A Browser-Based Distributed System for the Detection of HTTPS Stripping Attacks against Web Pages

Marco Prandini and Marco Ramilli
Università di Bologna, DEIS, Viale del Risorgimento 2, 40136 Bologna, Italy
{marco.prandini,marco.ramilli}@unibo.it

Abstract. HTTPS stripping attacks leverage a combination of weak configuration choices to trick users into providing sensitive data through hijacked connections. Here we present a browser extension that helps web users to detect this kind of integrity and authenticity breaches, by extracting relevant features from the browsed pages and comparing them to reference values coming from different sorts of trusted sources. The rationale behind the extension is discussed and its effectiveness is demonstrated with some quantitative results, gathered on the prototype that has been implemented for Mozilla Firefox.

Keywords: HTTPS stripping, Peer-to-peer, Browser plugin.
1 Introduction

Stealing sensitive data from users is one of the most common targets pursued by attackers on the Web. There are many ways to lure users into providing their data over the wrong connection, leading to the attacker's server instead of the legitimate one. Eventually, the widespread usage of HTTPS seemed like the ultimate weapon against this kind of hijacking. However, the very success of HTTPS backfired as many high-traffic websites staggered under the computational load associated with serving every page through an encrypted connection. This led some sites to adopt a trade-off solution, foreseeing the usage of HTTPS only for the connections involving the transmission of sensitive data. However, the lack of integrity protection for the page containing the link for the submission opens a crack that an attacker can leverage to compromise the whole transaction. This paper illustrates a method for solving this problem based on a browser extension. In the following, section 2 details the attack; section 3 outlines the design principles of the proposed countermeasure; section 4 describes the extension implementation as a Mozilla Firefox plugin; finally section 5 draws conclusions.
2 Analysis of the Attack

Let's assume the common scenario in which a user on a client host (CH) wants to establish a secure transaction with a Web server on a server host (SH). Given that CH and SH must exchange data on the network, a Man In The Middle (MITM) attack is possible if the attacker host (ATH), by means of skillful manipulation of network devices, becomes a gateway for the traffic stream. The attacker intercepts the traffic from the source and forwards it to the destination (and vice versa), preserving the illusion of CH and SH of being connected through an unaltered channel, but at the same time being able to modify messages and insert new ones. While this is not a completely trivial feat, there are sound reasons to worry about this possibility, if the attacker is on the same network of the victim but also if he is in a remote location, due to the insecure default configuration of many home access routers [5,2]. An attack to the professionally-managed infrastructure on the server side is less likely to succeed.

D. Gritzalis, S. Furnell, and M. Theoharidou (Eds.): SEC 2012, IFIP AICT 376, pp. 549–554, 2012. © IFIP International Federation for Information Processing 2012

[Figure 1 omitted] Fig. 1. Screenshot of the login box on the home page of a bank. Notice (a) that the page is served on HTTP, (b) the graphics suggesting a secure login process, and (c) the underlying HTML code, which sends data on HTTPS, that is, as long as a MITM attack does not modify it.

Any kind of MITM would fail if the very first page of the visited site is served on HTTPS (and the user checks it actually is!), because, with some exceptions [1], nobody can circumvent the cryptographic authentication and impersonate the real server. However, the initial page is usually the one responsible for a significant part of a website traffic, and often is the starting point for a navigation through sections of the site that do not need protection. Thus, to avoid paying the high price associated with serving the first page on HTTPS, many sites use plain HTTP. Then, if the page contains a form for the user to provide identification data, the submission of the form is protected by pointing it to a HTTPS link, reassuring the user about the security of the process by means of graphical cues or textual explanations (Fig. 1). However, the attacker is left free to become a MITM between CH and SH during the first, unprotected exchange of information. He can intercept the initial request/response between CH and SH, substituting HTTP for HTTPS in every link of the returned page before serving it to CH. When the browser on CH requests additional contents linked from the page, or submits a form, it actually makes a HTTP connection to ATH, where the attacker can read every byte in plain text. The attacker then relays every request to SH using the correct protocol specified in the original page, to be sure of complying with the configuration of SH, and sends the decrypted response back to the browser; possibly, a favicon representing a secure lock is also injected (or crafted into the page), giving a false perception of a secure connection to the client. The detailed implementation of this attack is described in [4].
3 The Proposed Countermeasure

All the browsers come with a default setting to alert users about to submit information over an insecure channel. This is a very effective countermeasure against the described attack. Unfortunately, web pages that submit user-provided, harmless information over an insecure channel are in the millions. Thus most users, after the first few false alarms, disable this check [7].

The proposed approach is to treat web pages like any other kind of potentially malicious content, subjecting them to the analysis of a security module very similar to anti-malware software, and comparing the content of the page against suitable information patterns to try and detect if a MITM has modified it. There are two key issues related to this approach, namely choosing a method to extract sensible page features and providing users with the reference features representing authentic pages.

