[Infowarrior] - Breaking Web Browsers' Trust

Richard Forno rforno at infowarrior.org
Fri May 22 14:49:15 UTC 2009


(Amusingly, a friend and I wrote about this very thing several years  
ago in a CACM article. --rick)

Thursday, May 21, 2009
Breaking Web Browsers' Trust
Researchers reveal a flaw with the way most Web browsers treat secure  
connections.
By Erica Naone

http://www.technologyreview.com/printer_friendly_article.aspx?id=22682&channel=web&section=

Making Internet communications secure means shutting off ways for an  
unauthorized person to access secret information. This is easier said  
than done.

In work presented this week at the IEEE Symposium on Security and  
Privacy, a team of researchers described a former flaw with almost all  
Web browsers that undermined the protocol used to secure online  
banking transactions and other sensitive transmissions. The problem  
arose when the victim was connected to the Internet via a proxy, such  
as a wireless access point at a hotel or cafe.

Although the researchers completed their work in July 2007, they kept  
the details secret to allow time to fix vulnerable browsers and test  
newer ones. The researchers say that they were able to successfully  
attack Internet Explorer 7 and 8, Firefox 2 and 3, Opera 9, and Chrome  
Beta and 1. The near-universal nature of the vulnerability suggests  
that better methods are needed to protect browser communications.

"It's very difficult to figure out the composition of all these end-to- 
end crypto protocols, which are at different layers of the network,"  
says Shuo Chen, a researcher at Microsoft who helped uncover the  
vulnerability.

The protocol used to secure browser messages is based on a simple  
idea, Chen says: it's meant to establish a secure link between the  
user's browser and a Web server and distrust any points in between.  
However, because the browser often needs to trust the broader network,  
weak spots can creep in, he says.

Chen's group uncovered a problem with the way Web browsers display  
information from Web pages when a secure communications link has been  
established. They found that most browsers will sometimes treat  
insecure data as if it's part of the secure protocol. This means that  
a Web proxy--a machine sitting in between the browser and a website-- 
can issue commands that the browser interprets as coming from a secure  
website, even if they are not. "In reality, it's very difficult to  
make sure that you are using a trusted network," he says.

For example, when a browser requests access to a secure website, the  
proxy could return a fake error message that the browser displays as  
genuine. The browser could then be tricked into sending secure  
messages to both the legitimate server and the malicious proxy.

Adam Barth, a researcher at the University of California, Berkeley,  
who studies browser security, says that the newly revealed flaw is  
significant because several browsers contained the same vulnerability.  
"That demonstrates that the issue is subtle," Barth says. "A lot of  
smart people missed it." He adds that since a browser is a complex  
system of interlocking parts, it could be useful to investigate tools  
that could help people analyze how data moves through those parts.  
Such tools might help catch similar errors in browser design.

Barth also says that Web standards would have mandated more secure  
behavior if experts had looked at the issue more carefully.

Though the specific problem that Chen's team found was fixed, Chen is  
still concerned about the methods used to build browsers. Normally, he  
says, the group of developers that figures out how a browser will  
display pages works separately from the group that implements a secure  
communications protocol. Chen thinks the Web community should think  
more carefully about the way different parts of the browser are put  
together. "It's difficult for the whole browser-development effort to  
have the whole picture," he says.

Copyright Technology Review 2009.

