Slashdot Mirror


Web Browser Developers Work Together on Security

JRiddell writes "Security developers for the four major browsers recently met together to discuss Web security. The meeting, hosted by Konqueror's George Staikos, looked at future plans to combat the security risks posed by phishing, ageing encryption ciphers and inconsistent SSL Certificate practice. IE 7 is one of the first browsers to implement some of the ideas discussed such as colour coding location bars and an anti-phishing database." From the article: "The first topic and the easiest to agree upon is the weakening state of current crypto standards. With the availability of botnets and massively distributed computing, current encryption standards are showing their age. Prompted by Opera, we are moving towards the removal of SSLv2 from our browsers. IE will disable SSLv2 in version 7 and it has been completely removed in the KDE 4 source tree already."

13 of 203 comments

  1. Don't use self-signed certs. by LostCluster · · Score: 4, Interesting

    I've seen several site operators let their sites sit with SSL warning boxes because they insist on using a self-issued SSL certificate instead of paying for a major brand name label.

    Most of the time, this isn't exposed to customers, but employees of the organization are trained to ignore the "This certificate was not issued by a trusted authority" warnings, and I fear such people will take away that that box with all of its technobabble is one they should ignore at all times. That box is a last line of defense against an encrypted connection that isn't trustworthy... and I think this is a step forward to the point where browsers will refuse to give SSL encryption without SSL authentication succeeding.

    1. Re:Don't use self-signed certs. by LostCluster · · Score: 2, Interesting

      But how do you know that you didn't get the hacker site on day 1 and the real site on day 2? Without some authentication protocol being followed, you're not secure. Sure, there's no way you're being intercepted when you're talking to the site, but you don't know what's on the other end of the line.

    2. Re:Don't use self-signed certs. by pthisis · · Score: 2, Interesting

      The same way you do with SSH or PGP. You verify the fingerprint, which you received by some other channel secure enough for your purposes. That could be simply over the phone from someone whose CallerID and voice you recognize or could be a trusted courier with a locked case. It could even be IM if you're just testing how to set up SSL certs and don't really care if this one is secure or not since you're going to wipe it for a real one later.

      People have been doing it for years.

      It's not a good general purpose solution for the uneducated, but forcing people who know what they're doing to outsource key management is equally poor. Ideally the browser messages would be along the lines of SSH.

      1. Warn you when the key is unknown and ask you to verify the fingerprint. Perhaps require you to enter the print (type it in) to use a self-signed key.
      2. Refuse to connect if the key has changed.

      Other scenarios (expired key, etc.) require some thought and local policy decisions.

      --
      rage, rage against the dying of the light
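The SSH-style policy pthisis sketches (warn on an unknown key, require the user to type the fingerprint, refuse a changed key) can be written down as a small trust-on-first-use pin store. The following is an added illustration, not code from the thread or from any browser; the hosts, ports and "certificate" byte strings are constructed for the demo, and the fingerprint is simply SHA-256 over whatever bytes the server presented.

```python
"""Trust-on-first-use (TOFU) certificate pinning, known_hosts style.

Added illustration, not code from the thread. Models the policy proposed above:
 1. an unknown host's fingerprint must be confirmed out-of-band before use;
 2. a changed fingerprint is refused outright;
 3. a matching fingerprint is accepted silently.
Fingerprints are SHA-256 over the certificate bytes; the "certificates" in the
demo are constructed byte strings, not real X.509 data.
"""
import hashlib
import hmac
from enum import Enum


class Verdict(Enum):
    ACCEPT = "accept"      # known host, fingerprint unchanged
    UNKNOWN = "unknown"    # first contact: user must confirm the fingerprint
    CHANGED = "changed"    # pinned fingerprint differs: refuse to connect


def fingerprint(cert_bytes: bytes) -> str:
    """Colon-separated SHA-256 hex digest, the format most tools display."""
    digest = hashlib.sha256(cert_bytes).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


class KnownHosts:
    """In-memory pin store keyed by host:port (a real store would persist it)."""

    def __init__(self) -> None:
        self._pins: dict[str, str] = {}

    def check(self, host: str, port: int, cert_bytes: bytes) -> Verdict:
        pinned = self._pins.get(f"{host}:{port}")
        if pinned is None:
            return Verdict.UNKNOWN
        # constant-time compare: a habit for any equality gating a security decision
        if hmac.compare_digest(pinned.encode(), fingerprint(cert_bytes).encode()):
            return Verdict.ACCEPT
        return Verdict.CHANGED

    def confirm(self, host: str, port: int, cert_bytes: bytes, typed: str) -> bool:
        """Pin the cert only if the fingerprint the user typed (obtained out-of-band,
        e.g. read over the phone) matches what the server actually presented."""
        normalised = typed.strip().lower().replace(":", "")
        expected = hashlib.sha256(cert_bytes).hexdigest()
        if not hmac.compare_digest(normalised.encode(), expected.encode()):
            return False
        self._pins[f"{host}:{port}"] = fingerprint(cert_bytes)
        return True


def demo() -> list[str]:
    """First contact, a mistyped fingerprint, a correct one, a repeat visit,
    and finally a swapped certificate for the same host."""
    store = KnownHosts()
    real_cert = b"constructed-cert-for-example.test"     # constructed, not real DER
    other_cert = b"constructed-cert-from-someone-else"   # constructed, not real DER
    log = []
    log.append(store.check("example.test", 443, real_cert).value)           # unknown
    log.append(str(store.confirm("example.test", 443, real_cert, "00:11:22")))  # False
    log.append(str(store.confirm("example.test", 443, real_cert,
                                 fingerprint(real_cert))))                   # True
    log.append(store.check("example.test", 443, real_cert).value)           # accept
    log.append(store.check("example.test", 443, other_cert).value)          # changed
    return log


if __name__ == "__main__":
    print(demo())
```

Note what the store does not do: it has no notion of expiry or of a legitimately rotated key, which is exactly the "other scenarios" pthisis leaves to local policy. A changed fingerprint is refused, and re-pinning requires the user to go back through `confirm` with a fingerprint obtained out of band.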
  2. You know what would really help... by Godeke · · Score: 3, Interesting

    Stop coding in C/C++ when the product will be exposed to external, uncontrolled inputs. Java, .NET, Parrot... I don't really care what gets used, but it has been clear that despite the constant "C++ using the proper string libraries is as secure as virtual machines and interpreters" cries, those who actually wield the language to make products like browsers are still failing to secure against the most basic and common flaw: the buffer overflow. Browsing web pages is *not* the kind of thing that requires "bare to the metal" coding. Yes, such a browser might be vulnerable to attacks on the virtual machine itself... but a quick look at the browsers' security history versus virtual machine security histories makes it clear that that is a tradeoff worth making.

    --
    Sig under construction since 1998.
    1. Re:You know what would really help... by Dan_Bercell · · Score: 2, Interesting

      As the speed of computers and VMs grows the resource issue will fade away.

      I am not saying this will happen soon, but when you purchase a home PC from Dell and it comes with a base configuration of a 64bit processor and a 2gig mem chip I doubt the cost of even the slow Java VM would make much of a difference to the avg user.

      C will probably never die, though; what else are we supposed to write those OSs and VMs with? :)

    2. Re:You know what would really help... by Anonymous Coward · · Score: 1, Interesting

      Try the SessionSaver extension.

      It stores the state of the browser when it's shut down, or when it crashes, including all open tabs, the position you were at on the page, and even the content of forms. I've had it nicely recover from my entire system locking up (dodgy video card drivers), and it certainly can manage Firefox itself crashing. Not that it's done that on my system in a very, very long time.

  3. Microsoft participation by mustafap · · Score: 4, Interesting

    It's nice to see Microsoft participating in the event. I was surprised; I didn't think they sat round tables with open source developers. Does this happen in other areas of development?

    --
    Open Source Drum Kit, LPLC dev board - mjhdesigns.com
  4. confusing color schemes by c_fel · · Score: 5, Interesting

    I see on the screenshots that IE7 is gonna use a yellow location bar to indicate a suspicious web site. Ironically, in Firefox, that same color indicates a secured site. I'm sure somebody will be fooled someday...

    --
    I hate all sigs, mine included.
  5. Free market self-regulation by dada21 · · Score: 3, Interesting

    I'm happy to see that we're looking at an important part of a free competitive market: voluntary cooperation for better competitive products.

    The security enhancements we'll see that come out of these (and future) discussions will help all users yet also increase competitiveness in other areas. We didn't need a Congress or government body to force regulations, they're occurring out of customer need.

    Note that government could create regulations but we all know that those regulations come too late and can never adapt to current and future ever-changing needs.

    I read a great article today about the historical growth of the Net because of the lack of regulations and taxes.

  6. Confusion by fishybell · · Score: 4, Interesting

    Maybe it's just me, but an even bigger problem arises out of color coding the address bar: Confusion.

    Many users have significant problems when anything changes in their computer experience; my father for example. I tried moving him over to Firefox so that he could stay away from spyware et al, but he couldn't make the move because he couldn't navigate the user interface anymore. This man is no dullard either. He taught me to program when I was 8, has a PhD in (if I remember correctly) biology, pharmacology, or physics, teaches microbiology, and is an associate dean at a world-class university. For all of his smarts, he has had problems with computers ever since he was weaned off of DOS and onto Windows 3.1. After many years of training he's finally to the point where he can work successfully in an environment as long as nothing ever changes.

    Skip ahead to Windows XP service pack 2. Automatic updates are now on. He's been trained to allow the updates to happen, but only after I get a phone call asking me if they're ok. Unfortunately, updating sometimes means that I have to spend an hour or so teaching him how to burn CDs, how to switch between home/work networks, how to play music, etc. at regular intervals. I rue Microsoft not for their lax security (well, not just for their lax security), but for their ever-present desire to "upgrade" their interfaces to make them "easier."

    At his work they upgrade computers relatively often. The day will come when he will have to call me each time he goes to a website with the "wrong" color.

    --
    ><));>
  7. Encryption is not the problem by Agelmar · · Score: 2, Interesting

    I've seen a number of posts about encryption being the problem. It's not. Yes, it is possible to crack some older algorithms with distributed botnets, yes, self-signed certificates pose a problem, but no, these are not the real problems. The real problems facing users (by this I mean the problems causing financial damage to consumers and companies) come from attacking the user and his/her environment, not attacking the encryption. When was the last time you saw someone brute-forcing the decryption of a session, with the purpose of obtaining the user's information? This makes great stuff for movies where we're trying to crack into an Evil Foreign Government or an ultra-sophisticated criminal, but in real life this is not the threat.

    The threat that browsers need to address is the fact that their *users* and their users' *environments* are being attacked. Phishing attacks don't target weak encryption protocols. Heck, most don't even bother setting up an SSL-enabled phishing site, because people don't look for encrypted sessions in general. Phishing attacks target the user by attempting to fool the person into believing that they are at the actual site. Ask yourself - would your mother know that chase-online-banking.com is not the real address for Chase's online system? (Phishing trends show that phishers are increasingly using name-based attacks, as opposed to an IP-based URL).

    As for attacking the environment, keyloggers and malware in general are exploding in popularity. Again, this is not a problem with the encryption protocols used for securing sessions, rather it's the user's environment being attacked. One must remember that browsers don't run in a vacuum - they have a user and an environment. Using 256-bit AES encryption is great, nifty, and cool, but if my mother's computer has a keylogger installed and I decide to do some e-banking while visiting for the holidays, well then I've got a problem.

    People need to re-evaluate security in the context in which these applications are run, and stop thinking that simply increasing keylength or swapping cipher algorithms will solve the problem. It won't. Our problem is that security isn't usable, it isn't intuitive, and until we make it so we will continue to have these problems.
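Agelmar's two phishing patterns, a name that borrows a brand ("chase-online-banking.com") and a raw IP address in the URL, are the kind of thing a browser or mail gateway can flag before the user ever sees the page. The check below is an added illustration, not code from the thread or from any browser's anti-phishing feature. It assumes a constructed table of protected brands and their legitimate domains, and it takes the registrable domain to be the last two labels of the host, which is wrong for suffixes such as co.uk; a real deployment would consult the Public Suffix List instead.

```python
"""Heuristic lookalike-domain check for phishing URLs.

Added illustration, not from the thread. Given brands worth protecting, flag
URLs whose host uses a brand name as a label without being that brand's own
domain, and URLs whose host is a bare IP address.
Assumption: the registrable domain is the last two labels of the host name.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed table: brand keyword -> the brand's legitimate registrable domains.
# "chase.com" is taken from the comment above; "examplebank.test" is made up.
PROTECTED = {
    "chase": {"chase.com"},
    "examplebank": {"examplebank.test"},
}


def registrable_domain(host: str) -> str:
    """Last two labels of the host (assumption; ignores multi-label public suffixes)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def is_ip_host(host: str) -> bool:
    """True for IPv4 or IPv6 literals, the 'IP-based URL' case."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def classify(url: str) -> tuple[str, str]:
    """Return (verdict, reason); verdict is 'ok', 'suspicious' or 'ip-host'."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    if not host:
        return ("suspicious", "URL has no host")
    if is_ip_host(host):
        return ("ip-host", "URL uses a raw IP address instead of a name")
    reg = registrable_domain(host)
    # Split on dots and hyphens so "chase-online-banking.com" yields the token
    # "chase", while "purchase.test" does not (substring matching would).
    tokens = set(host.replace("-", ".").split("."))
    for brand, legit in PROTECTED.items():
        if reg in legit:
            return ("ok", f"host is under the legitimate domain {reg}")
        if brand in tokens:
            return ("suspicious",
                    f"'{brand}' appears in {host} but the registrable domain is {reg}")
    return ("ok", "no protected brand referenced")


if __name__ == "__main__":
    # Constructed sample URLs; none are real phishing sites.
    for sample in ("https://www.chase.com/login",
                   "http://chase-online-banking.com/",
                   "http://secure.chase.com.evil.test/",
                   "http://192.0.2.1/login",
                   "https://purchase.test/"):
        print(sample, "->", classify(sample))
```

Matching on whole labels rather than substrings trades recall for precision: "chaseonline.com" would slip through, but "purchase.test" is not flagged. The third sample shows why the registrable domain matters: "secure.chase.com.evil.test" contains the real brand domain as a prefix, yet it is registered under "evil.test".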

  8. Phishing database really efficient? by Misagon · · Score: 2, Interesting

    I read a study recently that most phishing web sites don't live longer than a week...
    A database of unimportant entries is not going to do any good.
    I figure that Microsoft will have to keep a staff of around a dozen people day and night checking out each one of these flagged URLs as soon as the URLs come in, or otherwise it is not going to be very effective.

    --
    "We mustn't be caught by surprise by our own advancing technology" -- Aldous Huxley

    1. Re:Phishing database really efficient? by Agelmar · · Score: 2, Interesting

      You're actually a bit off in your timeline, in that 'average' is really a poor [misleading] statistic to use for this. The data is extremely bimodal. For phishing sites hosted by ISPs in the U.S. that are reported on a weekday other than Friday during business hours and/or name-based attacks (registering a domain that looks like a legitimate domain), the average turnaround is around 40 hours. For phishing sites first reported and/or launched on a Friday afternoon, and hosted in China, Singapore, or certain other countries, and/or name-based attacks with domains registered through small, sometimes less-than-responsive registrars, you can easily be talking five days or more.

      With that said, if you are proactive and/or are paying people to watch out for your corporate identity, you may be able to spot phishing attacks on the 30-minute timeframe. The difference in being able to respond in 30 minutes by calling MS and having them add a site to a blacklist is significant when compared to waiting 2-5 days. You are essentially reducing the survivability of sites with respect to a very large number of users by orders of magnitude.

      And yes, Microsoft will have a staff of people (they wouldn't tell me exactly how many) that are monitoring this blacklist. They also have a set of heuristics that they use, but I think the blacklist may be the most effective. Remember, for a company the size of Microsoft, hiring (as you estimate) about 12 people (who do not need to be extremely savvy, and can therefore be minimally paid) is not at all infeasible.