Web Browser Privacy and Security
Download
Report
Transcript Web Browser Privacy and Security
Web Browser Privacy and
Security
Part II
Outline
Overview
Browser Privacy and Security Research
HCISec Bibliography
Trusted Paths for Browsers
Zishuang Ye, Sean Smith, Denise Anthony
Informed Consent in the Mozilla Browser:
Implementing Value-Sensitive Design
Batya Friedman, Daniel C Howe, Edward Felten
Doppelganger: Better Browser Privacy Without the
Bother
Umesh Shankar, Chris Karlof
Discussion and Activity
Overview
The web browser serves as a doorway to
the Internet for much of a typical user’s
online activity
Browsers have the potential to impact on
the privacy and security of any action they
are used to complete
Some of the most interesting areas are
where there is no clear cut answer
Technology that has functionally beneficial uses
but gives up something in return
Can (or should) these decisions be automated?
Web Browsers and Online Privacy
Common privacy concerns come up when
simply browsing the web
Sometimes, users are getting something in
return for the loss of privacy
Personal information given to websites (creating
accounts/completing real world transactions)
Cookies (remember usernames/preferences)
Other times, no value is returned to the user for
their loss of privacy
Tracking cookies
Web bugs
Traffic logs
Cookies
Because cookies can be used
beneficially, disallowing their use is
not an acceptable solution
People claim to want the browser to
seek their consent before giving up
information in this manner
Asking every time is too intrusive and
annoying, and leads to users clicking
through without paying attention
Problems with Cookie Management
Accept/Reject decision is not clear in
all cases
Because the perceived risks are low,
very little action can be required on
the part of the user or they will
simply avoid using the tool
Two proposed solutions later
Web Bugs and Traffic Logs
Loading of remote image that doesn’t
impact visual layout of page
Set 3rd party cookie
Remote server can log event of image load
even if cookie is rejected
However, there are lots of cases where we
want our browsers to load images and
display them to us
Can be difficult to tell when this action is
beneficial and when it isn’t
Web Browsers and Online Security
Confidentiality
You should be able to exchange data
with the server without an eavesdropper
being able to intercept it
Integrity
No third-party should be able to modify
or corrupt your communications with the
server
You must be able to correctly identify
the server you are interacting with
Web Browsers and Online Security
Browsers provide common tools
enabling users to interact with remote
servers in a secure fashion
Encrypted sessions (SSL)
Signed Certificates
However, the browser must then
communicate about these tools to the
end user
Trusted Path for Web Browsing
Trusted Path
From the remote web server to the user
Malicious websites or third party
attackers should not be able to use your
browser to trick you
Many common indicators needed to
establish the identity of the server can
be spoofed
Certificates
Talked a lot about signed certificates
as an important part of creating a
Trusted Path to the user
Goals
Confidentiality and Integrity
Establishes identity of remote server
Does it accomplish these goals?
Tuesday’s lecture
Web Browser Security
Trusted Paths for Browsers
Evaluation of browser methods for
establishing a trusted path to the
user
Ability to masquerade as a site with a
different identity
Ability to “spoof” the existence of a SSL
connection
Misleading website identity in
browsers
Malicious sites trying to use a forged
identity are often related to phishing
attacks
Simple impersonation attacks in the URL
itself
www.paypai.com
http://www.bloomberg.com@1234567/
From a technical standpoint, there is
nothing wrong with these addresses, yet
they are intended to mislead
Misleading website identity in
browsers
More elaborate impersonation attacks are
also possible using JavaScript
Link appears to go to one site, but goes to
another instead
New window with standard toolbars disabled,
replaced with spoofed ones displaying inaccurate
information
Imposter site with JavaScript created interface
elements looks very similar to legitimate site
Again, all technically legitimate JavaScript
commands, used with the intention of
misleading the user
Why does this work
Browsers don’t make enough of a
distinction between site content and
browser status information
A clear distinction needs to exist
Users need to be able to easily perceive
this difference
Status information should never be empty
Status elements should be difficult to
impersonate
Approaches
No Turnoff
Make it impossible to disable elements
such as the location and status bars
Overly restrictive of site display
Customized Content
Clearly label status material by using
customized styles or information that
would be difficult to spoof
Requires some effort from user
May not be noticed
Approaches – cont
Metadata Titles
Push some important status data into
the window title bar where it is more
difficult to modify
Would users notice?
Still vulnerable to window in window
Metadata Windows
Separate dedicated window for metadata
Easy to Ignore
Difficult to correlate with content elements
Approaches – cont
Boundaries
Use large colored boundaries to indicate
“trusted” status information from the
browser
Window in window
Compartmented Mode Workstation Style Approach
Uses combination of metadata windows
and boundaries
Prototype
Separate metadata window always open
Displays color matching the security level of
the focus window
Color mismatch of spoofed window will
warn users
Synchronized random dynamic borders
switch all windows between inset and
outset shading styles at once to further
make window in window spoofs easier to
identify
Prototype – cont
All windows labeled
Colored boundaries are easy to
recognize
Minimal user work required
Minimal level of intrusiveness,
content unaffected
Modified version of Mozilla browser
User Study
Security signal was noticeable and
easy to learn to understand
Presence of the reference window
made it easier to observe the
synchronization
Dynamic boundaries much easier to
notice than static ones
Displaying security signals without
requiring user action is more reliable
Value-Sensitive Design
Informed Consent in the Mozilla Browser:
Implementing Value-Sensitive Design
Shares work with Informed Consent by
Design – Chapter 24
Many sites collecting information about
users do not explicitly inform them that
they are doing so
Your browser is implicitly giving consent on
your behalf when accepting cookies
Informed Consent
88% of users expressed that they wanted
sites to explicitly get their consent
Elements of Informed Consent
Disclosure
Comprehension
Voluntariness
Competence
Agreement
Minimal Distraction
Minimal Distraction
Why is this important?