The first issue arises because, nowadays, the vast majority of web pages are dynamically generated. They almost invariably include sections that change each time they are served. It is necessary to characterize a page by extracting only the invariant parts, but making sure that they represent all the contents whose integrity needs to be checked. The result should be a fingerprint of the page, a hash value that can be reliably computed each time the same page is visited and compared to a reference value computed over the authentic page. Then, the second issue comes into play. It is necessary to define how to provide the reference value to every user who is visiting a page in a trusted way. Regarding the second issue, we envisaged three possible scenarios.

Local Database. In principle, each user can build a local database containing the reference values for the pages of his interest. While this method has the undeniable advantage of placing the user in full control of the database, it exhibits a significant drawback: the user must be absolutely sure that he is safe from the MITM attack when he computes the reference value.

Trusted Online Repository. If the users are willing to place their trust upon a third party of some sort, for example a directory, such a system can act as the authoritative source for computing and distributing reference values. This approach suffers from the usual drawbacks associated with putting a central entity in charge of essential functions: the entity itself becomes a very valuable target for attackers, who would be highly rewarded by a successful compromise of its database or even a simpler DoS attack.

Peer Exchange. At any given time, a web page is viewed by a set of clients. The more popular the page, the more interesting target it makes for an attacker, and the larger the set. Under the assumption that mass compromise of clients is unlikely, it is possible to share the reference values between every client through a peer-to-peer network, and to choose the most frequent value associated with a given URL as the correct one.
4 Prototype

We implemented the described solution as a browser plugin which can warn the user of a possible attack. The extension's architecture provides an easy means of porting the code on many different platforms, simply changing the browser-specific interface to the core logic, written in Java. As of now, the Secure Extension (SecExt) plugin is available for Mozilla Firefox, chosen for being the most widespread open source browser, at http://code.google.com/p/secureext/downloads/list, and a usage demo can be viewed at http://www.youtube.com/user/SecExt. The plugin architecture is modeled around the three basic functions outlined in the general description: page characterization, page evaluation, and information sharing. The following paragraphs describe the detail of each phase.

4.1 Page Characterization

Web pages are usually composed of many different sections, including parts that are dynamically generated and thus differ each time the page is loaded. Trying to characterize a page by simply computing its hash with a message digest algorithm over its whole content would certainly fail to yield a sensible reference value. It would never be the same even if the page is authentic. The process we devised for proper characterization starts by observing that, for our purposes, the only important kind of content is the set of links possibly pointing to the submission target of the login form, of other forms collecting sensitive data from the user, or possibly opening such a form in a separate but closely related space (iframe, pop-up window, etc.). Every bit of the page which is not a URL is then discarded. The characterization procedure then removes the parameters (i.e. anything following a "?" character, if present, that could make the same page look different each time it is loaded) from each URL. Their removal does not affect the reliability of attack detection, since the attacker aims simply at changing "https" into "http". Actually, the URL cleaning could be pushed even further by removing everything but the protocol, host and port elements of the URL, to deal with sites that use "/" instead of "?" to have dynamic pages indexed by search engines, but we need further testing to decide whether the (rather small) increase in generality is worth the loss of captured information or not. Finally, the string originated by the concatenation of the cleaned URLs is given as the input of a message digest algorithm, whose compact and fixed-size output is well suited to summarize the page characteristics.

A page can include code from separate sources, for example by means of iframe commands. The process can handle this possibility very easily: SecExt considers each piece of HTML code that can be referenced by a URL as an independent "page". Let's suppose that a separate piece of code is included by the main page to handle user login. If the main page is served on HTTP, the attacker will target the link pointing to the included code, and the attack will be recognized as a modification to the main page. If the main page is secured by HTTPS, but the included code is vulnerable to the stripping attack instead, the latter will be independently characterized and a successful attack against it will be explicitly reported.

4.2 Page Evaluation

Each time the user loads a page in the browser, the SecExt plugin computes its hash value according to the illustrated algorithm, then looks for records regarding the page in the database (whose construction is detailed in the next section 4.3). The query can yield different outcomes.

