Dynamic pharming attacks and locked same-origin policies for web browsers

We describe a new attack against web authentication, which we call dynamic pharming. Dynamic pharming works by hijacking DNS and sending the victim's browser malicious JavaScript, which then exploits DNS rebinding vulnerabilities and the name-based same-origin policy to hijack a legitimate session after authentication has taken place. As a result, the attack works regardless of the authentication scheme used. Dynamic pharming enables the adversary to eavesdrop on sensitive content, forge transactions, sniff secondary passwords, etc. To counter dynamic pharming attacks, we propose two locked same-origin policies for web browsers. In contrast to the legacy same-origin policy, which regulates cross-object access control in browsers using domain names, the locked same-origin policies enforce access using servers' X.509 certificates and public keys. We show how our policies help two existing web authentication mechanisms, client-side SSL and SSL-only cookies, resist both pharming and stronger active attacks. Also, we present a deployability analysis of our policies based on a study of 14651 SSL domains. Our results suggest one of our policies can be deployed today and interoperate seamlessly with the vast majority of legacy web servers. For our other policy, we present a simple incrementally deployable opt-in mechanism for legacy servers using policy files, and show how web sites can use policy files to support self-signed and untrusted certificates, shared subdomain objects, and key updates.
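The following is an added illustration, not code from the paper: a simplified browser-side model contrasting the legacy name-based same-origin check with a locked check that also compares the server public key seen when each document was fetched. Hostnames and key fingerprints are constructed placeholders, and the origin fields and function names are assumptions for the example.

```javascript
// Added example (not from the paper): a simplified model of the two kinds
// of origin comparison the abstract contrasts. Hostnames and key
// fingerprints are constructed placeholders.

// A document's origin, extended with the TLS server public key the browser
// observed when it fetched the document (null for a plain-http document).
function makeOrigin(scheme, host, port, pubkeyFingerprint) {
  return { scheme, host, port, pubkeyFingerprint };
}

// Legacy name-based same-origin policy: scheme, host and port only.
function legacySameOrigin(a, b) {
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// Locked same-origin policy keyed on the server's public key: two documents
// share an origin only if they were also served under the same public key.
// A document served by a different host under the same name (for example
// after a DNS rebinding) presents a different key and is isolated.
function lockedSameOrigin(a, b) {
  if (!legacySameOrigin(a, b)) return false;
  if (a.pubkeyFingerprint === null || b.pubkeyFingerprint === null) {
    // Both plain http: fall back to the name-based decision; mixed: deny.
    return a.pubkeyFingerprint === b.pubkeyFingerprint;
  }
  return a.pubkeyFingerprint === b.pubkeyFingerprint;
}

// Constructed scenario: the authenticated session document came from the
// genuine server; a second document with the same hostname was later served
// by a different host presenting a different key.
const bankSession = makeOrigin("https", "bank.example", 443,
  "sha256:GENUINE-KEY-PLACEHOLDER");
const rebound = makeOrigin("https", "bank.example", 443,
  "sha256:OTHER-KEY-PLACEHOLDER");

// Returns the access decision each policy would reach for the scenario.
function evaluate() {
  return {
    legacy: legacySameOrigin(bankSession, rebound), // true: access allowed
    locked: lockedSameOrigin(bankSession, rebound), // false: access denied
  };
}
```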
