Skip to Content

Breaking Web Browsers’ Trust

Researchers reveal a flaw with the way most Web browsers treat secure connections.

Making Internet communications secure means shutting off ways for an unauthorized person to access secret information. This is easier said than done.

In work presented this week at the IEEE Symposium on Security and Privacy, a team of researchers described a former flaw with almost all Web browsers that undermined the protocol used to secure online banking transactions and other sensitive transmissions. The problem arose when the victim was connected to the Internet via a proxy, such as a wireless access point at a hotel or cafe.

Although the researchers completed their work in July 2007, they kept the details secret to allow time to fix vulnerable browsers and test newer ones. The researchers say that they were able to successfully attack Internet Explorer 7 and 8, Firefox 2 and 3, Opera 9, and Chrome Beta and 1. The near-universal nature of the vulnerability suggests that better methods are needed to protect browser communications.

“It’s very difficult to figure out the composition of all these end-to-end crypto protocols, which are at different layers of the network,” says Shuo Chen, a researcher at Microsoft who helped uncover the vulnerability.

The protocol used to secure browser messages is based on a simple idea, Chen says: it’s meant to establish a secure link between the user’s browser and a Web server and distrust any points in between. However, because the browser often needs to trust the broader network, weak spots can creep in, he says.

Chen’s group uncovered a problem with the way Web browsers display information from Web pages when a secure communications link has been established. They found that most browsers will sometimes treat insecure data as if it’s part of the secure protocol. This means that a Web proxy–a machine sitting in between the browser and a website–can issue commands that the browser interprets as coming from a secure website, even if they are not. “In reality, it’s very difficult to make sure that you are using a trusted network,” he says.

For example, when a browser requests access to a secure website, the proxy could return a fake error message that the browser displays as genuine. The browser could then be tricked into sending secure messages to both the legitimate server and the malicious proxy.

Adam Barth, a researcher at the University of California, Berkeley, who studies browser security, says that the newly revealed flaw is significant because several browsers contained the same vulnerability. “That demonstrates that the issue is subtle,” Barth says. “A lot of smart people missed it.” He adds that since a browser is a complex system of interlocking parts, it could be useful to investigate tools that could help people analyze how data moves through those parts. Such tools might help catch similar errors in browser design.

Barth also says that Web standards would have mandated more secure behavior if experts had looked at the issue more carefully.

Though the specific problem that Chen’s team found was fixed, Chen is still concerned about the methods used to build browsers. Normally, he says, the group of developers that figures out how a browser will display pages works separately from the group that implements a secure communications protocol. Chen thinks the Web community should think more carefully about the way different parts of the browser are put together. “It’s difficult for the whole browser-development effort to have the whole picture,” he says.

Keep Reading

Most Popular

The inside story of how ChatGPT was built from the people who made it

Exclusive conversations that take us behind the scenes of a cultural phenomenon.

ChatGPT is about to revolutionize the economy. We need to decide what that looks like.

New large language models will transform many jobs. Whether they will lead to widespread prosperity or not is up to us.

Sam Altman invested $180 million into a company trying to delay death

Can anti-aging breakthroughs add 10 healthy years to the human life span? The CEO of OpenAI is paying to find out.

GPT-4 is bigger and better than ChatGPT—but OpenAI won’t say why

We got a first look at the much-anticipated big new language model from OpenAI. But this time how it works is even more deeply under wraps.

Stay connected

Illustration by Rose Wong

Get the latest updates from
MIT Technology Review

Discover special offers, top stories, upcoming events, and more.

Thank you for submitting your email!

Explore more newsletters

It looks like something went wrong.

We’re having trouble saving your preferences. Try refreshing this page and updating them one more time. If you continue to get this message, reach out to us at with a list of newsletters you’d like to receive.