– No records are found for the page's URL. No check can be made about the integrity status of the page. It is possible to envisage a plugin enhancement warning the user trying to submit data on HTTP from this kind of unverifiable pages. The evaluation of the consequences in terms of usability is under investigation.
– The hash of the current page matches the value most frequently associated with its URL in the database. SecExt deduces that most likely the browsed page has not been compromised through an HTTPS stripping attack.
– The hash of the current page does not match the value most frequently associated with its URL in the database. The current page then has a different content from the version most commonly seen in different times or places. The plugin alerts the user by visualizing a warning message on the screen. Before the user can interact with the browsed page he needs to confirm the warning message. Then it is up to the user browsing the page or not, possibly after in-depth verification of the underlying code.
4.3 Information Sharing

SecExt can build the database of hash values by composition of two different partial sources: a local database, containing only hashes computed by the local system, and a global database, which is itself a collation of the local databases shared by other users over a P2P network. The sum of these parts allows SecExt to leverage both local knowledge, possibly gathered in a controlled environment where the user can confidently assume to be safe from MITM attacks, and the same kind of knowledge gathered by users who run SecExt as well. In the latter case, we claim that a large enough user base will lead to the population of a global database containing a striking majority of hash values computed over pages which have not been tampered with.

The P2P network run in SecExt is based upon a Java implementation of the Chord protocol [6], chosen for this first prototype for its simplicity. The Chord daemon runs in a background process to keep the communication with peers active independently of the plugin activations. Chord exploits a distributed hash table to store key-value pairs by assigning keys to different computers (known as "nodes"); a node will store the values for all the keys for which it is responsible. Chord specifies how keys are assigned to nodes, and how a node can discover the value for a given key by first locating the node responsible for that key. In simpler terms, Chord lets the connected nodes collectively build a virtual shared folder. Every peer shares its local database as a file, placed in the virtual folder, named by a unique node identifier. The file can get actually copied on other peers when they come online and search for new resources. The virtual global database that is the collation of all the local databases is then materially represented by a highly available collection of files, and the load to access it is spread among the peers.
4.4 Experimental Validation

We tested the SecExt plugin effectiveness in a lab environment. The results, which cannot be detailed here for space constraints, showed satisfactory detection rates and a limited amount of false positives. An accurate judgment of our solution, however, must wait until some limitations regarding the security of the P2P exchange are solved and a real-world, wider testing campaign can be rolled out.

5 Conclusions and Future Work

We surveyed a large set of websites belonging mainly to financial institutions, which are particularly interesting for fraudsters looking for user credentials to steal, and found a significant fraction of them vulnerable to the HTTPS stripping attack. Since users cannot force webmasters to fix the problem where it should be fixed, we proposed a client-side, anti-malware-style approach to the detection of the attack. It leverages the distributed knowledge of a potentially large community of users to identify modified pages even if the user has never visited them before, exploiting peer-to-peer architectures to spread knowledge of the reference values representing unaltered pages without resorting to a trusted third party. We implemented the countermeasure as a plugin for Mozilla Firefox, and verified the practical feasibility and correctness of all its basic principles. The plugin was able to correctly characterize the pages used for testing, taking into account all the relevant data for evaluating its integrity but avoiding to include variable parts that could trigger false positives. Currently, we are working to achieve higher communications efficiency and better handling of updates through finer granularity, whereas for this first prototype we implemented the knowledge sharing as a distribution of the whole reference values database on the P2P network. We are also extending SecExt towards a more comprehensive architecture, to be able to easily "hook" different code-analysis modules into the core logic, timely adding new detection capabilities when new threats appear.
References

1. Dhamija, R., Tygar, J.D., Hearst, M.: Why phishing works. In: Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, CHI 2006, pp. 581–590. ACM, New York (2006)
2. Heffner, C.: How to hack millions of routers. In: Black Hat Conference 2010 (2010)
3. Nikiforakis, N., Younan, Y., Joosen, W.: HProxy: Client-Side Detection of SSL Stripping Attacks. In: Kreibich, C., Jahnke, M. (eds.) DIMVA 2010. LNCS, vol. 6201, pp. 200–218. Springer, Heidelberg (2010), doi:10.1007/978-3-642-14215-4_12
4. Prandini, M., Ramilli, M., Cerroni, W., Callegati, F.: Splitting the HTTPS stream to attack secure web connections. IEEE Security and Privacy 8, 80–84 (2010)
5. Stamm, S., Ramzan, Z., Jakobsson, M.: Drive-By Pharming. In: Qing, S., Imai, H., Wang, G. (eds.) ICICS 2007. LNCS, vol. 4861, pp. 495–506. Springer, Heidelberg (2007), doi:10.1007/978-3-540-77048-0_38
6. Stoica, I., Morris, R., Karger, D., Kaashoek, M.F., Balakrishnan, H.: Chord: A scalable peer-to-peer lookup service for internet applications. SIGCOMM Comput. Commun. Rev. 31, 149–160 (2001)
7. Sunshine, J., Egelman, S., Almuhimedi, H., Atri, N., Cranor, L.F.: Crying wolf: an empirical study of SSL warning effectiveness. In: Proceedings of the 18th Conference on USENIX Security Symposium, SSYM 2009, pp. 399–416. USENIX Association, Berkeley (2009)