Browser Security Evaluation IE6 vs. IE7 vs. Firefox 3.0 Gowri Kanugovi.

Internet Explorer
- The security model is zone based
- Websites are grouped into a whitelist or a blacklist
- Security restrictions are applied on a per-zone basis

Internet Explorer (cont.)
- IE6 is the most vulnerable browser to date, with about 172 vulnerabilities according to a 2009 Secunia report
- The main reason is that it runs at the same privilege level as the logged-in user
- Hence any malware executed will have that user's privileges. What if the user is the admin?
- ActiveX content is one of the biggest security holes in IE
- Another reason could simply be the ubiquity of IE usage
- IE7, on the other hand, is more secure. When used on Vista, the Privileged Mode runs it with lower privileges than the logged-in user
- ActiveX opt-in can block ActiveX content from running
- The Phishing Filter helps protect against phishing attacks

Mozilla Firefox
- Firefox uses a sandbox security model
- Scripts and any executables (or malware) are isolated from the system in case of an attack
- This way the browser environment is restricted to predefined privileges
- Secunia has reported 46 bugs in Firefox as of 2009

Evaluation 1: Phishing
- Phishing is the attempt to acquire sensitive information such as usernames, passwords and credit card details from users by posing as a legitimate entity in electronic communication.
- The most common targets are banks and online services like eBay and PayPal. It is a form of social engineering.
- Example: you may receive an email saying your bank account is suspended and needs to be reactivated by providing some personal details. It will usually say "Click here to activate"
- Close examination will reveal that the URL redirects to a website which may have nothing to do with the original website!
- Browsers play a major role in protecting users against phishing attacks. We will see how each of them behaves
- To carry out the experiments, I obtained reported phishing sites from PhishTank.com. I took a phished PayPal website

IE6: Phishing
- IE6 has no built-in protection against phishing, and redirects the user to the phished website without any warning.
- The URL is jkvisa.com, which has nothing to do with PayPal

IE7: Phishing
- The Phishing Filter in IE7 recognizes two types of websites: suspected phishing sites and known phishing sites
- When the same website is visited through IE7, the result is as shown below
- It basically provides protection in three ways: a built-in filter, an online service and a reporting mechanism

Mozilla Firefox 3.0
- Firefox provides phishing protection by checking the website against a list of reported phishing sites. This list is stored in the browser and is updated every 30 minutes
- This kind of update is what is absent in IE7
- Not only does it protect against phishing, it also provides malware protection, which is now integrated into IE8

Result: Evaluation 1
- IE6: no filter at all
- IE7 provides a phishing filter, though its default setting in the browser is "off"
- Firefox has the best protection among the three browsers
- Results of a test conducted by Mozilla (1040 URLs total):

  Instances   Firefox         IE7
  243         blocked         did not block
  117         did not block   blocked
  543         blocked         blocked
  66          did not block   did not block

Evaluation 2: Man in the Middle
- A MitM attack exploits users accepting old or wrong certificates
- When a user visits a website over a secure connection, the web browser checks whether the certificate of that website is valid
- If it isn't and the user still goes ahead and accesses the website or sends information to it, then he is a victim of MitM and all his data could be eavesdropped
- Authenticity of the certificate has three main criteria: a valid date, a valid name matching the name of the website, and a CA whom you trust
- The list of trusted CAs is stored in the browser, but should the user trust the CAs trusted by the browser?
- Which CA gets into the browser's trust list? The one paying more? Is that a good enough reason for you to trust the CA?
- Moreover, looking at the list of CAs stored in Firefox reveals that one of the trusted CAs still uses a 512-bit RSA key! Also, the CA Baltimore, which is on the trust list, sold its PKI business in 2003
- So should the user trust the browser? Or should he add his own trusted CAs into the browser?
- The answer, I would say, depends on how important speaking to the server is for the user.
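The three certificate criteria above, as an added Go example that is not part of the original presentation: it constructs a throwaway root CA and three server certificates (all names, such as bank.example and trusted-root.example, are invented) and runs each through Go's standard crypto/x509 chain verifier, which performs the same date, hostname and trusted-issuer checks a browser makes before accepting a TLS connection.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue creates a certificate for host, valid for ttl from now, signed by parent (self-signed when parent is nil); all material is constructed for this demo.
func issue(host string, isCA bool, ttl time.Duration, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	_, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		IsCA: isCA, BasicConstraintsValid: true, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(ttl)}
	if parent == nil {
		parent, pkey = t, key // self-signed: the certificate vouches for itself
	}
	der, _ := x509.CreateCertificate(rand.Reader, t, parent, key.Public(), pkey) // constructed inputs; a failure would surface as a nil cert below
	c, _ := x509.ParseCertificate(der)
	return c, key
}
// check applies the slide's three criteria as a browser would: validity period, hostname against the SAN, and a chain ending in a trusted root.
func check(leaf *x509.Certificate, host string, roots *x509.CertPool) error {
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	return err
}
// evaluate builds a one-root trust store and server certificates covering each failure mode the slide names.
func evaluate() map[string]error {
	trustedCA, caKey := issue("trusted-root.example", true, 48*time.Hour, nil, nil)
	roots := x509.NewCertPool()
	roots.AddCert(trustedCA) // the browser's trust list, reduced to a single constructed root
	good, _ := issue("bank.example", false, 24*time.Hour, trustedCA, caKey)
	expired, _ := issue("bank.example", false, -time.Minute, trustedCA, caKey) // NotAfter already in the past
	selfSigned, _ := issue("bank.example", false, 24*time.Hour, nil, nil)      // signer not in the trust list
	return map[string]error{
		"valid cert, correct host":   check(good, "bank.example", roots),
		"expired cert":               check(expired, "bank.example", roots),
		"cert issued for other host": check(good, "login.bank.example", roots),
		"self-signed, untrusted CA":  check(selfSigned, "bank.example", roots),
	}
}

func main() {
	for name, err := range evaluate() { // nil means the browser would accept the connection silently
		fmt.Printf("%-28s -> %v\n", name, err)
	}
}
```

Only the first case returns nil; the other three are exactly the situations in which IE6, IE7 and Firefox differ in how hard they make it for the user to continue.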

IE6: MitM
- When I tried to establish a secure connection with a website whose signer is not among the trusted CAs in the browser, IE6 yielded the dialog below
- One would argue this is a fair amount of security, but what is the goal of a casual surfer? Just to access the website.
- On the internet most users will say "Yes" and continue.

IE7: MitM
- When the same connection was established with IE7, the bad certificate error was shown
- If the user ignores this warning, he is redirected to the website, but the status bar still says "Error Certificate"

Firefox: MitM
- Firefox too blocked the navigation and displayed the error message
- The message "The certificate is not trusted…" implies that the signer is not among the trusted CAs, warning the user of possible impersonation
- As opposed to IE7, the user cannot simply continue to the website without first importing the certificate into the browser. Is this a better approach?

Result
- All of the browsers implement some protection against MitM, though IE6 is very inefficient
- The fact that Firefox blocks navigation completely until the certificate is imported adds more security value
- Should users manually import the CAs they trust?
- The answer would be: does the user have the expertise? Is it feasible to do so? How important is security for him?

Evaluation 3: Password Stealing
- Browsers have this incredible ability to store passwords for users
- It sure is very helpful for the user, but how useful is it to the attacker? Very useful
- Users store passwords even for their financial institutions in browsers; the attacker just needs access to this file
- Freely available tools called "stealers" achieve exactly that. The attacker attaches the executable to some program, launches it, and transfers all the stolen passwords to his own FTP server
- These stealers go undetected by most AVs

IE6: Password Stealing
- IE PassView is the tool used to retrieve passwords from IE
- When launched, it returns all the stored passwords as shown below
- This is a very dangerous vulnerability and could be exploited very easily
- Just by attaching the exe to any program downloaded off the internet, mostly via BitTorrent, the attacker can get access to all the passwords in the user's browser

IE7: Password Stealing
- When the same program was run against IE7, it yielded the same results!
- IE7 is a newer, more secure browser, so it surprises me that no protection is taken against such a simple attack

Firefox: Password Stealing
- In Firefox there is the concept of a "Master Password", which when set encrypts the passwords stored by the browser, with the master password acting as the key
- Thus when a program like the stealer tries to extract passwords from the browser, the browser first asks for the master secret to be entered, ruining the attacker's goal
- However, when it is not set, Firefox is as vulnerable as IE, resulting in the following

Result: Password Stealing
- IE has no protection against stealers and gives out the passwords to the attacker
- Firefox has incorporated some security with the help of a "Master Password", but it relies on the user setting it
- Without a master secret, Firefox is as vulnerable as IE

Conclusion
- Browsers are the window to the web
- Securing the browser is highly important since it has access to some of your most sensitive data
- When choosing which browser to use, consider security as one of the main aspects