Fix Me” button for user-initiated repair
 Attempts to rewind and replay sequence of
actions with cookies on
 Needed incase no difference was detected and
cookies were automatically rejected
 Learns policies per domain
 Configuration modes allow for automatic
acceptance of 1st party session cookies
 Other modes allow for different trade off of
privacy and intrusiveness
Evaluation
 Simulated User
 Willing to give up privacy at some sites
 Yahoo!, Netflix, GMail
 Not willing to give up privacy at sites which they had
no relationship
 CNN, PCMagazine, etc
 5 Conditions
 All cookies enabled
 Reject 3rd party cookies
 Reject 3rd party cookies + Reject persistent cookies
 Ask user for every cookie
 Doppelganger
Measurements
 Number of sites whose cookies were
accepted
 Grouped by persistence and context
 Doesn’t directly measure privacy loss
 Inconveniences suffered by user
 Dialog boxes and prompts
 Lost functionality
 Looking for low values both times
 Set of common tasks was repeated three
times
Results
 Doppelganger had the best fit for accepted
cookies vs. lost functionality
 More prompts than the conditions that never
prompt
 Fewer prompts than the condition that always
prompts
 After the 2nd visit to any given site, no further
prompts were required for any of the test scripts
 After navigating prompts, there was no lost
functionality
 Required use of “Fix Me” button once upon
returning to a site that needed a persistent
cookie for functionality
Alternatives
 Most browsers allow users only very
coarse-grained control
 Allowing or blocking all cookies by category
 Session, 3rd party, All
 Allowing too many has negative privacy
implications
 Blocking too many has negative
functionality implications
 There are ways around the 3rd party blocks
 Redirect links
 IFrames
Alternatives – cont
 Many existing extensions and addons to
enhance cookie management






Cookie Button
Cookie Toggle
Permit Cookies
Add N Edit Cookies
Cookie Culler
View Cookies
 But they still focus on the low level task of
cookie management
Alternatives – cont
 Acumen
 Social Approaches to End-User Privacy
Management – Chapter 25
 Social Recommendations
 Simple threshold rules
 Makes some steps in the right direction
to move action away from low level tasks
Firefox Extensions
164 Extensions in the Security and
Privacy Section at mozilla.org
Site Identity
Site Identity
Privacy
Privacy
Why Extensions?
 Why aren’t these built into the default
behavior of browsers?
 Chances are, users won’t take the proactive
action required of going out to acquire these
tools
 Highest risk users likely not aware of their
existence
 They all make tradeoffs
 User effort
 Distractions
 Blocking use of often-abused functionality
 But potentially useful functionality
Summary
 Interesting questions arise with technology
that trades off privacy for functionality
 What is the best way to give users a good level
of control over this
 The less a tool requires of the user, the
more effective it is
 Can often make better decisions than the user
 User will avoid repetitive decision making tasks
Discussion
 What do you think?
 Firefox and the Worry-free Web –
Chapter 28
 Do it for them
 When there are functionality
tradeoffs, it is often not clear what to
do
Activity
 Group discussion
 What do you think is the right amount of
interaction for cookie management?
 Does it work for everyone?
 Would you use it yourself?
 Would a novice computer user be able to
use it?