▶ 15.2 Basic Web Security
The internet is a risky place, and the web offers a very large attack surface. Here we examine four basic aspects of web security:
Client policy issues: risks arising from web clients
Static website security: risks and defenses for static web pages
Server authentication: using SSL to authenticate a server
Server masquerades: techniques to masquerade as a particular server using SSL
First, we examine client policy issues. The other aspects appear in subsequent subsections.
Client Policy Issues
We looked at the evolution of internet use policies and the role of firewalls in enforcing them. (See Section 14.4.) Here we look more closely at problems arising from clients using web resources. The dilemma remains the same: Many employees use the web routinely for job-related activities, but the web also poses risks to productivity. We examine the following issues related to web client use:
■ Policy motivations and objectives
■ Strategies to manage web use
■ The tunneling dilemma
Policy Motivations and Objectives
Restrictions on web clients often arise from one or more of the following risks or worries:
■ Distractions that divert attention from business tasks
■ Network traffic that does not support enterprise objectives
■ Inappropriate content that poses legal risks
■ Malware that may infect computers via drive-by downloads
There is no doubt that some employees abuse their internet access by entertaining themselves while they should be at work. However, few reported studies have taken a truly unbiased look at the phenomenon. The available reports and anecdotes suggest that the problem varies widely among organizations and employees and even with the time of year.
Internet Policy Directives
In all cases, employees and other network users must have a clear understanding of the enterprise’s expectations. If the organization wishes to enforce standards on internet behavior, then the organization must define and publish those standards in policy directives. It is difficult to enforce an unwritten policy. It also may be difficult to fire an employee for violating an unwritten policy.
Strategies to Manage Web Use
When organizations try to manage employees’ internet use, they take three general approaches:
Traffic blocking
Monitoring
Training
Some organizations combine one or more of these techniques. We examine each technique here. Many organizations effectively control web use through a combination of monitoring and training.
Traffic Blocking
Many enterprise networks try to limit web misuse by blocking access to web content. Here are three approaches:
Website whitelist. This lists all websites that employees may visit. It is often impractical to maintain an effective whitelist. It must grant access to every site that the employees might need to get their work done. It is hard to anticipate all sites people might need to visit. If the needed site isn’t on the list, a task is delayed while the list is updated.
Content control software or website blacklist. This lists all websites that employees should not visit. Such lists are often built into commercial products, and the vendor maintains the list. In some cases, the list classifies sites according to the type of content. The network administrators may then allow access to some types of sites and block access to other types.
Web traffic scanning. Whitelists and blacklists do not eliminate the risk of malware infections via drive-by downloads. Such attacks even infect legitimate sites on occasion. Web traffic scanners search for malware in the HTML and other files returned to browsers by web servers. However, this introduces a delay in web browsing if the scanning times are excessive.
In practice, many enterprises and users rely on client-based antivirus software to resist drive-by downloading of malware.
Traffic blocking is rarely 100 percent effective. Users may employ several techniques to disguise their web traffic. These are often the same techniques that people use to ensure personal privacy on the internet (see Section 15.5). Most employers would be very unhappy with employees who used such techniques to violate the company’s acceptable-use policy.
Monitoring
We introduced the maxim Trust, but Verify (in Section 4.5). Instead of restricting user actions ahead of time with web blocking, we monitor their behavior. We use the results of monitoring to ensure that users comply with the web usage policy.
Some sites simply keep a log of URLs visited by users and examine the log for suspicious or inappropriate site names. This is not practical in larger organizations. Some sites use content control software: Instead of using it to block access, the software keeps a record of visits. The administrators then can create a report indicating the visits to different types of sites and, if necessary, narrow down visits to specific client computers and desktops.
Training
After we produce a policy directive on web use, we must ensure that the user community understands it. That naturally leads to training. A newly enacted policy requires an initial announcement and explanation to the existing user community. New users learn of the policy during an introductory orientation.
