1 / 56

Web browser privacy and security (I)

Web browser privacy and security (I). March 21 st , 2006 Ricardo Villamarin-Salomon. Outline. Web Browser In security Informed Consent by Design Hardening Web Browsers Against Man in the Middle and Eavesdropping Attacks Participation. Web Browser Insecurity.

hayden
Download Presentation

Web browser privacy and security (I)

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Web browser privacy and security (I) March 21st, 2006 Ricardo Villamarin-Salomon

  2. Outline • Web Browser Insecurity • Informed Consent by Design • Hardening Web Browsers Against Man in the Middleand Eavesdropping Attacks • Participation

  3. Web Browser Insecurity • Targeted attacks on Web applications and Web browsers are increasingly becoming the focal point for cyber criminals. • Traditional attack activity : motivated by curiosity and a desire to show off technical virtuosity • Current threats are motivated by profit: identity theft, extortion, and fraud, for financial gain.

  4. Source: secunia.com Date: 2006-March-19 Original Idea: ZDNet.com Revision & Update (March 2006): me Worry-free web?

  5. Web Browser vulnerabilities, vendor confirmed Source: Symantec Internet Security Threat Report (Vol. IX)

  6. Web Browser vulnerabilities, confirmed & non-confirmed by vendor Source: Symantec Internet Security Threat Report (Vol. IX)

  7. Some Common Vulnerabilities (CERT) • ActiveX Controls • Java applets (bypassing of sandbox’s restrictions) • Cross-Site Scripting (mainly faults of web sites) • e.g, http://host.com/modules.php?op=modload&name=XForum&file=[hostilejavascript]&fid=2 • Cross-Zone and Cross-Domain Vulnerabilities • Prevention of a web site from accessing data in a different domain (or zone) is broken • Malicious Scripting, Active Content, and HTML • SpoofingAs it relates to web browsers, spoofing is a term used to describe methods of faking various parts of the browser user interface.

  8. Informed Consent for Information Systems Batya Friedman, Peyina Lin, and Jessica K. Miller

  9. Value Sensitive Design • Design of Information and Computer Systems that accounts for human values • Value Sensitive Design is an interactional theory • In general, we don’t view values as inherent in a given technology • However, we also don’t view a technology as value-neutral • Rather, some technologies are more suitable than others for supporting given values • Key task of VSD: Investigate these “value suitabilities” (along with what values and whose values) © Batya Friedman 2003

  10. VSD’s Tripartite Methodology • Conceptual investigations • Philosophically informed analyses of the values and value conflicts involved in the system • Technical investigations • Identify existing or develop new technical mechanisms; investigate their suitability to support or not support the values we wish to further • Empirical investigations • Using techniques from the social sciences, investigate issues such as: Who are the stakeholders? Which values are important to them? How do they prioritize these values? • These are applied iteratively and integratively © Batya Friedman 2003

  11. Direct and Indirect Stakeholders • Direct stakeholders: Interact with the system being designed and its outputs • Indirect stakeholders: Don’t interact directly with the system, but are affected by it in significant ways © Batya Friedman 2003

  12. Disclosure Comprehension Voluntariness Competence Agreement Minimal Distraction Model of Informed Consent for Information Systems

  13. NS 3.04 Cookie Warning Dialog Box

  14. NS 4.03 Cookie Settings

  15. IE 4.0 Cookie Warning Dialog Box

  16. IE 5.0 Custom Cookie Settings

  17. The Unique Role of the Web Browser • Browser software mediates communication between a client (typically an end user) and a server • After a remote site has exercised a capability, the Web browser software has no control over what the remote site does with the information or other actions that the site may take.

  18. The Unique Role of the Web Browser • With respect to Information Consent • Disclosure: • Whether the user is notified about a server request • Harms / Benefits? • Comprehension: (to a large extent) • Controls the content of the notification (if any) • Agreement: • User’s opportunity to agree/decline to place a cookie (prompting) • Ongoing : how to withdraw from agreement (obscure locations)?

  19. The Unique Role of the Web Browser • With respect to Information Consent • Minimal distraction • IE: acceptance/declination of third party cookies by the user (one by one) • Voluntariness? • Browser or Website? • Competence (cookies)? • Browser or Website?

  20. Design Goals • Enhance users’ local understanding of cookie events as the events occur with minimal distraction to the user • Preset agreement policy that applies to all cookies of a specified type • Minimizes user distraction at the expense of rote decision-making, disclosure and comprehension • Explicitly accept or decline each cookie one at a time • Supports the criterion of disclosure but at the expense of extreme distraction • Middle ground?

