Google is paying bug bounties. This is important; there’s a market in vulnerabilities that provides incentives for their being kept secret and exploitable; for Google to buy and patch them makes us all more secure.
The U.S. government should do the same.
Posted on May 1, 2013 at 1:58 PM
Interesting discussion on browser security from Communications of the ACM. Also, an article on browser and web privacy from the same issue.
Posted on March 7, 2013 at 6:45 AM
Last week, a story broke about how Nokia mounts man-in-the-middle attacks against secure browser sessions.
The Finnish phone giant has since admitted that it decrypts secure data that passes through HTTPS connections — including social networking accounts, online banking, email and other secure sessions — in order to compress the data and speed up the loading of Web pages.
The basic problem is that https sessions are opaque as they travel through the network. That’s the point — it’s more secure — but it also means that the network can’t do anything about them. They can’t be compressed, cached, or otherwise optimized. They can’t be rendered remotely. They can’t be inspected for security vulnerabilities. All the network can do is transmit the data back and forth.
But in our cloud-centric world, it makes more and more sense to process web data in the cloud. Nokia isn’t alone here. Opera’s mobile browser performs all sorts of optimizations on web pages before they are sent over the air to your smart phone. Amazon does the same thing with browsing on the Kindle. MobileScope, a really good smart-phone security application, performs the same sort of man-in-the-middle attack against https sessions to detect and prevent data leakage. I think Umbrella does as well. Nokia’s mistake was that they did it without telling anyone. With appropriate consent, it’s perfectly reasonable for most people and organizations to give both performance and security companies that ability to decrypt and re-encrypt https sessions — at least most of the time.
This is an area where security concerns are butting up against other issues. Nokia’s answer, which is basically “trust us, we’re not looking at your data,” is going to increasingly be the norm.
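An added check, not from the post above: a client that wants to know whether its HTTPS session is being decrypted and re-encrypted in the path can look at the leaf certificate it actually receives, which in that case is issued by the proxy's root rather than the site's public CA. The example uses a constructed `getpeercert()`-style dict and constructed DER bytes; in practice both come from `ssl.SSLSocket.getpeercert()` and `getpeercert(binary_form=True)`, and the pin and expected-issuer values are recorded out of band.

```python
import hashlib
from typing import Optional

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert()
# (nested tuples of RDNs); the names and date are made up for this example.
SAMPLE_PEER_CERT = {
    "subject": ((("commonName", "bank.example"),),),
    "issuer": (
        (("organizationName", "Example Public CA"),),
        (("commonName", "Example Public CA R3"),),
    ),
    "notAfter": "Jan 17 09:50:00 2014 GMT",
}

# Constructed stand-in for the DER bytes from getpeercert(binary_form=True).
SAMPLE_DER = b"constructed-der-bytes-for-bank.example"

# Pin recorded out of band when the site was last reached without a proxy.
PINNED_SHA256 = hashlib.sha256(SAMPLE_DER).hexdigest()

# Issuer common names the site is known to use; anything else is suspect.
EXPECTED_ISSUER_CNS = {"Example Public CA R3"}


def rdn_value(name: tuple, key: str) -> Optional[str]:
    """Pull one attribute (e.g. commonName) out of getpeercert()'s RDN tuples."""
    for rdn in name:
        for attr_type, attr_value in rdn:
            if attr_type == key:
                return attr_value
    return None


def interception_indicators(peer_cert: dict, der: bytes) -> list:
    """Return reasons to believe a decrypt-and-re-encrypt proxy is in the path.

    An empty list means the leaf matches the pin and comes from an expected CA.
    """
    reasons = []
    if hashlib.sha256(der).hexdigest() != PINNED_SHA256:
        reasons.append("leaf certificate fingerprint differs from pinned value")
    issuer_cn = rdn_value(peer_cert.get("issuer", ()), "commonName")
    if issuer_cn not in EXPECTED_ISSUER_CNS:
        reasons.append(f"unexpected issuer: {issuer_cn!r}")
    # A leaf that names itself as issuer is typical of a proxy-minted cert.
    subject_cn = rdn_value(peer_cert.get("subject", ()), "commonName")
    if issuer_cn is not None and issuer_cn == subject_cn:
        reasons.append("certificate is self-issued")
    return reasons
```

A non-empty result is a signal to investigate, not proof of interception: legitimate CA rotation also changes the fingerprint, which is why the issuer check is kept separate from the pin check.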
Posted on January 17, 2013 at 9:50 AM
Ghostery is a Firefox plug-in that tracks who is tracking your browsing habits in cyberspace. Here’s a TED talk by Gary Kovacs, the CEO of Mozilla Corp., on it.
I use AdBlock Plus, and dump my cookies whenever I close Firefox. Should I switch to Ghostery? What do other people do for web privacy?
Posted on June 6, 2012 at 9:36 AM
An analysis of extensions to the Chrome browser shows that 25% of them are insecure:
We reviewed 100 Chrome extensions and found that 27 of the 100 extensions leak all of their privileges to a web or WiFi attacker. Bugs in extensions put users at risk by leaking private information (like passwords and history) to web and WiFi attackers. Web sites may be evil or contain malicious content from users or advertisers. Attackers on public WiFi networks (like in coffee shops and airports) can change all HTTP content.
Posted on September 29, 2011 at 7:07 AM
It’s the Browser Exploit Against SSL/TLS Tool, or BEAST:
Using the known text blocks, BEAST can then use information collected to decrypt the target’s AES-encrypted requests, including encrypted cookies, and then hijack the no-longer secure connection. That decryption happens slowly, however; BEAST currently needs sessions of at least a half-hour to break cookies using keys over 1,000 characters long.
The attack, according to Duong, is capable of intercepting sessions with PayPal and other services that still use TLS 1.0, which would be most secure sites, since follow-on versions of TLS aren’t yet supported in most browsers or Web server implementations.
While Rizzo and Duong believe BEAST is the first attack against SSL 3.0 that decrypts HTTPS requests, the vulnerability that BEAST exploits is well-known; BT chief security technology officer Bruce Schneier and UC Berkeley’s David Wagner pointed out in a 1999 analysis of SSL 3.0 that “SSL will provide a lot of known plain-text to the eavesdropper, but there seems to be no better alternative.” And TLS’s vulnerability to man-in-the-middle attacks was made public in 2009. The IETF’s TLS Working Group published a fix for the problem, but the fix is unsupported by SSL.
EDITED TO ADD: Good analysis.
Posted on September 23, 2011 at 1:37 PM
A couple of weeks ago Wired reported the discovery of a new, undeletable, web cookie:
Researchers at U.C. Berkeley have discovered that some of the net’s most popular sites are using a tracking service that can’t be evaded — even when users block cookies, turn off storage in Flash, or use browsers’ “incognito” functions.
The Wired article was very short on specifics, so I waited until one of the researchers — Ashkan Soltani — wrote up more details. He finally did, in a quite technical essay:
Posted on August 15, 2011 at 4:48 AM
The German Federal Criminal Police (the “Bundeskriminalamt” or BKA for short) recently warned consumers about a new Windows malware strain that waits until the victim logs in to his bank account. The malware then presents the customer with a message stating that a credit has been made to his account by mistake, and that the account has been frozen until the errant payment is transferred back.
When the unwitting user views his account balance, the malware modifies the amounts displayed in his browser; it appears that he has recently received a large transfer into his account. The victim is told to immediately make a transfer to return the funds and unlock his account. The malicious software presents an already filled-in online transfer form with the account and routing numbers for a bank account the attacker controls.
Posted on August 8, 2011 at 12:47 PM