We reinforce the policy training by providing reminders to the user community. An effective reminder indicates that the policy exists and that management pays attention to it. If the enterprises monitor user behavior, then it is worthwhile to remind users of such monitoring. It is particularly effective to provide evidence of such monitoring by reporting general statistics on web use. We improve compliance if people know their work is being monitored.
The Tunneling Dilemma
Most internet-connected networks allow their users to browse the web. The site’s gateways and firewalls are configured to allow such traffic to pass. Some protocols take advantage of this: Instead of using TCP to establish their own, separate connections, the protocols travel inside HTTP traffic. We call this HTTP tunneling.
Tunneling requires a special-purpose client and a matching server. The client opens an HTTP connection to the server and they exchange packets by embedding them inside the HTTP data (FIGURE 15.8).
FIGURE 15.8 Packet format for HTTP tunneling.
Some applications have a plausible reason for tunneling. For example, some web applications that exchange XML data may embed the XML within an HTTP tunnel.
To make the tunnel work, client-side software embeds the tunneled data in an HTTP message and sends it to a tunneling server. The server extracts the tunneled data and processes it. To simple firewalls, the exchange looks like a conventional HTTP connection. In fact, the XML tunnel carries more sophisticated XML-formatted data.
Although XML tunnels may have a legitimate purpose, other applications use tunneling to circumvent firewall port filtering. For example, there are general-purpose tunneling applications that embed an entire IP packet inside the HTTP message. This allows the client to use any application protocol desired. If the local network’s firewall blocks applications on most ports except web traffic on port 80, then the general-purpose tunnel bypasses that restriction.
Several open-source and commercial packages provide general-purpose HTTP tunneling. The packages allow the user to exchange packets with any internet host using essentially any protocol. For example, the tunnel could allow a user to communicate via a special-purpose gaming protocol port, even if the local network’s firewall blocks that port.
All tunnels, including the general-purpose tunnel, require client software to embed and extract the tunneled data. The client must connect to a server that processes the tunneled data. General-purpose tunnels generally rely on a corresponding server on the public internet, outside the local network’s firewall. Some commercial packages charge a fee to use their tunneling servers.
Firewalling HTTP Tunnels
Sophisticated firewalls and monitoring systems can detect and block some types of tunneling. If the administrators use a website whitelist or can identify tunnel servers, then they can block access to those servers. Some monitoring systems may be able to examine the HTTP traffic itself and recognize tunneling protocols.
Tunneling is a variation of techniques used to achieve higher degrees of privacy while browsing on the internet. Section 15.5.2 discusses these techniques further.
Some tunneling software uses SSL to encrypt the HTTP traffic. There is no way to detect tunneling encrypted inside such a connection.
15.2.1 Static Website Security
In general, a static website presents the smallest attack surface. Visitors are unlikely to encounter injury from the site, because basic HTML does little more than display data. An HTML file could contain a script and a script could do damage; these are risks of “dynamic” websites (see Section 15.3).
As noted, a poorly designed static site might leave sensitive information visible. A website generally consists of a set of files contained within a specific directory hierarchy. We must never place files in the site’s hierarchy unless we want them visible. Anyone on the internet can retrieve any file in the hierarchy by adding the path name to the site’s URL.
Assuming we’ve eliminated sensitive information from the site’s hierarchy, site defacement remains the major risk faced by static websites. Such attacks modify the site’s files so that visitors see different web pages than intended. FIGURE 15.9 shows the result of an attack on the U.S. Senate’s home page in 1999.
FIGURE 15.9 Defaced U.S. Senate website, 1999.
Courtesy of Dr. Richard Smith.
The threat agents are often vandals who take advantage of an opportunity to deface the website. In some cases, there may be an economic or political motivation. For example, an unscrupulous competitor might deface another company’s web page. The attack on the Senate page does not carry a clear political message, suggesting that the attackers were motivated by vandalism and not political objectives.
An attacker achieves very little by attacking a static website, except perhaps publicity. A successful attack only changes the site’s visible contents. The attacker must penetrate the server’s security and actually modify the data files stored on the server.