  21. Design Goals • Enhance users’ global understanding of the common uses of cookie technology • Including potential benefits and risks associated with those uses • A necessary piece of disclosure and comprehension

  22. Design Goals • Enhance users’ ability to manage cookies • Particularly with respect to the easy viewing of cookie information and on-going control over the lifetime and removal of cookies. • Agreement is ongoing: the user had no easy means (1999 browser technology) to remove the previously set cookies and thereby revoke consent • Achieve design goals 1, 2 and 3 while minimizing distraction for the user

  23. © Batya Friedman 2003

  24. © Batya Friedman 2003

  25. © Batya Friedman 2003

  26. © Batya Friedman 2003

  27. © Batya Friedman 2003

  28. Renamed to “Cookie-Panel” • https://addons.mozilla.org/extensions/moreinfo.php?id=1375

  29. Secure Connections • Informing through interaction Design

  30. Secure Connections: Different Evidences • … we turn the entire address bar a bright shade of yellow at secure sites • It's impossible to miss; • the connection with the page “is clear” because it highlights the page address; • and it's “obvious” what it means because it's punctuated by a large lock • - Blake Ross.. Firefox For a suspicious(!) site, the Address bar turns yellow and displays a warning label but still allows data entry IE 7 Beta

  31. Secure Connections: Your opinion? No encryption Secure Connection(Certificate is OK) “Secure” Connection(Problem with Certificate) Fits in the status bar (IE 6)

  32. GMail: Questions related to Informed Consent • Machines reading personal content • … a privacy violation concerns the act of intrusion upon the self, independent of the state of mind (or knowledge) of the intruder- Edward Bloustein • Spam filters? • Indirect stakeholders • targeted advertisements should not be allowed without the consent of all parties involved in an email exchange. Gmail does not obtain the consent of the email sender.How? • Automatic reply: once (the first time) and for all make the sender agree with Gmail TOS (something similar to mailblocks.com for verifying that an email was sent by a human)

  33. Hardening Web Browsers Against Man in the Middleand Eavesdropping Attacks Haidong Xia and Jose Carlos Brustoloni

  34. Usability of Web Browser security • Man-In-The-Middle (MITM) attacks • Eavesdropping attacks • Several tools available

  35. Man-In-The-Middle (MITM) attacks • The public keys of major CAs (e.g., Verisign) are embedded in many client applications (e.g.,Web browsers).

  36. Common sources of Ct. verification failure • The browser may not know the public key of the CA that issued the server’s certificate • Internal web server (only by members of the organization) • Own CA: public key installed in browser (no verification errors) • Large number of users / User owned computer • Issuer’s or the server’s certificate may be expired

  37. Common sources of Ct. verification failure • Server may have presented a certificate whose common name field does not match the server’s fully qualified domain name • Attacker can use his own identity with a CA generated certificate • Attacker may have stolen the Ct. (along with the private key) • Mismatches at subdomain level not very risky (unless a very sophisticated attack is mounted) • Allow user to proceed • Other cases more serious • Ch. 28

  38. Common sources of Ct. verification failure

  39. Common sources of Ct. verification failure

  40. Context Sensitive Certificate Verification • Clarify the relationship between the user and the server’s (non verified) certificate • Not giving the user override mechanisms • Distribute signed certificates of the internal servers out of band • Take advantage of typically unused Ct’s fields: • CA’s contact information (field: issuer alternative name) • CA administrator’s name, address, telephone and fax numbers, and work hours.

  41. Context Sensitive Certificate Verification

  42. Specific Passwords Warnings • Helps prevent eavesdropping • Allow overriding

  43. Specific Passwords Warnings

  44. Specific Passwords Warnings

  45. User Studies • Computer literate users (CLU) • Evaluate: • Likelihood of successful attack in representative security-sensitive Web applications • Possibility of “foolproofing” web browsers, so they can be used securely even by untrained CLUs • Can education about the relevant security principles, attacks, and tools improve the security of how users browse the Web? • Note: This last hypothesis is not covered in this presentation

  46. Study’s Design • 17 participants (majors from Pitt’s CS department) • Two studies: • Unmodified browser (IE) • Modified Mozilla Firebird 0.6.1 with CSCV and SPW • No feedback given between these two studies

More Related