
1 Browser Security Evaluation: IE6 vs. IE7 vs. Firefox 3.0
Gowri Kanugovi

2 Internet Explorer
- The security model is zone based: every website is assigned to a zone (Internet, Local intranet, Trusted sites, Restricted sites)
- The Trusted sites and Restricted sites zones act as a user-maintained whitelist and blacklist
- Security restrictions (scripting, ActiveX, downloads) are applied on a per-zone basis

3 Internet Explorer (cont.)
- IE6 is the most vulnerable browser to date, with about 172 vulnerabilities according to a 2009 report by Secunia
- The main reason these bugs do so much damage is that IE6 runs with the same privileges as the logged-in user
- Hence any malware it executes inherits that user's privileges. What if the user is an administrator?
- ActiveX content is one of the biggest security holes in IE
- Another reason could simply be the ubiquity of IE usage
- IE7, on the other hand, is more secure. On Windows Vista, Protected Mode runs it with lower privileges than the logged-in user
- ActiveX Opt-In blocks ActiveX controls from running until the user explicitly allows them
- The Phishing Filter helps protect against phishing attacks

4 Mozilla Firefox
- Firefox uses a sandbox security model for web content
- Scripts run by the browser are isolated from the system: they get only the predefined privileges the browser grants them (no file system access, no access to other sites' data), so a malicious page cannot reach the system directly
- Note that this is a script-level sandbox: a native executable that the user downloads and runs still gets the user's full privileges, just as with IE6
- Secunia has reported 46 bugs in Firefox as of 2009

5 Evaluation I: Phishing
- Phishing is the attempt to acquire sensitive information such as usernames, passwords and credit card details from users by posing as a legitimate entity in electronic communication
- The most common targets are banks and online services such as eBay and PayPal. It is a form of social engineering
- An example: you receive an e-mail saying your bank account has been suspended and must be reactivated by providing some personal details. It will usually say "Click here to activate"
- Close examination reveals that the link leads to a website that has nothing to do with the bank
- Browsers play a major role in protecting users against phishing attacks. We will see how each of them behaves
- To carry out the experiments, I obtained reported phishing sites from Phishtank.com. I took a PayPal phishing website

6 IE6: Phishing
- IE6 has no built-in protection against phishing and loads the phishing site without any warning
- The URL is jkvisa.com, which has nothing to do with PayPal

7 IE7: Phishing
- The Phishing Filter in IE7 recognizes two classes of websites: suspected phishing sites and known phishing sites
- When the same website is visited through IE7, the filter's result is shown in the screenshot
- It provides protection in three ways: a built-in heuristic filter, an online lookup service, and a reporting mechanism

8 Mozilla Firefox 3.0
- Firefox provides phishing protection by checking each website against a list of reported phishing sites. The list is stored in the browser and updated every 30 minutes
- This kind of automatic local-list update is what is absent in IE7
- Not only does it protect against phishing, it also provides malware protection, which has since been integrated into IE8
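A list-based check like the one just described, as an added example (Go code written for this transcript, not part of the presentation and not Firefox's own implementation): it keeps the reported hosts as SHA-256 digests together with the time the list was fetched, canonicalises the host of each URL before matching (a URL such as http://www.paypal.com@jkvisa.com/ connects to jkvisa.com, not to PayPal), walks up the parent domains so that a report for a domain also covers its subdomains, and flags a lookup made against a copy older than the 30-minute refresh interval. The reported host and the sample URLs are constructed for the example; storing digests instead of names is an assumption about how such a list might be kept, not a description of the real list format.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"net/url"
	"strings"
	"time"
)

const refreshInterval = 30 * time.Minute // the refresh period the slide quotes for Firefox

// Blocklist is the browser's local copy of reported phishing hosts. Hosts are kept as SHA-256
// digests rather than names, and the fetch time is kept so a lookup can tell when the copy is stale.
type Blocklist struct {
	digests   map[string]bool
	Refreshed time.Time
}

func digest(host string) string {
	sum := sha256.Sum256([]byte(host))
	return hex.EncodeToString(sum[:])
}

// NewBlocklist builds the list from reported hosts (a real browser would download these from a feed).
func NewBlocklist(reported []string, refreshed time.Time) *Blocklist {
	b := &Blocklist{digests: map[string]bool{}, Refreshed: refreshed}
	for _, h := range reported {
		b.digests[digest(strings.ToLower(h))] = true
	}
	return b
}

// canonicalHost extracts the host the browser will actually connect to: user-info such as
// "www.paypal.com@" is not the host, case does not matter, and a trailing dot is the same name.
// A scheme-less address is treated as http.
func canonicalHost(raw string) (string, bool) {
	raw = strings.TrimSpace(raw)
	if !strings.Contains(raw, "://") {
		raw = "http://" + raw
	}
	u, err := url.Parse(raw)
	if err != nil || u.Hostname() == "" {
		return "", false
	}
	return strings.ToLower(strings.TrimSuffix(u.Hostname(), ".")), true
}

// candidates returns the host and each parent domain with at least two labels, so that a report
// for "jkvisa.com" also covers "secure-login.jkvisa.com".
func candidates(host string) []string {
	labels := strings.Split(host, ".")
	var out []string
	for i := 0; i+2 <= len(labels); i++ {
		out = append(out, strings.Join(labels[i:], "."))
	}
	return out
}

// Verdict is what the browser acts on: block or not, which list entry matched, and whether the
// local list was older than the refresh interval when the check was made.
type Verdict struct {
	Blocked bool
	Match   string
	Stale   bool
}

// Lookup checks raw against the list as of time now.
func (b *Blocklist) Lookup(raw string, now time.Time) Verdict {
	v := Verdict{Stale: now.Sub(b.Refreshed) > refreshInterval}
	host, ok := canonicalHost(raw)
	if !ok {
		return v
	}
	for _, c := range candidates(host) {
		if b.digests[digest(c)] {
			v.Blocked, v.Match = true, c
			break
		}
	}
	return v
}

func main() {
	// Constructed sample: the reported host from the IE6 slide and three URLs to check against it.
	fetched := time.Date(2009, 4, 1, 12, 0, 0, 0, time.UTC)
	list := NewBlocklist([]string{"jkvisa.com"}, fetched)
	for _, u := range []string{
		"http://www.paypal.com@jkvisa.com/cgi-bin/webscr",
		"HTTP://Secure-Login.JKVISA.COM./",
		"https://www.paypal.com/",
	} {
		fmt.Printf("%-48s %+v\n", u, list.Lookup(u, fetched.Add(5*time.Minute)))
	}
}
```

The staleness flag is the point of the "updated every 30 min" bullet: a list that is not refreshed is only as good as the day it was downloaded, and a browser that cannot tell how old its copy is will keep reporting "safe" for sites reported since.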

9 Result: Evaluation 1
- IE6: no filter at all
- IE7: provides a phishing filter, though it is turned off by default
- Firefox: the best protection among the three browsers
- Results of a test conducted by Mozilla (http://www.mozilla.org/security/phishing-test.html), 1040 URLs in total:

    Instances   Firefox         IE7
    243         blocked         did not block
    117         did not block   blocked
    543         blocked         blocked
    66          did not block   did not block

  (The four rows account for 969 of the 1040 URLs; the slide does not say how the remaining 71 were classified.)

10 Evaluation 2: Man in the Middle
- The MitM scenario evaluated here relies on users accepting expired or otherwise invalid certificates
- When a user visits a website over a secure connection, the browser checks whether that website's certificate is valid
- If it is not, and the user still goes ahead and sends information to the website, he may be talking to an impersonator and all his data can be eavesdropped on
- Authenticity of the certificate rests on three main criteria: a valid date range, a name matching the host name of the website, and a signature chain ending in a CA you trust
- The list of trusted CAs is stored in the browser, but should the user trust the CAs trusted by the browser?
- Which CA gets into the browser's trust list? The one paying more? Is that a good enough reason for you to trust the CA?
- Moreover, looking at the list of CAs stored in Firefox reveals that one of the trusted CAs still uses a 512-bit RSA key. Also, the CA Baltimore, which is on the trust list, sold its PKI business in 2003
- So should the user trust the browser, or should he add his own trusted CAs to it?
- The answer, I would say, depends on how important speaking to the server is for the user
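The three criteria above, worked through as an added example (Go code written for this transcript, not part of the presentation): it builds a constructed trust list containing one CA, issues four server certificates for an assumed target site www.paypal.com, and classifies each the way a browser applying the date, name and trusted-signer checks would. The MitM case is the last one: a certificate for the right name, with valid dates, signed by a CA that is not in the browser's list, which is exactly what the "signer not trusted" warnings on the following slides are about. CA names, keys and the fixed clock are all constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Outcome is the browser's verdict: one failure per criterion on the slide, plus the pass case.
type Outcome string

const (
	Trusted      Outcome = "trusted"
	BadDate      Outcome = "expired or not yet valid"
	NameMismatch Outcome = "name does not match the site"
	UntrustedCA  Outcome = "signer not in the trust list"
	Other        Outcome = "other failure"
)

// Check applies the date, name and trusted-signer criteria to leaf, presented for host at time now.
func Check(leaf *x509.Certificate, trust *x509.CertPool, host string, now time.Time) Outcome {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: trust, DNSName: host, CurrentTime: now})
	var unknown, hostname, invalid = x509.UnknownAuthorityError{}, x509.HostnameError{}, x509.CertificateInvalidError{}
	switch {
	case err == nil:
		return Trusted
	case errors.As(err, &unknown):
		return UntrustedCA
	case errors.As(err, &hostname):
		return NameMismatch
	case errors.As(err, &invalid) && invalid.Reason == x509.Expired:
		return BadDate
	}
	return Other
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// certTemplate builds a CA or a server (leaf) template; leaf names go into the SAN list, which is what name matching uses.
func certTemplate(name string, serial int64, notBefore, notAfter time.Time, ca bool) *x509.Certificate {
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: name},
		NotBefore: notBefore, NotAfter: notAfter}
	if ca {
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
	} else {
		t.DNSNames = []string{name}
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// issue signs tmpl with signer's private key; a nil parent yields a self-signed root.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	if parent == nil {
		parent = tmpl
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))
	return must(x509.ParseCertificate(der))
}

// Evaluate builds a constructed trust list with one CA, issues four server certificates and returns each verdict.
func Evaluate() map[string]Outcome {
	now := time.Date(2009, 4, 1, 12, 0, 0, 0, time.UTC) // fixed clock so the results are repeatable
	host := "www.paypal.com"                             // assumed: the site the user means to reach
	hourAgo, inAnHour := now.Add(-time.Hour), now.Add(time.Hour)
	newKey := func() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }
	goodKey, rogueKey, siteKey := newKey(), newKey(), newKey()
	goodCA := issue(certTemplate("Constructed Trusted Root", 1, hourAgo, now.Add(24*time.Hour), true), nil, &goodKey.PublicKey, goodKey)
	rogueCA := issue(certTemplate("Constructed Attacker CA", 2, hourAgo, now.Add(24*time.Hour), true), nil, &rogueKey.PublicKey, rogueKey)
	trust := x509.NewCertPool()
	trust.AddCert(goodCA) // the browser's list holds goodCA only; rogueCA is never added
	valid := issue(certTemplate(host, 10, hourAgo, inAnHour, false), goodCA, &siteKey.PublicKey, goodKey)
	expired := issue(certTemplate(host, 11, now.Add(-48*time.Hour), now.Add(-24*time.Hour), false), goodCA, &siteKey.PublicKey, goodKey)
	wrongName := issue(certTemplate("jkvisa.com", 12, hourAgo, inAnHour, false), goodCA, &siteKey.PublicKey, goodKey)
	mitm := issue(certTemplate(host, 13, hourAgo, inAnHour, false), rogueCA, &siteKey.PublicKey, rogueKey) // right name, untrusted signer
	return map[string]Outcome{
		"valid":      Check(valid, trust, host, now),
		"expired":    Check(expired, trust, host, now),
		"wrong name": Check(wrongName, trust, host, now),
		"mitm":       Check(mitm, trust, host, now),
	}
}

func main() {
	for name, verdict := range Evaluate() {
		fmt.Printf("%-10s -> %s\n", name, verdict)
	}
}
```

Note that the MitM certificate passes the first two criteria: its dates are fine and its name is exactly the site the user typed. Only the trust list catches it, which is why the question of what is in that list, raised in the last bullets above, matters as much as the checks themselves.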

11 IE6: MitM
- When I try to establish a secure connection with a website whose certificate signer is not among the browser's trusted CAs, IE6 yielded a Yes/No security alert
- One could argue this is a fair amount of security, but what is the goal of a casual surfer? Simply to access the website
- On the internet most users will click "Yes" and continue

12 IE7: MitM
- When the same connection was established with IE7, the certificate error page was shown
- If the user ignores this warning and continues, the website loads, but the address bar is highlighted and still shows "Certificate Error"

13 Firefox: MitM
- Firefox, too, blocked the navigation and displayed an error message
- The message "The certificate is not trusted..." means that the signer is not among the trusted CAs, warning the user of possible impersonation
- As opposed to IE7, the user cannot simply continue to the website without first adding a security exception, which imports the certificate into the browser. Is this a better approach?

14 Result
- All of the browsers implement some protection against MitM, though IE6's is very weak
- The fact that Firefox blocks the navigation completely until the certificate is imported adds more security value
- Should users manually import the CAs they trust?
- That depends: does the user have the expertise? Is it feasible to do so? How important is security to him?

15 Evaluation 3: Password Stealing
- Browsers have the incredibly convenient ability to store passwords for users
- It is very helpful for the user, but how useful is it to an attacker? Very useful
- Users store passwords even for their financial institutions in the browser; the attacker just needs access to that file
- Freely available tools called "stealers" do exactly that. The attacker attaches the executable to some program, launches it on the victim's machine, and uploads all the stolen passwords to his own FTP server
- These stealers go undetected by most AVs

16 IE6: Password Stealing
- IE PassView is the tool used to retrieve passwords from IE
- When launched, it returns all the stored passwords, as shown on the slide
- This is a very dangerous weakness and could be exploited very easily
- Just by bundling the exe with any program downloaded off the internet (mostly via BitTorrent), the attacker can get access to all the passwords in the user's browser

17 IE7: Password Stealing
- When the same program was run against IE7, it yielded the same results!
- IE7 is a newer, more secure browser, so it surprises me that no protection is taken against such a simple attack
- The reason is structural: IE protects stored passwords only with keys tied to the Windows login, so any program running as the logged-in user, which is exactly what a stealer is, can decrypt them

18 Firefox: Password Stealing
- Firefox has the concept of a "Master Password". When set, the stored passwords are encrypted with a key derived from the master password
- Thus when a program like the stealer tries to read passwords from the browser, it first needs the master password to be entered, which ruins the attacker's goal
- However, when no master password is set, Firefox is as vulnerable as IE, with the result shown on the slide

19 Result: Password Stealing
- IE has no protection against stealers and gives out the passwords to the attacker
- Firefox adds some security with the "Master Password", but it relies on the user setting one
- Without a master password, Firefox is as vulnerable as IE

20 Conclusion
- Browsers are the window to the web
- Securing the browser is highly important, since it has access to some of your most sensitive data
- When choosing the browser you use, consider security as one of the main aspects
