Web Browser Privacy and Security - CUPS

hotbroodΑσφάλεια

2 Νοε 2013 (πριν από 3 χρόνια και 9 μήνες)

64 εμφανίσεις

Web Browser Privacy and
Security

Part II

Outline


Overview


Browser Privacy and Security Research


HCISec Bibliography


Trusted Paths for Browsers


Zishuang Ye, Sean Smith, Denise Anthony


Informed Consent in the Mozilla Browser:
Implementing Value
-
Sensitive Design


Batya Friedman, Daniel C Howe, Edward Felten


Doppelganger: Better Browser Privacy Without the
Bother


Umesh Shankar, Chris Karlof


Discussion and Activity

Overview


The web browser serves as a doorway to
the Internet for much of a typical user’s
online activity


Browsers have the potential to impact on
the privacy and security of any action they
are used to complete


Some of the most interesting areas are
where there is no clear cut answer


Technology that has functionally beneficial uses
but gives up something in return


Can (or should) these decisions be automated?


Web Browsers and Online Privacy


Common privacy concerns come up when
simply browsing the web


Sometimes, users are getting something in
return for the loss of privacy


Personal information given to websites (creating
accounts/completing real world transactions)


Cookies (remember usernames/preferences)


Other times, no value is returned to the user for
their loss of privacy


Tracking cookies


Web bugs


Traffic logs

Cookies


Because cookies can be used
beneficially, disallowing their use is
not an acceptable solution


People claim to want the browser to
seek their consent before giving up
information in this manner


Asking every time is too intrusive and
annoying, and leads to users clicking
through without paying attention

Problems with Cookie Management


Accept/Reject decision is not clear in
all cases


Because the perceived risks are low,
very little action can be required on
the part of the user or they will
simply avoid using the tool


Two proposed solutions later

Web Bugs and Traffic Logs


Loading of remote image that doesn’t
impact visual layout of page


Set 3
rd

party cookie


Remote server can log event of image load
even if cookie is rejected


However, there are lots of cases where we
want our browsers to load images and
display them to us


Can be difficult to tell when this action is
beneficial and when it isn’t

Web Browsers and Online Security


Confidentiality


You should be able to exchange data
with the server without an eavesdropper
being able to intercept it


Integrity


No third
-
party should be able to modify
or corrupt your communications with the
server


You must be able to correctly identify
the server you are interacting with

Web Browsers and Online Security


Browsers provide common tools
enabling users to interact with remote
servers in a secure fashion


Encrypted sessions (SSL)


Signed Certificates


However, the browser must then
communicate about these tools to the
end user

Trusted Path for Web Browsing


Trusted Path


From the remote web server to the user


Malicious websites or third party
attackers should not be able to use your
browser to trick you


Many common indicators needed to
establish the identity of the server can
be spoofed



Certificates


Talked a lot about signed certificates
as an important part of creating a
Trusted Path to the user


Goals


Confidentiality and Integrity


Establishes identity of remote server


Does it accomplish these goals?


Tuesday’s lecture

Web Browser Security


Trusted Paths for Browsers


Evaluation of browser methods for
establishing a trusted path to the
user


Ability to masquerade as a site with a
different identity


Ability to “spoof” the existence of a SSL
connection

Misleading website identity in
browsers


Malicious sites trying to use a forged
identity are often related to phishing
attacks


Simple impersonation attacks in the URL
itself


www.paypai.com


http://www.bloomberg.com@1234567/


From a technical standpoint, there is
nothing wrong with these addresses, yet
they are intended to mislead

Misleading website identity in
browsers


More elaborate impersonation attacks are
also possible using JavaScript


Link appears to go to one site, but goes to
another instead


New window with standard toolbars disabled,
replaced with spoofed ones displaying inaccurate
information


Imposter site with JavaScript created interface
elements looks very similar to legitimate site


Again, all technically legitimate JavaScript
commands, used with the intention of
misleading the user

Why does this work


Browsers don’t make enough of a
distinction between site content and
browser status information


A clear distinction needs to exist


Users need to be able to easily perceive
this difference


Status information should never be empty


Status elements should be difficult to
impersonate

Approaches


No Turnoff


Make it impossible to disable elements
such as the location and status bars


Overly restrictive of site display


Customized Content


Clearly label status material by using
customized styles or information that
would be difficult to spoof


Requires some effort from user


May not be noticed

Approaches


cont


Metadata Titles


Push some important status data into
the window title bar where it is more
difficult to modify


Would users notice?


Still vulnerable to window in window


Metadata Windows


Separate dedicated window for metadata


Easy to Ignore


Difficult to correlate with content elements


Approaches


cont


Boundaries


Use large colored boundaries to indicate
“trusted” status information from the
browser


Window in window


Compartmented Mode Workstation
-
Style Approach


Uses combination of metadata windows
and boundaries

Prototype


Separate metadata window always open


Displays color matching the security level of
the focus window


Color mismatch of spoofed window will
warn users


Synchronized random dynamic borders
switch all windows between inset and
outset shading styles at once to further
make window in window spoofs easier to
identify

Prototype


cont


All windows labeled


Colored boundaries are easy to
recognize


Minimal user work required


Minimal level of intrusiveness,
content unaffected


Modified version of Mozilla browser

User Study


Security signal was noticeable and
easy to learn to understand


Presence of the reference window
made it easier to observe the
synchronization


Dynamic boundaries much easier to
notice than static ones


Displaying security signals without
requiring user action is more reliable

Value
-
Sensitive Design


Informed Consent in the Mozilla Browser:
Implementing Value
-
Sensitive Design


Shares work with
Informed Consent by
Design



Chapter 24


Many sites collecting information about
users do not explicitly inform them that
they are doing so


Your browser is implicitly giving consent on
your behalf when accepting cookies

Informed Consent


88% of users expressed that they wanted
sites to explicitly get their consent


Elements of Informed Consent


Disclosure


Comprehension


Voluntariness


Competence


Agreement


Minimal Distraction

Minimal Distraction


Why is this important?


