Presentation is loading. Please wait.

Presentation is loading. Please wait.

Browser Security Modes Alex Crowell and James Kasten.

Published byWarren Laramore Modified over 10 years ago

Similar presentations

Presentation on theme: "Browser Security Modes Alex Crowell and James Kasten."— Presentation transcript:

1 Browser Security Modes Alex Crowell and James Kasten

2 Background Browsers are multipurpose applications Used to play games, shop, bank, and just surf Security is general Doesnt consider users intentions Or what theyre doing (Pretend this is an Ethernet cable)

3 Related Work Crying Wolf paper showed browser certificate warnings offer inadequate context Only power users know how to interpret Tools like ForceHTTPS give these users extra security Redirects Non-HTTPS connections to HTTPS Terminates TLS sessions when errors encountered Fails attempts to embed non-HTTPS content

4 Goal Why cant we mold the browsers security policy to the users activity? ?

5 Browser Security Modes Divide the users browsing into distinct activities based on their required security Banking E-commerce Other services using private/personal data Aim Maximize security by mode Be as usable as possible Avoid leaving questions to the user Make it easy to understand No server support required

6 Policies Plugins & Other Extensions For banking, block most plugins with few exceptions Acrobat used often for viewing bank statements E-commerce is more lenient Flash and others are difficult to block Encryption Many bank sites dont use the best encryption they support Require minimum level of encryption for banking mode

7 Policies Mixed Content For banking, prevent all mixed content For e-commerce, block but allow user to override Certificates Not all banks use EV certs TCF Bank, Chase Bank, Wells Fargo, Suntrust... Enforce strict certificate error handling

8 Future Work Certificates Ideally want to authoritatively associate certificates with sites System allows multiple CAs to issue certificates for the same site DV certificates known to be compromised EV certs provide better authentication, but not widely used A practical solution: User-based or distributed service that could report observed certs for sites over time (Perspectives by Wendlant) Most MITM attacks are both local and short lived Not a perfect system but easy to deploy

9 Future Work (cont.) Extend to other modes of security Conduct rigorous usability studies Confirm usability and search for problems Evaluate whether some restrictions in security modes are too strong

10 Implementation Firefox extension Implements Banking and E-commerce modes QUICK DEMO

Download ppt "Browser Security Modes Alex Crowell and James Kasten."

Similar presentations

Smart Certificates: Extending X.509 for Secure Attribute Service on the Web October 1999 Joon S. Park, Ph.D. Center for Computer High Assurance Systems.

Smart Certificates: Extending X.509 for Secure Attribute Service on the Web October 1999 Joon S. Park, Ph.D. Center for Computer High Assurance Systems.
SPATor: Improving Tor Bridges with Single Packet Authorization Paper Presentation by Carlos Salazar.

SPATor: Improving Tor Bridges with Single Packet Authorization Paper Presentation by Carlos Salazar.
Transfer Content to a Website What is FTP? File Transfer Protocol FTP is a protocol – a set of rules Designed to allow files to be transferred across.

Transfer Content to a Website What is FTP? File Transfer Protocol FTP is a protocol – a set of rules Designed to allow files to be transferred across.
Why Eve & Mallory Love Android

Why Eve & Mallory Love Android
ForceHTTPS: Protecting High-Security Web Sites from Network Attacks Collin Jackson and Adam Barth.

ForceHTTPS: Protecting High-Security Web Sites from Network Attacks Collin Jackson and Adam Barth.
HTTPS and the Lock Icon Dan Boneh. Goals for this lecture Brief overview of HTTPS: How the SSL/TLS protocol works (very briefly) How to use HTTPS Integrating.

HTTPS and the Lock Icon Dan Boneh. Goals for this lecture Brief overview of HTTPS: How the SSL/TLS protocol works (very briefly) How to use HTTPS Integrating.
Authenticating Users. Objectives Explain why authentication is a critical aspect of network security Explain why firewalls authenticate and how they identify.

Authenticating Users. Objectives Explain why authentication is a critical aspect of network security Explain why firewalls authenticate and how they identify.
Security by Design A Prequel for COMPSCI 702. Perspective “Any fool can know. The point is to understand.” - Albert Einstein “Sometimes it's not enough.

Security by Design A Prequel for COMPSCI 702. Perspective “Any fool can know. The point is to understand.” - Albert Einstein “Sometimes it's not enough.
CS470, A.SelcukSSL/TLS & SET1 CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.

CS470, A.SelcukSSL/TLS & SET1 CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
SSLstrip Stepan Shykerynets 23.03.2013.

SSLstrip Stepan Shykerynets
Secure Lync mobile Authentication

Secure Lync mobile Authentication
OPSEC Awareness Briefing Man-In-The-Middle Attacks (MITM)

OPSEC Awareness Briefing Man-In-The-Middle Attacks (MITM)
1 Bringing P2P to the Web: Security and Privacy in the Firecoral Network Jeff Terrace Harold Laidlaw Hao Eric Liu Sean Stern Michael Freedman.

1 Bringing P2P to the Web: Security and Privacy in the Firecoral Network Jeff Terrace Harold Laidlaw Hao Eric Liu Sean Stern Michael Freedman.
Electronic Transaction Security (E-Commerce)

Electronic Transaction Security (E-Commerce)
K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.

K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.
Electrical Engineering Department Software Systems Lab TECHNION - ISRAEL INSTITUTE OF TECHNOLOGY Persistent chat room Authors: Hazanovitch Evgeny Hazanovitch.

Electrical Engineering Department Software Systems Lab TECHNION - ISRAEL INSTITUTE OF TECHNOLOGY Persistent chat room Authors: Hazanovitch Evgeny Hazanovitch.
The Inconvenient Truth about Web Certificates Jean-Pierre Hubaux Joint work with N. Vratonjic, J. Freudiger and V. Bindschaedler Work presented at WEIS.

The Inconvenient Truth about Web Certificates Jean-Pierre Hubaux Joint work with N. Vratonjic, J. Freudiger and V. Bindschaedler Work presented at WEIS.
James Tam Web Browsers In this section of notes you will learn about the web browsing process, some of the important features of popular browsers and a.

James Tam Web Browsers In this section of notes you will learn about the web browsing process, some of the important features of popular browsers and a.
ISA 3200 NETWORK SECURITY Chapter 10: Authenticating Users.

ISA 3200 NETWORK SECURITY Chapter 10: Authenticating Users.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 10 Authenticating Users By Whitman, Mattord, & Austin© 2008 Course Technology.

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 10 Authenticating Users By Whitman, Mattord, & Austin© 2008 Course Technology.

Similar presentations

Ads by Google