1Web Browser SecurityJohn MitchellCS 155 April 19, 2005Course Schedule Projects• Project 1: Assigned April 7, Due April 21 • Project 2: Assign April 21, Due May 5 • Project 3: Assign May 12, Due June 2 No Late Days Homework• HW 1: Assigned April 14, Due April 28 • HW 2: Assign April 28, Due May 12 • HW 3: Assign May 19, Due June 2 No Late DaysAll assign/due dates are Thursdays (see calendar on web)June 2 is “automatic one-week extension from May 26”Browser and NetworkBrowserNetwork Browser sends requests• May reveal private information (in forms, cookies) Browser receives information, code• May corrupt state by running unsafe code Interaction susceptible to network attacks• Consider network security later in the courseOSHardwareWeb siterequestreplyMicrosoft Issues New IE Browser Security PatchBy Richard Karpinski• Microsoft has released a security patch that closes some major holes in its Internet Explorer browser • The so-called "cumulative patch" fixes six different IE problems ...• Affected browsers include Internet Explorer 5.01, 5.5 and 6.0. • Microsoft rated the potential security breaches as "critical." Tuesday, February 12, 2002Feb 2002 patch addresses: • A buffer overrun associated with an HTML directive ... Hackers could use this breach to run malicious code on a user's system. • A scripting vulnerability that would let an attacker read files on a user's systems. • A vulnerability related to the display of file names ... Hackers could … misrepresent the name of a file ... and trick a user into downloading an unsafe file. • A vulnerability that would allow a Web page to improperly invoke an application installed on a user's system to open a file on a Web site. • …more …MS announced 20 vulnerabilities on April 13, 2004 !!!And then again this year, …Windows Security Updates Summary for April 2005Published: April 12, 2005A security issue has been identified that could allow an attacker to compromise a computer running Internet Explorer and gain control over it. You can help protect your computer by installing this update from Microsoft. After you install this item, you may have to restart your computer.2Browser Security Checkhttp://www.verisign.com/advisor/check.htmlWhat kind of security are they checking?More informative test sitehttp://browsercheck.qualys.com/• Cookie Disclosure• Clipboard Reading• Program Execution • File Execution • Web Page Spoofing • Security Zone Spoofing • Hard Drive AccessBrowser security topics HTTP review Controlling outgoing information• Cookies– Cookie mechanism, JunkBuster• Routing privacy– Anonymizer, Crowds• Privacy policy – P3P Risks from incoming executable code• JavaScript• ActiveX• Plug-ins• JavaHyperText Transfer ProtocolUsed to request and return data • Methods: GET, POST, HEAD, …Stateless request/response protocol• Each request is independent of previous requests• Statelessness has a significant impact on design and implementation of applications Evolution• HTTP 1.0: simple • HTTP 1.1: more complexHTTPGET /default.asp HTTP/1.0Accept: image/gif, image/x-bitmap, image/jpeg, */*Accept-Language: enUser-Agent: Mozilla/1.22 (compatible; MSIE 2.0; Windows 95)Connection: Keep-AliveIf-Modified-Since: Sunday, 17-Apr-96 04:32:58 GMTHTTP RequestMethod File HTTP version HeadersData – none for GETBlank lineHTTP/1.0 200 OKDate: Sun, 21 Apr 1996 02:20:42 GMTServer: Microsoft-Internet-Information-Server/5.0 Connection: keep-aliveContent-Type: text/htmlLast-Modified: Thu, 18 Apr 1996 17:39:05 GMTContent-Length: 2543<HTML> Some data... blah, blah, blah </HTML>HTTP ResponseHTTP version Status code Reason phraseHeadersData3HTTP Server Status CodesDescriptionCodeInternal Server Error500Not Found404Forbidden – not authorized403Unauthorized401Bad Request – not understood400Moved Temporarily302Moved Permanently301Created201OK200 Return code 401• Used to indicate HTTP authorization• HTTP authorization has serious problems!!!Primitive Browser Sessionwww.e_buy.comwww.e_buy.com/shopping.cfm?pID=269View Catalogwww.e_buy.com/shopping.cfm?pID=269&item1=102030405www.e_buy.com/checkout.cfm?pID=269&item1=102030405Check outSelect ItemStore session information in URL; Easily read on networkStore info across sessions?Cookies• A cookie is a file created by an Internet site to store information on your computerBrowserServerEnters form dataStores cookieBrowserServerRequests cookieReturns dataHttp is stateless protocol; cookies add stateBrowser Cookie ManagementCookie Ownership• Once a cookie is saved on your computer, only the Web site that created the cookie can read it.Variations• Temporary cookies– Stored until you quit your browser• Persistent cookies– Remain until deleted or expire• Third-party cookies– Originates on or sent to another Web siteThird-Party CookiesYahoo! Privacy Center• Yahoo! sends most of the advertisements you see • However, we also allow … third-party ad servers …to serve advertisements • Because your web browser must request these …from the ad network web site, these companies can send their own cookies to your cookie file ... • Opting Out of Third-Party Ad Servers– “If you want to prevent a third-party ad server from sending and reading cookies on your computer, currently you must visit each ad network's web site individually and opt out (if they offer this capability).”Example: Mortgage Center<html><title>Mortgage Center</title><body>… http://www.loanweb.com/ad.asp?RLID=0b70at1ep0k9What’s this?4Cookie issues• Cookies maintain record of your browsing habits– Cookie stores information as set of name/value pairs– May include any information a web site knows about you– Sites track your activity from multiple visits to site• Sites can share this information (e.g., DoubleClick)– Sites using DoubleClick place small graphic that causes user to request page from DoubleClick(see previous slide)– DoubleClick uses cookies to identify you on various sitesSite can generate user ID from its own cookie and pass to DoubleClick or other site in the URL• Browser attacks could invade your “privacy”08 Nov 2001Users of Microsoft's browser and e-mail programs could be vulnerable to having their browser cookies stolen or modified due to a new security bug in Internet Explorer (IE), the company warned today.Managing cookie policy via
View Full Document
Unlocking...