If overwhelmed with queries with low
perceived benefits and risks, attention to
each will become low


After some threshold, users will simply
seek to disable the mechanism to avoid
the annoyances it presents


In either of these cases, it is impossible
to maintain the other 5 properties

Prototype


Iterative design, rapid prototyping,
user evaluations


Enhancements to cookie manager
tool


Additional cookie information


Just
-
in
-
time interventions for cookie
events


Difficult to tell which are actually
important to a user

Prototype


cont


Instead of interrupting current work with
decisions, give peripheral notification


Users can then identify themselves which events
are important and need their attention


Cookie information box displays currently
set cookies on side of browser area


Color and formatting in cookie information
dialog box make cookies easier to identify


3
rd

party cookies in
red


Long cookie expiration durations
bolded


Cookie expiration durations for current session
in
italics

User Study


Increased awareness of cookie events


More likely to respond to cookie
events


More likely to make cookie
management actions

Web Browser Privacy


Making decisions about the tradeoff
of privacy and functionality


Most automated methods make mistakes
when compared to actual user
preferences


Asking the user every time is annoying


They will stop paying attention and make
mistakes themselves


Who is better equipped to make the
decision? The user or the browser

Doppelganger


Doppelganger: Better Browser Privacy
Without the Bother


More fun with cookies!


When deciding to accept a cookie or not,
users would like to compare the privacy
cost to the functionality benefit but are ill
equipped to do so


Doppelganger aims to assist the user in
making these decisions and learn and make
simple generalizations of these rules to
remove later instances of repeated prompts

Goals


Create a cookie policy that


Protects privacy


Maintains functionality


Doesn’t hassle the user


Doppelganger


Firefox extension


Mirrors session in hidden window


Detects differences in sessions

Doppelganger


Maintains “forked” session


If there is no detected difference, cookies
are assumed to have no benefit and are
ignored


If there is a difference, present it to the
user, give them information relevant to the
cookie and let them decide to accept or
reject


Now has information necessary to make
informed functionality vs. privacy decision

Doppelganger


“Fix Me” button for user
-
initiated repair


Attempts to rewind and replay sequence of
actions with cookies on


Needed incase no difference was detected and
cookies were automatically rejected


Learns policies per domain


Configuration modes allow for automatic
acceptance of 1
st

party session cookies


Other modes allow for different trade off of
privacy and intrusiveness

Evaluation


Simulated User


Willing to give up privacy at some sites


Yahoo!, Netflix, GMail


Not willing to give up privacy at sites which they had
no relationship


CNN, PCMagazine, etc


5 Conditions


All cookies enabled


Reject 3
rd

party cookies


Reject 3
rd

party cookies + Reject persistent cookies


Ask user for every cookie


Doppelganger

Measurements


Number of sites whose cookies were
accepted


Grouped by persistence and context


Doesn’t directly measure privacy loss


Inconveniences suffered by user


Dialog boxes and prompts


Lost functionality


Looking for low values both times


Set of common tasks was repeated three
times

Results


Doppelganger had the best fit for accepted
cookies vs. lost functionality


More prompts than the conditions that never
prompt


Fewer prompts than the condition that always
prompts


After the 2
nd

visit to any given site, no further
prompts were required for any of the test scripts


After navigating prompts, there was no lost
functionality


Required use of “Fix Me” button once upon
returning to a site that needed a persistent
cookie for functionality


Alternatives


Most browsers allow users only very
coarse
-
grained control


Allowing or blocking all cookies by category


Session, 3
rd

party, All


Allowing too many has negative privacy
implications


Blocking too many has negative
functionality implications


There are ways around the 3
rd

party blocks


Redirect links


IFrames

Alternatives


cont


Many existing extensions and addons to
enhance cookie management


Cookie Button


Cookie Toggle


Permit Cookies


Add N Edit Cookies


Cookie Culler


View Cookies


But they still focus on the low level task of
cookie management

Alternatives


cont


Acumen


Social Approaches to End
-
User Privacy
Management



Chapter 25


Social Recommendations


Simple threshold rules


Makes some steps in the right direction
to move action away from low level tasks

Firefox Extensions

164 Extensions in the Security and
Privacy Section at mozilla.org


Site Identity


Site Identity


Privacy


Privacy


Why Extensions?


Why aren’t these built into the default
behavior of browsers?


Chances are, users won’t take the proactive
action required of going out to acquire these
tools


Highest risk users likely not aware of their
existence


They all make tradeoffs


User effort


Distractions


Blocking use of often
-
abused functionality


But potentially useful functionality

Summary


Interesting questions arise with technology
that trades off privacy for functionality


What is the best way to give users a good level
of control over this


The less a tool requires of the user, the
more effective it is


Can often make better decisions than the user


User will avoid repetitive decision making tasks

Discussion


What do you think?


Firefox and the Worry
-
free Web



Chapter 28


Do it for them


When there are functionality
tradeoffs, it is often not clear what to
do

Activity


Group discussion


What do you think is the right amount of
interaction for cookie management?


Does it work for everyone?


Would you use it yourself?


Would a novice computer user be able to
use it?