Article
DOI: 10.1145/1315245.1315254

Dynamic pharming attacks and locked same-origin policies for web browsers

Published: 28 October 2007

ABSTRACT

We describe a new attack against web authentication, which we call dynamic pharming. Dynamic pharming works by hijacking DNS and sending the victim's browser malicious JavaScript, which then exploits DNS rebinding vulnerabilities and the name-based same-origin policy to hijack a legitimate session after authentication has taken place. As a result, the attack works regardless of the authentication scheme used. Dynamic pharming enables the adversary to eavesdrop on sensitive content, forge transactions, sniff secondary passwords, etc. To counter dynamic pharming attacks, we propose two locked same-origin policies for web browsers. In contrast to the legacy same-origin policy, which regulates cross-object access control in browsers using domain names, the locked same-origin policies enforce access using servers' X.509 certificates and public keys. We show how our policies help two existing web authentication mechanisms, client-side SSL and SSL-only cookies, resist both pharming and stronger active attacks. Also, we present a deployability analysis of our policies based on a study of 14651 SSL domains. Our results suggest one of our policies can be deployed today and interoperate seamlessly with the vast majority of legacy web servers. For our other policy, we present a simple incrementally deployable opt-in mechanism for legacy servers using policy files, and show how web sites can use policy files to support self-signed and untrusted certificates, shared subdomain objects, and key updates.


Published in

CCS '07: Proceedings of the 14th ACM conference on Computer and communications security
October 2007
628 pages
ISBN: 9781595937032
DOI: 10.1145/1315245

Copyright © 2007 ACM


Publisher

Association for Computing Machinery, New York, NY, United States



Acceptance Rates

CCS '07 paper acceptance rate: 55 of 302 submissions (18%). Overall acceptance rate: 1,261 of 6,999 submissions (18%).
