Breaking Web Browsers’ Trust

Making Internet communications secure means shutting off ways for an unauthorized person to access secret information. This is easier said than done.

In work presented this week at the IEEE Symposium on Security and Privacy, a team of researchers described a former flaw with almost all Web browsers that undermined the protocol used to secure online banking transactions and other sensitive transmissions. The problem arose when the victim was connected to the Internet via a proxy, such as a wireless access point at a hotel or cafe.

Although the researchers completed their work in July 2007, they kept the details secret to allow time to fix vulnerable browsers and test newer ones. The researchers say that they were able to successfully attack Internet Explorer 7 and 8, Firefox 2 and 3, Opera 9, and Chrome Beta and 1. The near-universal nature of the vulnerability suggests that better methods are needed to protect browser communications.

“It’s very difficult to figure out the composition of all these end-to-end crypto protocols, which are at different layers of the network,” says Shuo Chen, a researcher at Microsoft who helped uncover the vulnerability.

The protocol used to secure browser messages is based on a simple idea, Chen says: it’s meant to establish a secure link between the user’s browser and a Web server and distrust any points in between. However, because the browser often needs to trust the broader network, weak spots can creep in, he says.

Chen’s group uncovered a problem with the way Web browsers display information from Web pages when a secure communications link has been established. They found that most browsers will sometimes treat insecure data as if it’s part of the secure protocol. This means that a Web proxy–a machine sitting in between the browser and a website–can issue commands that the browser interprets as coming from a secure website, even if they are not. “In reality, it’s very difficult to make sure that you are using a trusted network,” he says.

For example, when a browser requests access to a secure website, the proxy could return a fake error message that the browser displays as genuine. The browser could then be tricked into sending secure messages to both the legitimate server and the malicious proxy.

Adam Barth, a researcher at the University of California, Berkeley, who studies browser security, says that the newly revealed flaw is significant because several browsers contained the same vulnerability. “That demonstrates that the issue is subtle,” Barth says. “A lot of smart people missed it.” He adds that since a browser is a complex system of interlocking parts, it could be useful to investigate tools that could help people analyze how data moves through those parts. Such tools might help catch similar errors in browser design.

Barth also says that Web standards would have mandated more secure behavior if experts had looked at the issue more carefully.

Though the specific problem that Chen’s team found was fixed, Chen is still concerned about the methods used to build browsers. Normally, he says, the group of developers that figures out how a browser will display pages works separately from the group that implements a secure communications protocol. Chen thinks the Web community should think more carefully about the way different parts of the browser are put together. “It’s difficult for the whole browser-development effort to have the whole picture,” he says.