Hardening Web Browsers Against Man-in-the-Middle and Eavesdropping Attacks - PowerPoint PPT Presentation


Slides: 21
Provided by: iisSin

Transcript and Presenter's Notes

1
Hardening Web Browsers Against Man-in-the-Middle
and Eavesdropping Attacks
  • Hsin-Chen Chiao
  • 06/22/05

2
Introduction
  • The Web browser is an important application.
  • There are also many technologies for securing
    Web applications.
  • The usability of these security technologies
    receives surprisingly little attention.
  • They are either difficult to learn or prone to
    misuse.

3
Three Questions
  • How likely is it that an attack against these
    applications will succeed?
  • Is it possible to make Web browsers foolproof, such
    that they can be used securely even by untrained
    but computer-literate users?
  • Can education about the relevant security
    principles, attacks, and tools improve the
    security of how users browse the Web?

4
Man-In-The-Middle Attacks
5
Man-In-The-Middle Attacks
Eavesdropping, modification, reordering, etc.
6
Password Attack
7
Conventional Certificate Verification
  [Diagram: the client obtains the CA's public key and uses it to
  verify the server's certificate; the client then encrypts with PubS
  and the server decrypts with PriS, while the server encrypts with
  PubC and the client decrypts with PriC.]
8
What Current Browsers Do
  • Current browsers allow users to override certificate
    verification failures and continue.

9
Man-In-The-Middle Attacks
  [Diagram: the attacker M sits between client and server. Each side
  encrypts with PubM, believing it to be the other party's key; M
  decrypts with PriM, reads the message, and re-encrypts it with the
  real recipient's key (PubS toward the server, decrypted with PriS;
  PubC toward the client, decrypted with PriC).]
10
Why Certificate Verification Fails
  • Three main causes:
  • The browser may not know the public key of the CA
    that issued the server's certificate.
  • The issuer's or the server's certificate may be
    expired.
  • The server may have presented a certificate whose
    common name field does not match the server's
    fully qualified domain name.
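
The following is an added example, not code from the presentation. It is a toy model of slides 7 to 10: a CA signs a certificate binding a name to a public key, the browser checks it for the three causes listed above (plus the signature that actually ties key to name), and an attacker M who holds PriM relays traffic as in the slide 9 diagram. `client_send` takes an `override` flag so the slide 8 behaviour (continue despite a failed check) can be compared with refusing. Textbook RSA with tiny primes and no padding is used only to make the key flow visible; the names `Example CA`, `Mallory CA`, `shop.example`, the day counter used for expiry and the secret `1234` are all assumptions for illustration.

```python
"""Toy model of certificate verification and a man-in-the-middle relay.

Added example, not from the presentation. Textbook RSA with small primes
(no padding): illustration only, never use as a real cryptosystem.
"""
import hashlib
from dataclasses import dataclass


def toy_keypair(p, q, e=17):
    """Textbook RSA keypair from two small primes (assumed values)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)           # modular inverse, Python 3.8+
    return (e, n), (d, n)         # (public, private)


def encrypt(pub, m):
    e, n = pub
    return pow(m, e, n)


def decrypt(priv, c):
    d, n = priv
    return pow(c, d, n)


@dataclass(frozen=True)
class Certificate:
    subject: str        # common name; must equal the server's FQDN
    pub: tuple          # subject public key (e, n)
    issuer: str         # name of the issuing CA
    not_after: int      # expiry as a toy day counter
    signature: int      # issuer's RSA signature over the other fields


def _digest(subject, pub, issuer, not_after, n):
    """Hash the signed fields and reduce modulo the signer's n."""
    data = f"{subject}|{pub}|{issuer}|{not_after}".encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def issue(ca_name, ca_priv, subject, subject_pub, not_after):
    """The CA signs (subject, key, issuer, expiry) with its private key."""
    d, n = ca_priv
    h = _digest(subject, subject_pub, ca_name, not_after, n)
    return Certificate(subject, subject_pub, ca_name, not_after, pow(h, d, n))


def verify(cert, trusted_cas, hostname, today):
    """Return the reasons verification fails; an empty list means it passed.
    The three causes from slide 10 are marked; the signature check is what
    binds the public key to the name."""
    reasons = []
    ca_pub = trusted_cas.get(cert.issuer)
    if ca_pub is None:
        reasons.append("unknown CA")            # cause 1: CA key not known
    else:
        e, n = ca_pub
        expected = _digest(cert.subject, cert.pub, cert.issuer, cert.not_after, n)
        if pow(cert.signature, e, n) != expected:
            reasons.append("bad signature")
    if today > cert.not_after:
        reasons.append("expired")               # cause 2: certificate expired
    if cert.subject != hostname:
        reasons.append("name mismatch")         # cause 3: CN != FQDN
    return reasons


def client_send(cert, trusted_cas, hostname, today, secret, override=False):
    """Browser side of slides 7/9: verify the presented certificate, then
    encrypt the secret with whatever public key it carries. override=True
    is the slide 8 behaviour: continue even though verification failed."""
    if verify(cert, trusted_cas, hostname, today) and not override:
        return None                             # refuse to talk
    return encrypt(cert.pub, secret)


def mitm_relay(ciphertext, mallory_priv, server_pub):
    """Slide 9: M decrypts with PriM, reads the secret, re-encrypts with PubS."""
    secret = decrypt(mallory_priv, ciphertext)
    return secret, encrypt(server_pub, secret)


def make_pki():
    """Assumed toy PKI: one trusted CA, a genuine server and an attacker."""
    ca_pub, ca_priv = toy_keypair(61, 53)
    srv_pub, srv_priv = toy_keypair(89, 97)
    mal_pub, mal_priv = toy_keypair(67, 71)
    return {"trusted": {"Example CA": ca_pub}, "ca_priv": ca_priv,
            "srv_pub": srv_pub, "srv_priv": srv_priv,
            "mal_pub": mal_pub, "mal_priv": mal_priv}


def demo(override):
    """Run one exchange against a MITM presenting a self-signed certificate
    for the right name (the trusted CA will not sign PubM for it)."""
    pki = make_pki()
    host, today, secret = "shop.example", 100, 1234
    fake = issue("Mallory CA", pki["mal_priv"], host, pki["mal_pub"], 365)
    problems = verify(fake, pki["trusted"], host, today)
    ct = client_send(fake, pki["trusted"], host, today, secret, override)
    if ct is None:
        return {"problems": problems, "mallory_learned": None, "server_received": None}
    learned, forwarded = mitm_relay(ct, pki["mal_priv"], pki["srv_pub"])
    return {"problems": problems, "mallory_learned": learned,
            "server_received": decrypt(pki["srv_priv"], forwarded)}
```

With `override=False` the only thing the attacker gets is a refused connection; with `override=True` the relay is transparent to both ends (the server receives exactly what the client sent) and M reads the secret, which is the situation the warn-and-continue interfaces on the later slides invite.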

11
Context-Sensitive Certificate Verification
12
Specific Password Warnings
13
Just-In-Time Instruction
  • JITI gives the user information at a critical
    point while processing a task.
  • Shortcomings:
  • Non-specialists usually do not understand the
    messages.
  • JITI messages may not disclose the possible
    consequences of the user's decision.
  • JITI messages usually do not tell users how to
    overcome security errors.
  • Result: the Warn and Continue (WC) interfaces.

14
GWO and GO
  • CSCV: Guidance Without Override (GWO)
  • SPW: Guidance With Override (GO)

15
Well-In-Advance Instruction
  • JITI's main problem is that it leaves instruction
    to the last minute, while Whitten argues that user
    interfaces should teach the necessary security
    concepts before the user actually needs them.

16
Staged Web-Of-Trust (SWOT)
  • Email agent: Lime
  • Stage 1: Sending secret email to people the user
    has already personally met and traded keys with
  • Stage 2: Sending secret email to anyone without
    certification, but only for not very important email
  • Stage 3: No functional or data restriction

17
Staged PKI Client (SPKIC)
  • Stage 1: Learning about certificates (how)
  • Stage 2: Learning about MITM and eavesdropping
    attacks (why)
  • Stage 3: Using unmodified IE to visit a variety
    of sites, because the user is assumed to have the
    knowledge necessary to behave safely

18
Experiment
  • 17 male CS undergraduates
  • User Study 1: IE 6.0
  • User Study 2: Firebird 0.6.1 (with CSCV and SPW)
  • User Study 3: IE 6.0
  • First site: earning reward points
  • HTTPS service; the CA certificate is not installed on
    the machines, but can be obtained
  • Second site: purchasing something
  • HTTPS service; the certificate is bogus
  • Third site: getting confirmation emails
  • HTTP service (no encryption at all)

19
Scoring Strategies
  • 0 if a user accessed a site despite the lack of
    security
  • 50 if a user simply did not visit the first site
    insecurely
  • 100 if the user obtained and installed the
    certificate and then accessed the first site's
    server, or simply did not visit the second
    and third sites

20
Experiment Result