Browser Security Evaluation IE6 vs. IE7 vs. Firefox 3.0 Gowri Kanugovi <gk2263>


Internet Explorer

- The security model is zone based.
- Websites are grouped into a whitelist or blacklist.
- Security restrictions are applied on a per-zone basis.

Internet Explorer (cont.)

- IE6 is the most vulnerable browser to date, with about 172 vulnerabilities as per a 2009 report by Secunia.
- The main reason for this is that it runs at the same level of privilege as the logged-in user. Hence, any malware executed will have that user's privileges. What if the user is the admin?
- ActiveX content is one of the biggest security holes in IE.
- Another reason could just be the ubiquity of IE usage.
- IE7, on the other hand, is more secure. When used on Vista, the Privileged Mode runs it with lower privileges than the logged-in user.
- ActiveX opt-in can block ActiveX content from being run.
- The phishing filter helps protect against phishing attacks.

Mozilla Firefox

- Firefox uses a sandbox security model.
- That is, scripts and any executables (or malware) will be isolated from the system in case of any attack.
- This way the browser environment is restricted to predefined privileges.
- Secunia has reported 46 bugs in Firefox as of 2009.

Evaluation 1: Phishing

- Phishing is the attempt to acquire sensitive information such as usernames, passwords and credit card information from users by posing as a legitimate entity in electronic communication.
- The most common targets are banks and online services like eBay and PayPal. It is a form of social engineering.
- An example: you may receive an email saying your bank account is suspended and needs to be reactivated by providing some personal details. It will usually say “Click here to activate”.
- Close examination will reveal that the URL redirects to a website which may have nothing to do with the original website!
- Browsers play a major role in protecting users against phishing attacks. We will see how each of them behaves.
- To carry out the experiments, I obtained reported phishing sites from Phishtank.com. I took a PayPal phished website.
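The "close examination" of a link described above can be automated. The following is an added example, not part of the original slides: it lists the links in an HTML message whose target host is outside the site the message claims to come from, or whose visible text names a different site than the target. The sample message is constructed, and the two-label `site()` heuristic is an assumption that ignores public-suffix rules.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

class LinkCollector(HTMLParser):
    """Collect (visible text, href) for every <a href=...> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def site(host):
    """Last two labels of a host name (assumption: no public-suffix handling)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def suspicious_links(html, claimed_site):
    """Return (target host, reasons) for every link that looks deceptive."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for text, href in collector.links:
        host = urlsplit(href).hostname or ""
        reasons = ["off-site"] if site(host) != claimed_site else []
        shown = re.search(r"([a-z0-9-]+\.)+[a-z]{2,}", text.lower())
        if shown and site(shown.group(0)) != site(host):
            reasons.append("text-mismatch")  # link text names a different site
        if reasons:
            findings.append((host, reasons))
    return findings

# Constructed message body; jkvisa.com is the host named on this page,
# paypal.com.example.net is a made-up look-alike host.
SAMPLE = """<p>Your account is suspended and must be reactivated.</p>
<a href="http://jkvisa.com/">Click here to activate</a>
<a href="http://paypal.com.example.net/">www.paypal.com</a>
<a href="https://www.paypal.com/help">Help</a>"""

if __name__ == "__main__":
    for host, reasons in suspicious_links(SAMPLE, "paypal.com"):
        print(host, reasons)
```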

IE6: Phishing

- IE6 has no built-in protection against phishing, and redirects the user to the phished website without any warning.
- The URL is jkvisa.com! It has nothing to do with PayPal.

IE7: Phishing

- The phishing filter in IE7 recognizes two types of websites: suspected phishing sites and known phishing sites.
- When the same website is visited through IE7, the result is as below.
- It basically provides protection in three ways: a built-in filter, an online service and a reporting mechanism.

Mozilla Firefox 3.0

- Firefox provides phishing protection by checking the website against a list of reported phishing sites. This list is stored in the browser and is updated every 30 min.
- This kind of update is what is absent in IE7.
- Not only does it protect against phishing, it also provides malware protection, which is now integrated into IE8.

Result: Evaluation 1

- IE6: no filter at all.
- IE7 provides a phishing filter, though its default setting in the browser is “turn-off”.
- Firefox has the better protection among the three browsers.
- Results of a test conducted by Mozilla (http://www.mozilla.org/security/phishing-test.html):

1040 URLs total | Firefox       | IE7
243 instances   | blocked       | did not block
117 instances   | did not block | blocked
543 instances   | blocked       | blocked
66 instances    | did not block | did not block

Evaluation 2: Man in the Middle

- A MitM attack exploits the usage of old/wrong certificates by users.
- When a user visits a website through a secure connection, the web browser checks whether the certificate of that website is valid.
- If it isn’t and the user still goes ahead and accesses the website or sends information to it, then he is a victim of MitM and all his data could be eavesdropped.
- The authenticity of the certificate has three main criteria: a valid date, a valid name matching the name of the website, and a CA whom you trust.
- The list of trusted CAs is stored in the browser, but should the user trust the CAs trusted by the browser?
- Which CA gets into the browser’s trust list? The one paying more; is that a good enough reason for you to trust the CA?
- Moreover, looking back at the list of CAs stored in Firefox reveals that one of the trusted CAs still uses a 512-bit RSA key! Also, the CA Baltimore, which is on the trust list, sold its PKI business in 2003.
- So should the user trust the browser? Or should he add his own trusted CAs to the browser?
- The answer, I would say, depends on how important speaking to the server is for the user.
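The three criteria above (date, name, trusted CA) fail independently of one another, which is why browsers report them as separate errors. The following is an added example, not part of the original slides: it applies the three checks to certificates in the dict form returned by Python's `ssl.SSLSocket.getpeercert()`. The certificates, the trust list and the fixed clock are constructed, and the issuer-name lookup is a stand-in for real signature-chain verification.

```python
import ssl

# Constructed trust list standing in for the browser's CA store (assumption).
TRUSTED_ISSUERS = {"Example Trust Services"}

def attr(rdns, key):
    """Pull one attribute out of getpeercert()'s nested name tuples."""
    return next((v for rdn in rdns for k, v in rdn if k == key), None)

def name_matches(pattern, host):
    """Exact match, or one left-most wildcard label such as *.example.com."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def failed_criteria(cert, host, now):
    """Return which of the three criteria fail; an empty list means accept."""
    failures = []
    start, end = (ssl.cert_time_to_seconds(cert[k]) for k in ("notBefore", "notAfter"))
    if not start <= now <= end:
        failures.append("date")
    dns_names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not any(name_matches(n, host) for n in dns_names):
        failures.append("name")
    # Simplification: a real client verifies the signature chain up to a
    # trusted root; matching the issuer's name only models that outcome.
    if attr(cert["issuer"], "organizationName") not in TRUSTED_ISSUERS:
        failures.append("issuer")
    return failures

def make_cert(names, issuer_org, not_after="Jan  1 00:00:00 2010 GMT"):
    """Build a constructed certificate in getpeercert() dict form."""
    return {"issuer": ((("organizationName", issuer_org),),),
            "notBefore": "Jan  1 00:00:00 2008 GMT", "notAfter": not_after,
            "subjectAltName": tuple(("DNS", n) for n in names)}

NOW = ssl.cert_time_to_seconds("Jun  1 00:00:00 2009 GMT")  # fixed clock for the demo
GOOD = make_cert(["www.example.com"], "Example Trust Services")
UNKNOWN_SIGNER = make_cert(["www.example.com"], "Unlisted CA")
EXPIRED_WRONG_HOST = make_cert(["*.example.net"], "Example Trust Services", "Jan  1 00:00:00 2009 GMT")

if __name__ == "__main__":
    for label, cert in [("good", GOOD), ("unknown signer", UNKNOWN_SIGNER),
                        ("expired, wrong host", EXPIRED_WRONG_HOST)]:
        print(label, "->", failed_criteria(cert, "www.example.com", NOW) or "accept")
```

The `UNKNOWN_SIGNER` case corresponds to the experiment in the slides that follow, where the site's signer is not among the browser's trusted CAs.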

IE6: MiTM

- When I try to establish a secure connection with a website whose signer is not among the trusted CAs on the browser, IE6 yielded
- One would argue this is a fair amount of security, but what is the goal of a casual surfer? To just access the website. On the internet, most of the users will say “Yes” and continue.

IE7: MiTM

- When the same connection was established with IE7, the bad certificate error was shown.
- If the user ignores this warning, he is redirected to the website, but the status bar would still say “Error Certificate”.

Firefox: MiTM

- Firefox too blocked the navigation and displayed the error message.
- The message “The Certificate is not trusted…” implies that the signer is not among the trusted CAs, warning the user of a possible impersonation.
- As opposed to IE7, the user cannot simply continue to the website without importing the certificate into the browser first. Is this a better approach?

Result

- All of the browsers implement some protection against MiTM; IE6 is very inefficient though.
- The fact that Firefox blocks the navigation completely until the certificate is imported adds more security value to it.
- Should the users manually import the CAs whom they trust?
- The answer would be: does the user have the expertise? Is it feasible to do so? How important is security for him?

Evaluation 3: Password Stealing

- Browsers have this incredible ability to store passwords for users.
- It sure is very helpful for the user, but how useful is it to the attacker? Very useful.
- Users store the passwords of even their financial institutions in browsers; the attacker just needs access to this file.
- Freely available tools called “stealers” achieve the same. The attacker attaches the executable to some program, launches it and transfers all the stolen passwords to his own FTP server.
- These stealers go undetected by most of the AVs.

IE6: Password Stealing

- The IE Pass View is the tool used to retrieve passwords from IE.
- When launched, it returns all the stored passwords like below.
- This is a very dangerous vulnerability and could be exploited very easily.
- Just by attaching the exe to any program downloaded off the internet, mostly bit-torrents, the attacker can get access to all the passwords on the user’s browser.

IE7: Password Stealing

- When the same program was run against IE7, it yielded the same results!
- IE7 is a newer, more secure browser, so it surprises me why no protection is taken against such a simple attack.

Firefox: Password Stealing

- In Firefox, there is the concept of a “Master Password”, which when set encrypts the passwords stored by the browser, with the master password acting as the key.
- Thus when a program like the stealer tries to steal passwords from the browser, the browser first asks for the master secret to be entered, thus ruining the goal of the attacker.
- However, when it is not set, Firefox is as vulnerable as IE, resulting in the following

Result: Password Stealing

- IE has no protection against the stealer and gives out the passwords to the attacker.
- Firefox has incorporated some security with the help of a “Master Password”, but it relies on the user setting it.
- Without a master secret, Firefox is as vulnerable as IE.

Conclusion

- Browsers are the window to the web.
- Securing the browser is highly important since it has access to some of your most sensitive data.
- When choosing the browser you wish to use, consider security as one of the main aspects.