Chapter 2: Basic Browser Security
OBTAINING A VALID BROWSER
Microsoft's Internet Explorer is usually obtained with Windows 95 or through a software vendor. The danger of this program being tampered with is no greater than the danger of the operating system being modified; the latter is the more serious security threat. Thus, if users trust that they have a valid operating system, they usually have confidence in their browser. The same is not true for Netscape. Netscape Navigator and Internet Explorer are both readily available through the Internet. Whereas most Explorer users obtain their browsers with their operating systems or in software stores, Netscape users tend to download their browsers from an ftp site.
When you obtain a program by ftp through the Internet, you run the risk that you will get a maliciously modified copy instead. A program is vulnerable at the distribution site and in transit. In fact, if the DNS has been attacked, a user may not even be communicating with the correct server when he or she requests a file.
If an attacker can cause a user to download a modified browser, the consequences can be serious. A trojanized browser might appear to behave correctly. The user would have no idea that he or she was not running the correct program. Because a Web browser requires an Internet connection, a trojanized browser could give an attacker unlimited access to the user's machine and everything on it. The attacker could use this access to read and replace files, to run programs on the target machine, to disrupt service, and even to access secret cryptographic keys that may be stored on the local disk. By controlling the browser, the attacker could fool the user into entering passwords and other confidential information that would normally be reserved for trusted programs.
A maliciously modified browser need not be very sophisticated to be effective. A browser that automatically modifies SSL options, for example, to specify weak encryption would compromise all communication with secure servers. Another simple attack would mail information to the attacker about the user's browsing habits, enabling targeted advertising or blackmail. Because most browsers now come with built-in mail and newsreading capabilities, attackers could spy on someone by having a trojanized browser forward a copy of all e-mail to a specific location. They could even avoid detection by having the forwarded mail encrypted with a public key.
Several things can be done to distribute a file and guarantee its authenticity and integrity. Authenticity means that the file actually comes from the right place, and integrity means that it has not been modified. The most obvious protection is for the distributor to digitally sign the files. Digital signatures, however, require public key infrastructure. And, clearly there are open problems with certifying public keys.
One solution to the problem of secure software distribution on the Internet is Betsi (http://info.bellcore.com/BETSI/betsi.html). IETF RFC 1805 describes the protocol. Betsi is an interim solution to the problem, one that has been in place for a year and a half and can be expected to prevail until a more rigorous infrastructure displaces it. It requires users to obtain one valid public key and some widely available cryptographic software, namely PGP (http://Web.mit.edu/network/pgp.html) and MD5. More information about these programs is available in Appendix A. Users can obtain these programs from the site of their choosing. Betsi's public key is also widely available. The key has been signed by some well-known people whose public keys are also widely available, including Phil Zimmermann, the author of PGP. The fingerprint of Betsi's PGP public key is:
    5F 34 26 5F 2A 48 6B 07 90 C9 98 C5 32 C3 44 0C
In Betsi, there are authors and users. Authors are people who wish to distribute software securely. Netscape is an example of an author. Users are people who wish to download programs with integrity and authenticity guarantees. Authors must register with Betsi in advance. To do so, they present Betsi with a public key, then Betsi verifies their identity. There are several approaches to this verification; the method chosen depends on the level of security required.
Once authors are registered, they can communicate securely with Betsi because they will share valid copies of one another's public keys. When an author has a file to distribute, he or she creates an integrity certificate request for the file. The request contains items such as the name of the author, the name of the file(s) to be certified, the cryptographic hash of the file, and so on. The author then signs the request with his or her private key and sends it to Betsi. Here is an example of such a request:
    -----BEGIN PGP SIGNED MESSAGE-----

    Author Name: Some Author
    Author Organization: Software Company, Inc.
    Hash function: MD5
    Date of certificate creation: 09/17/96

    4e74a2197b1b9f2561 distribution.tar.z
    f4632efda0e7ce66e4 archive.tar.Z

    -----BEGIN PGP SIGNATURE-----
    Version: 2.6.2

    -----END PGP SIGNATURE-----
Betsi receives this message and checks the signature. At this point, the message is verified as authentic, and any modifications to the message are detected during the verification. Next, Betsi replies to the author with a signed integrity certificate, which states that the named author is registered and that he or she has requested a certificate linking certain hash values to filenames. Here is an example of such a certificate: ...
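The exchange just described, from the author's signed request through Betsi's signed certificate to the user's check of a downloaded file, as an added worked example. This is illustrative code written for this page, not Betsi's own software or anything from RFC 1805; Ed25519 signatures stand in for PGP, the file contents are constructed sample data, and the function and field names are this example's own.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/md5"
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"strings"
)

// File is a constructed stand-in for a distribution archive the author wants certified.
type File struct {
	Name     string
	Contents []byte
}

// SignedMessage pairs a text body with a detached signature over it, playing the
// role of a clear-signed PGP message (Ed25519 is an assumption of this example).
type SignedMessage struct {
	Body []byte
	Sig  []byte
}

// hashFile returns the hex MD5 digest of a file, the hash function named in the
// page's request; a present-day deployment would use SHA-256 instead.
func hashFile(contents []byte) string {
	sum := md5.Sum(contents)
	return hex.EncodeToString(sum[:])
}

// BuildRequest produces the body of an integrity certificate request:
// author metadata followed by one "<hash> <filename>" line per file.
func BuildRequest(author, org string, files []File) []byte {
	var b bytes.Buffer
	fmt.Fprintf(&b, "Author Name: %s\n", author)
	fmt.Fprintf(&b, "Author Organization: %s\n", org)
	fmt.Fprintf(&b, "Hash function: MD5\n")
	for _, f := range files {
		fmt.Fprintf(&b, "%s %s\n", hashFile(f.Contents), f.Name)
	}
	return b.Bytes()
}

// Sign attaches the sender's signature to a message body.
func Sign(priv ed25519.PrivateKey, body []byte) SignedMessage {
	return SignedMessage{Body: body, Sig: ed25519.Sign(priv, body)}
}

// Verify checks a signed message against the claimed sender's public key.
func Verify(pub ed25519.PublicKey, m SignedMessage) bool {
	return ed25519.Verify(pub, m.Body, m.Sig)
}

// IssueCertificate is Betsi's side: look up the public key the author registered
// in advance, verify the request signature, and if it holds, sign a certificate
// that binds the author's name to the hash/filename lines.
func IssueCertificate(registered map[string]ed25519.PublicKey, betsiPriv ed25519.PrivateKey, req SignedMessage) (SignedMessage, error) {
	authorName := ""
	for _, line := range strings.Split(string(req.Body), "\n") {
		if strings.HasPrefix(line, "Author Name: ") {
			authorName = strings.TrimPrefix(line, "Author Name: ")
		}
	}
	pub, ok := registered[authorName]
	if !ok {
		return SignedMessage{}, fmt.Errorf("author %q is not registered with Betsi", authorName)
	}
	if !Verify(pub, req) {
		return SignedMessage{}, fmt.Errorf("request signature does not verify for %q", authorName)
	}
	cert := append([]byte("Betsi Integrity Certificate\nRegistered author verified\n"), req.Body...)
	return Sign(betsiPriv, cert), nil
}

// CheckDownload is the user's side: verify Betsi's signature on the certificate
// (the one key the user must hold), then compare the downloaded file's hash with
// the certified line for that filename. A trojanized copy fails the hash match.
func CheckDownload(betsiPub ed25519.PublicKey, cert SignedMessage, filename string, contents []byte) bool {
	if !Verify(betsiPub, cert) {
		return false
	}
	want := hashFile(contents) + " " + filename
	for _, line := range strings.Split(string(cert.Body), "\n") {
		if line == want {
			return true
		}
	}
	return false
}

func main() {
	authorPub, authorPriv, _ := ed25519.GenerateKey(rand.Reader)
	betsiPub, betsiPriv, _ := ed25519.GenerateKey(rand.Reader)
	registered := map[string]ed25519.PublicKey{"Some Author": authorPub} // established at registration
	// Constructed contents standing in for the archives named in the page's request.
	files := []File{{"distribution.tar.z", []byte("browser release 1.0")}, {"archive.tar.Z", []byte("source archive")}}
	req := Sign(authorPriv, BuildRequest("Some Author", "Software Company, Inc.", files))
	cert, err := IssueCertificate(registered, betsiPriv, req)
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine file:", CheckDownload(betsiPub, cert, "distribution.tar.z", files[0].Contents))
	fmt.Println("modified file:", CheckDownload(betsiPub, cert, "distribution.tar.z", []byte("modified browser")))
}
```

The point to take from the user's side is that only Betsi's public key has to be obtained out of band; every author's key is vouched for by Betsi's signature on the certificate, and the certificate is only as trustworthy as the identity check Betsi performed at registration.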