An attacker may also change a website’s appearance by redirecting visitors to a bogus site, that is, one that masquerades as another site. Instead of actually damaging the U.S. Senate site, the attackers could have redirected visitors to a different website containing their announcements or political messages. Attackers may do this by distributing fake DNS data that contains the bogus site’s IP address or by distributing subverted routing data.
Visitors to a static site face a small number of risks. One risk arises if the site hosts any static files whose contents cause damage simply by reading them. Such “maliciously formatted files” are rare and rely on flaws in the client’s display software. In 2004, for example, Microsoft’s browsers suffered a buffer overflow when displaying a JPEG file formatted in a particularly extreme manner (the so-called “JPEG of death”). Some attackers constructed malicious JPEGs to try to take advantage of the flaw.
15.2.2 Server Authentication
We select a website to visit by selecting a URL, either by clicking a link or typing it by hand. The URL’s authority field contains the web server’s domain name—but how do we verify that we are visiting the correct site? If we are visiting an e-commerce site like eBay or Amazon, we don’t want to risk our billing information to a bogus site. How can we tell a legitimate site from a bogus one?
Informally, we can often detect a bogus site by looking for errors or inconsistencies. If we know a site well, we probably will be able to spot a fake. However, we won’t always detect a fake before we have provided a password or other secret information. Occasionally, a bogus site will practice a little social engineering by alerting us to a “website redesign” as the reason a site looks unfamiliar.
Fortunately, we rarely provide sensitive information except through SSL-protected connections. We examined SSL in Section 13.3.1. Browsers can authenticate SSL-enabled servers by checking their certificates. FIGURE 15.10 illustrates the process. When the browser opens an SSL connection, the server sends its certificate. The certificate contains the site’s domain name. If the certificate’s domain name matches the name in the URL, then the browser accepts the connection.
FIGURE 15.10 Authenticating the web server with SSL.
Although this process usually works successfully, there are cases where the authentication fails. The browser then displays a message to the user indicating that one of the following has happened:
Domain names don’t match (may be legitimate)
Untrusted CA (possibly safe, possibly not)
Expired certificate (often still safe to use)
Revoked certificate (unsafe to use)
Invalid digital signature (unsafe to use)
Mismatched Domain Name: May Be Legitimate
If the name check shown in Figure 15.10 detects a mismatch, the browser displays a warning. FIGURE 15.11 shows the warning displayed by the Firefox browser.
FIGURE 15.11 Firefox alert for a mismatched certificate name.
In the figure, the URL contained the domain name “www.ccr.gov.” Under “Technical Details,” the warning notes that the certificate contained the name “www.bpn.gov” instead.
This warning does not always indicate a fraudulent site or even a fraudulent certificate. If the organization has reorganized its site or changed site domain names, then the mismatch may be accidental. Figure 15.11 is an example of such an error; the certificate was issued by the appropriate agency, but it contained the wrong domain name.
When the URL and certificate names don’t match, we can examine the certificate ourselves and decide its legitimacy. Browsers always provide a mechanism for examining the SSL certificate being used. If we click on “I Understand the Risks” on the Firefox notice, it takes us to another screen that allows display of the certificate. FIGURE 15.12 shows the certificate associated with this error.
FIGURE 15.12 Certificate information displayed by Firefox.
We can decide to trust the certificate in Figure 15.12 based on its contents. The owner and domain name legitimately could apply to this site (the “ccr” site is for U.S. government contractors, and the Defense Logistics Agency might legitimately manage that site). The certificate display also indicates that it was signed by a recognized CA: Verisign. When judging a certificate’s legitimacy, we consider the following three questions:
Is the owning organization a legitimate entity that could reasonably be operating that website? For that matter, is it unlikely that the organization would host a bogus site?
Could the domain name in the certificate legitimately apply to the site selected by the URL? For example, there could be a partial match between the certificate’s domain name and the URL’s domain name, and yet the browser comparison still could fail. Some certificates allow different local subdomains, while others will only accept a specific subdomain like “www”—or the certificate could include a legitimate variant of the organization’s name.
Was the certificate issued by a legitimate CA?
