W3C home > Mailing lists > Public > public-usable-authentication@w3.org > June 2006

Re[2]: Secure Chrome

From: Chris Drake <christopher@pobox.com>
Date: Tue, 13 Jun 2006 00:41:09 +1000
Message-ID: <1085319654.20060613004109@pobox.com>
To: public-usable-authentication@w3.org

Hi Amir,

Either you didn't look at googles demo, or you just got tricked by
that spoof web site?
http://guardpuppy.com/BrowserChromeIsDead.gif

There is no browser window or popup of any kind shown in the above
picture.  It's a <DIV>.  It could just as easily be an <IMG> with a
<form> overlaying it via CSS.

Here's another way to imagine it if you're still confused.

A) Visit PayPal.com
B) Re-Size your browser window to 50% of your desktop
C) Hit Alt-Printscreen
D) Open MS-Paint, paste in the screenshot, and save the image to a
   file - pp.gif
E) upload the picture to www.evilwebsite.com
F) in any page on that site, insert <img src="pp.gif">
G) add some CSS to float the image over whatever content
   evilwebsite.com already displays, and some <form> elements to float
   over the image, and you've got an attack that is 100% pixel-perfect
   AND 100% workflow perfect of the legitimate original PayPal web
   site - including the https:// address bar and INCLUDING the popup
   certificate (another floating img) when users click the padlock.

   Not a single professional in the world would be able to distinguish
   the above fake from the real site without significant effort - and
   no amount of shared-secretless or stateless browser chrome can
   prevent it. 

Monday, June 12, 2006, 11:36:17 PM, Amir Herzberg wrote:
>Would it help to make a more `permanent` kind of (limited) cookie?
Client certificates work in all browsers AFAIK.  Microsoft browsers
also have userdata persistence, which offer additional persistent
identifiers (also SSL protected like secure cookies) that are really
easy to use.  There's some other interesting (re-)identifying tricks
that work on all browsers without using cookies too.  A properly
constructed identity service could allow users to tell it what's an
acceptable way to re-identify - people with static IPs being given
that as an option on top of persistence and/or cookies and/or other
identifying tricks or services.

Monday, June 12, 2006, 11:46:43 PM, Frederick Hirsch wrote:
>(in this case open source seems to enable a modification/replacement
> attack on the entire browser implementation itself)
It doesn't have to be an attack on the entire browser - even just a
browser toolbar or addin is sufficient.  everyone who's installed any
of these new-fangled toolbar things has granted permission to the
authors to do anything they want with every web page you visit - SSL
or not - including reading and changing all contents, recording
anything they want (including passwords, credit card numbers,
anything), permanently tracking you regardless of your cookies and
privacy settings, and granting the authors permission to automatically
add or remove any functionality they want anytime in the future (not
to mention the chances of allowing hackers to take control of your
browser if any toolbar implementations have bugs in them).

Even just asking users to install a new security or chrome toolbar is
an open invitation to phishing folks and spammers to invite you to
install *their* "secure chrome" toolbar instead - which of course will
give them all your bank details etc without them having to bother with
actually spoofing sites - they can just take your data our of your web
browser from the *legitimate* sites you visit - or if they can't take
your data (eg: secureID tokens), they can HTTP POST whatever funds
transfer <form> fields necessary to take your money in real time,
the next time you use your token...

It's too easy to simulate browser chrome, and too much to ask that
designers take another user-interface-functionality hit to satisfy
the whims of chrome advocates, and definitely way to much to ask that
every browser vender on every OS implement it.

This is an authentication issue, which can be done today on existing
technology, without writing client-side code or forcing people to
install stuff (which - lets face it - even if chrome got rolled out -
would take a decade to become ubiquitous anyway).  If backpackers
can't check their email in Timbuktu, hotmail can't use secure chrome.

Kind Regards,
Chris Drake
Received on Monday, 12 June 2006 15:40:41 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 19:53:15 UTC