Tuesday, March 4, 2014

Beware – Your user agent could be a double agent!



Even though there were many interesting talks at the RSA 2014 conference in San Francisco, including a few discussing the recent NSA-RSA privacy drama, I chose to blog about a short talk by Mike Shema from Qualys centering around security and privacy on the web.

In his talk, Mike highlighted the difference between having a secure browser and secure date. Basically, every day we use web browsers (known as user agents since they interact on behalf of the user) to access the web. Many websites rely on the collection of users' data to generate their revenue and thus as users access websites, those websites interact with users' browsers behind the scene not always necessarily the way the users want.

Many vendors offer big money prizes to help them identify and mitigate security vulnerabilities in their browsers. Although there have been many recent initiatives towards making browsers more secure, including the advent of HTML5, we still have not reached what we consider default stands for privacy. Vendors have conflicting perspectives regarding not tracking users on the web. The implementation of the recently proposed “Do Not Track” HTTP header is one obvious example. Internet Explorer suggested that the default value of such a field should be set to enabled so that tracking is prevented by default unless the user decides to opt in. On the other hand, Google Chrome had a different point of view. Advertisers also thought such a feature would impact their business.

Constantly, different security features are added to browsers to make them more secure. As well as self updates, among other things, such features include: process separation and sand boxing. Informally, the former allows different tabs/web pages to be run as separate processes, whereas the latter limits access to user's resources on per-application basis. As an example, latest versions of Google Chrome embed Flash on its own.

There are many ways one can envision metrics used in evaluating browsers' and data security or assessing whether one browser is more secure than another or if a data set is more private than another. On the one hand, there are Malwares (short for malicious software) which attack browsers directly. On the other hand, we have attacks like resources framing, Clickjacking and Cross-Site Request Forgery (CSRF). CSRF (sometimes is also abbreviated as XSRF) allows an attacker to force the victim to send HTTP requests to another target website and therefore making use of any capabilities the victim has with the target website, e.g. exploiting an existing authenticated session that the victim has with the target website. Recently, Mozilla and Safari turned on TLS 1.1/TLS 1.2 and are using the recommended cipher suite by default to promote network encryption which is vital for data security.

Many web pages these days are built with multiple origins and their content comes from different sources. Advertising, in particular, is inherently cross-origin. It was not until about 10 years ago that the risks of mixing different contents from multiple origins in a web page came into the fore.
Even though the Same Origin Policy used by browsers ensures that a resource cannot read a response from another origin, it still does not provide proper isolation of cookies and resources across different origins and thus it does not rule out CSRFs. More precisely, the same origin policy does not stop a resource from one origin from making a request to another one from a different origin.

By ensuring that websites use SSL (Secure Socket Layer) as emphasized by the Electronic Frontier Foundation (EFF) in its “HTTPS Everywhere” initiative, many security vulnerabilities such as mixed content and information leakage can be prevented. However, there have been examples of many browsers (especially on mobile devices) which ran HTTPs but still was vulnerable because they were skipping important steps such as certificate validation.

In order to enhance users' data privacy, many potential solutions could be implemented. One important step is to impose penalties on servers which do not honour the Do Not Track requests made by the user. Another possible countermeasure is using data pollution where, for instance, users can swap their cookies such as Google PREF IDs or Double-Click cookies in order to achieve anonymity.

In summary, there a number of ways which could help preserve users' privacy on the web. Firstly, enabling “deny third party” cookies as a default as done by Safari. Secondly, using identity management and separating cookie jars in order to ensure that the interaction of a user with one website is independent from their interaction with another one.

No comments:

Post a Comment