If the answer to all three questions is “yes,” then the certificate should be trustworthy. The first question may be the hardest to answer without further research. Government agencies or well-known, reputable companies usually are trustworthy in such cases. However, there are so many small companies on the web that it’s hard to identify all of them reliably, much less assess their trustworthiness. Some well-known businesses use a third-party service company to provide sales and “shopping cart” features for their websites. Thus, we might end up using an unrecognized company to complete a sale involving a familiar brand name.
The second question is a variant of the first: It is easier to trust the site if the domain names are part of one another. However, a total mismatch doesn’t indicate a bogus site if the site’s owner is legitimate. The third question is addressed in the next section: the assessment of “untrusted” CAs.
In some cases, there is simply not enough information available to identify a legitimate site with 100 percent confidence. There will always be risks in business transactions, whether on the web, on the phone, or in person.
Untrusted Certificate Authority: Difficult to Verify
Every valid public-key certificate contains a digital signature. We validate the certificate by checking the signature, using the CA’s public key. When SSL was a new technology, it was easy to check certificates. There was only a single authority who issued certificates for SSL, and the authority’s public key was built into the browser software.
Today, there are hundreds of recognized, reputable CAs. Modern browsers maintain a built-in list of recognized CAs. The left-hand side of FIGURE 15.13 shows an example of such a list. The list includes a few representative authorities; a typical browser might contain 200 such entries.
FIGURE 15.13 Browser authenticates the bpn.gov certificate.
The built-in list contains a public-key certificate for each recognized CA. Each certificate contains the name and public key for an authority. The certificate format provides a safe and convenient way to distribute the information.
Figure 15.13 shows how Firefox used its built-in list of authorities to verify the bpn.gov certificate shown in Figure 15.12. Firefox produced an alert (Figure 15.11) indicating that the certificate’s name (bpn.gov) did not match the URL name (ccr.gov). Firefox did, however, verify the authenticity of bpn.gov’s certificate.
If a CA is not in the browser’s built-in list, then the browser cannot verify the certificate’s digital signature and thus cannot tell if the certificate is legitimate. When this happens, the browser produces a security alert like the one in Figure 15.11. This time, however, the technical details explain that the browser does not trust the authority who issued the certificate.
This poses a difficult security problem with no simple answer. The certificate in fact may be legitimate, or it may be a bogus certificate produced by an attacker. There are two ways an attacker might exploit a bogus certificate in this case:
The bogus certificate might be part of a phishing attack: The bogus site may try to trick us into disclosing login information. SSL may protect the connection, but the information we type travels directly to the attacker’s system. (See Section 14.3.2.)
The bogus certificate might be part of a bucket brigade attack. (See Section 8.6.) Again, the attacker might intercept SSL-protected login information for the legitimate site.
On the other hand, both the site and certificate might be genuine. Not all legitimate sites use CAs that appear in the browsers’ built-in lists. The U.S. military, for example, may use its own CAs to sign certificates. Public-key certificates for those authorities aren’t generally distributed with commercial browsers. Users who regularly visit those sites eliminate the alert by installing the appropriate U.S. military certificate in their browser. This allows the browser to verify the military-issued certificates automatically.
There are two strategies for dealing with an untrusted certificate:
Risky but simple: Decide to trust the certificate, but treat the site with some suspicion. If the site proves legitimate over several interactions, perhaps it is trustworthy.
Safe but complicated: Locate an SSL-protected site that can download the missing certificate for the authority. Install the certificate into the browser. Unfortunately, it isn’t always simple to locate such sites and certificates.
Expired Certificate: Possibly Bogus, Probably Not
Public-key certificates generally carry a range of effective dates; the certificate in Figure 15.12 was issued on 8/4/14 to expire on 8/5/15. Servers occasionally may use a certificate for a few weeks past its expiration date, and this is usually an administrative oversight. Even though the mistake suggests carelessness on the site’s part, it usually does not indicate a bogus site. Avoid certificates that are months or years out of date.
Revoked Certificate: Always Bogus
This error occurs if the CA actually has revoked a certificate. The authority only revokes a certificate following a request from the certificate’s owner. This occurs rarely and almost certainly indicates that the certificate is bogus.