If overwhelmed with queries with low
perceived benefits and risks, attention to
each will become low
After some threshold, users will simply
seek to disable the mechanism to avoid
the annoyances it presents
In either of these cases, it is impossible
to maintain the other 5 properties
Prototype
Iterative design, rapid prototyping,
user evaluations
Enhancements to cookie manager
tool
Additional cookie information
Just-in-time interventions for cookie
events
Difficult to tell which are actually
important to a user
Prototype – cont
Instead of interrupting current work with
decisions, give peripheral notification
Users can then identify themselves which events
are important and need their attention
Cookie information box displays currently
set cookies on side of browser area
Color and formatting in cookie information
dialog box make cookies easier to identify
3rd party cookies in red
Long cookie expiration durations bolded
Cookie expiration durations for current session
in italics
User Study
Increased awareness of cookie events
More likely to respond to cookie
events
More likely to make cookie
management actions
Web Browser Privacy
Making decisions about the tradeoff of
privacy and functionality
Most automated methods make mistakes
when compared to actual user
preferences
Asking the user every time is annoying
They will stop paying attention and make
mistakes themselves
Who is better equipped to make the
decision? The user or the browser
Doppelganger
Doppelganger: Better Browser Privacy
Without the Bother
More fun with cookies!
When deciding to accept a cookie or not,
users would like to compare the privacy
cost to the functionality benefit but are ill
equipped to do so
Doppelganger aims to assist the user in
making these decisions and learn and make
simple generalizations of these rules to
remove later instances of repeated prompts
Goals
Create a cookie policy that
Protects privacy
Maintains functionality
Doesn’t hassle the user
Doppelganger
Firefox extension
Mirrors session in hidden window
Detects differences in sessions
Doppelganger
Maintains “forked” session
If there is no detected difference, cookies
are assumed to have no benefit and are
ignored
If there is a difference, present it to the
user, give them information relevant to the
cookie and let them decide to accept or
reject
Now has information necessary to make
informed functionality vs. privacy decision
Doppelganger
“Fix Me” button for user-initiated repair
Attempts to rewind and replay sequence of
actions with cookies on
Needed incase no difference was detected and
cookies were automatically rejected
Learns policies per domain
Configuration modes allow for automatic
acceptance of 1st party session cookies
Other modes allow for different trade off of
privacy and intrusiveness
Evaluation
Simulated User
Willing to give up privacy at some sites
Yahoo!, Netflix, GMail
Not willing to give up privacy at sites which they had
no relationship
CNN, PCMagazine, etc
5 Conditions
All cookies enabled
Reject 3rd party cookies
Reject 3rd party cookies + Reject persistent cookies
Ask user for every cookie
Doppelganger
Measurements
Number of sites whose cookies were
accepted
Grouped by persistence and context
Doesn’t directly measure privacy loss
Inconveniences suffered by user
Dialog boxes and prompts
Lost functionality
Looking for low values both times
Set of common tasks was repeated three
times
Results
Doppelganger had the best fit for accepted
cookies vs. lost functionality
More prompts than the conditions that never
prompt
Fewer prompts than the condition that always
prompts
After the 2nd visit to any given site, no further
prompts were required for any of the test scripts
After navigating prompts, there was no lost
functionality
Required use of “Fix Me” button once upon
returning to a site that needed a persistent
cookie for functionality
Alternatives
Most browsers allow users only very
coarse-grained control
Allowing or blocking all cookies by category
Session, 3rd party, All
Allowing too many has negative privacy
implications
Blocking too many has negative
functionality implications
There are ways around the 3rd party blocks
Redirect links
IFrames
Alternatives – cont
Many existing extensions and addons to
enhance cookie management
Cookie Button
Cookie Toggle
Permit Cookies
Add N Edit Cookies
Cookie Culler
View Cookies
But they still focus on the low level task of
cookie management
Alternatives – cont
Acumen
Social Approaches to End-User Privacy
Management – Chapter 25
Social Recommendations
Simple threshold rules
Makes some steps in the right direction
to move action away from low level tasks
Firefox Extensions
164 Extensions in the Security and
Privacy Section at mozilla.org
Site Identity
Site Identity
Privacy
Privacy
Why Extensions?
Why aren’t these built into the default
behavior of browsers?
Chances are, users won’t take the proactive
action required of going out to acquire these
tools
Highest risk users likely not aware of their
existence
They all make tradeoffs
User effort
Distractions
Blocking use of often-abused functionality
But potentially useful functionality
Summary
Interesting questions arise with technology
that trades off privacy for functionality
What is the best way to give users a good level
of control over this
The less a tool requires of the user, the
more effective it is
Can often make better decisions than the user
User will avoid repetitive decision making tasks
Discussion
What do you think?
Firefox and the Worry-free Web –
Chapter 28
Do it for them
When there are functionality
tradeoffs, it is often not clear what to
do
Activity
Group discussion
What do you think is the right amount of
interaction for cookie management?
Does it work for everyone?
Would you use it yourself?
Would a novice computer user be able to
use it?