Invalid Digital Signature: Always Bogus
This may arise if an attacker simply modifies the public-key certificate directly. For example, the attacker might leave the certificate alone, except to substitute one name for another or one public key for another. Any change to the certificate’s contents should invalidate the digital signature. This clearly indicates a bogus certificate.
15.2.3 Server Masquerades
A bogus certificate is one whose public key is not exclusively controlled by the individual or enterprise named in the certificate. For example, Kevin wants to create a bogus Amalgamated Widget site. The easiest way for Kevin to create such a site is to omit SSL entirely. Many users won’t even notice its absence.
However, Kevin wants to produce a really convincing bogus site and he wants to provide SSL. He uses a software package to construct a public-key certificate containing the name Amalgamated Widget. Because Kevin controls the private key associated with the certificate, it is a bogus certificate.
Many server masquerades rely on bogus certificates. Here are four techniques for tricking users or their browsers into accepting bogus certificates:
Bogus CA
Misleading domain name
Stolen private key
Tricked CA
These four techniques are listed in roughly the order of difficulty for the attacker, starting with the easiest.
There’s a process to verify downloaded software using digital signatures. (See Section 8.6.3.) The technique can authenticate client-side scripts and software updates. Careful software vendors use this technique—or one like it—to protect software while being transmitted across the internet.
Attackers may also use these four masquerade strategies to produce digitally signed software. When such masquerades succeed, the attacker can distribute malware that appears to be legitimate software.
Bogus Certificate Authority
There are numerous software packages, both open-source and commercial, that can construct public-key certificates. Anyone can appoint themselves to be a CA and issue certificates. Kevin did so at the beginning of the section. Once he creates the certificate and inserts the name “www.amawig.com,” he can sign it with his personal private key or he can self-sign the certificate with its own private key. (See Section 8.6.2.)
In either case, typical browsers won’t include Kevin’s public key in their built-in list of authorities. Thus, the certificate check shown in Figure 15.10 fails and the browser alerts the user.
However, the masquerade still may succeed. The user might not understand the alert and might proceed with the connection regardless. Given the millions of people who use the internet, it is likely that someone—somewhere—will ignore the browser warning and proceed.
Misleading Domain Name
The attacker has a better chance of success if the user doesn’t receive a warning from the browser. The attacker avoids the warning by using a public-key certificate that is signed by a legitimate, recognized CA. Kevin can create such a certificate for his masquerade if he uses an intentionally misleading domain name. For example, Kevin might host his bogus amawig.com site at the domain “amavig.com” or “anawig.com.” The difference may appear only in the browser’s URL window and many users won’t notice it.
The only way to detect the misleading name is to look at the URL displayed by the browser and realize that it is wrong. Even experienced computer users might not notice a subtle one-letter change. There are several ways to construct misleading names, and they generally take these forms:
■ Similar but different—This is the strategy behind Kevin’s “anawig.com” domain name.
The antiphishing tutorial at eBay.com notes how phishers have used the name “signin-ebay.com” to trick users into thinking they had arrived at “signin.ebay.com,” which clearly belongs to eBay. Early phishing attempts against Paypal users led to a site named “paypai.com,” which was easily misread as “paypal.com.”
■ Misleading syntax—Figure 15.6 showed how the domain name in a URL may contain text preceding an @ sign. Phishers have used such names to try to trick users. For example:
http://[email protected]/login.html
Although this may appear to be a URL leading to www.bank.com, all material to the left of the @ sign is really treated as a user name. In fact, most servers will ignore it. Firefox and other modern web clients produce a warning message when users try to follow URLs containing an @ sign, because it is rarely used except in phishing attempts.
■ Obfuscating syntax—Programming traditions in the C programming language treat the “null” character (a character whose code is all 0s) as the marker for the end of a text string. Many programs follow this tradition, even when underlying standards or protocols do not follow that tradition. For example, the formatting procedures for public-key certificates often allowed null characters in domain names. A security researcher discovered that this trick could hide part of a URL from the browser’s user.
We can address some of these problems by tightening the requirements on public-key certificates, like forbidding nulls and other misleading characters. Unfortunately, it’s not practical to forbid the registration of like-sounding domain names.
Many of the larger ISPs provide domain registration, SSL certificate issuance, and website-hosting services. The operations are fully integrated and automated. If Kevin registers a particular domain name, the ISP also will host a website for the domain and provide it with an SSL certificate. Kevin simply has to pay for everything with a credit card.
If Kevin manages to register a misleading domain name, he can easily set up the bogus site protected with the legitimate-looking SSL certificate. In a technical sense, Kevin isn’t using a bogus certificate, although the name suggests that Amalgamated Widget owns it and not Kevin.
This type of attack is hard to prevent ahead of time. Some organizations protect themselves by registering numerous domain names similar to their own and by redirecting those names to their website. Many vendors simply ignore the problem, except when a site tries to perform a serious masquerade.
Kevin may be liable for civil and criminal penalties if he sets up the bogus site and tricks Amalgamated’s customers. He may be guilty of trademark infringement, just by displaying Amalgamated’s logo and other imagery. If he pretends to sell products and collects the money, he may be guilty of fraud.
Even if Kevin manages to hide his ownership of this site and avoid lawsuits or prosecution, Amalgamated may take steps to shut the site down. The company can track down the ISP, contact them, and identify the site as infringing on their trademarks and copyrights. The company can also apply to ICANN (a nonprofit organization in charge of maintaining and coordinating the internet) to strip Kevin of the misleading domain name. To do so, they must successfully argue that his domain name is too similar to their trademarked name.
Stolen Private Key
This approach requires that Kevin penetrate the amawig.com server somehow and steal a copy of its private key. This makes it trivial to masquerade as the amawig.com server. He distributes Amalgamated Widget’s existing public-key certificate and uses the stolen private key to handle the SSL connections.
Technically, the amawig.com certificate becomes bogus as soon as Kevin receives a copy of its private key, because the key is no longer under the control of the legitimate owner. However, the owner probably won’t realize this has happened until Kevin’s masquerade is detected.
It is not clear how often such thefts occur. There was a notable incident in 2010 involving the Stuxnet worm. (See Section 3.2.4.) The worm distributed software signed with keys belonging to two Korean hardware vendors. Researchers suspect that the corresponding private keys were stolen by people working for the Stuxnet development team. The keys were used to sign Stuxnet software so that it could masquerade as legitimate device driver software.
In early 2014, security researchers identified a flaw in the OpenSSL software package, a widely used version of SSL encryption software. The flaw was the opposite of the buffer overflow. (See Chapter 2.) Instead of sending a network message that wrote too much data into a buffer, a network message could retrieve data beyond the end of a buffer. An attack could read up to 64KB of RAM from an unpatched server running OpenSSL. The flaw was nicknamed “Heartbleed.” A web security firm deployed a standard web server with the Heartbleed flaw and challenged people to try to retrieve the server’s SSL private keys. Within 2 days, three separate individuals took the challenge and retrieved the private keys. Although patches were promptly created and distributed to correct the Heartbleed flaw, vulnerable servers may still exist.
Tricked Certificate Authority
Another potential source of trouble is if a reputable CA issues a bogus certificate. If the authority is careless about verifying a buyer’s identity or doesn’t verify the buyer’s authority to use a particular name, then the authority might issue a bogus certificate. Such an attack occurred in 2001 when a soon-to-leave Microsoft employee tricked their CA into issuing a Microsoft-named certificate for a key that he still controlled.
Another attack occurred in 2011, when an attacker issued bogus certificates by masquerading as a CA affiliate who was authorized to issue certificates. The attacker had intercepted login credentials for a legitimate affiliate. Then he logged in and issued himself nine bogus certificates for well-known sites like Gmail and Yahoo!. The attack was made possible because the CA accepted logins via a simple user ID and password. The CA promptly detected the masquerade and issued a security alert, but it could not prevent the issuance of the bogus certificates.