CFA/Security-Notes: Difference between revisions

From MozillaWiki
 
(36 intermediate revisions by the same user not shown)
Line 11: Line 11:
= Research =
= Research =
== General capabilities ==
== General capabilities ==
The following will be done in a table with notes and observations following as footnotes.


*- include malware detection and anti-phishing as security categories
=== Malware Detection ===
* - identify capabilities before diving in
* Prevent malware attacks
* - exclude "private browsing"/privacy
** Tell me if a download is suspected malware (FF3)
** Using virtual machine techniques (GreenBorder)
** Real-time with behavior-based profiling algorithms (Finjan SecureBrowsing FF extension, Haute Secure)
** Integrate sandboxing feature like Sandboxie; integrate virus scanning and malware protection for retrieved content/files (FF brainstorm)
** Protected Mode - runs in isolation from other applications in the OS.  Restricts exploits and malware from writing to any location beyond Temporary Internet Files without explicit user consent (IE7)
** Cross-domain barriers - prevent script on webpages from interacting with content from the other domains or windows; protects against malware by helping prevent malicious websites from manipulating flaws in other websites (IE)
* Preventative options
** Ability to disable handling and downloading of certain file types (FF brainstorm)
** Extension installation - one click to permanently add site to whitelist (FF brainstorm)
** Removes spyware (IE extension SpyWall Anti-Spyware)
* Notifications
** Notification whenever downloading or installing software (FF2)
** Warn me when sites try to install add-ons (FF)


* -openID
=== Anti-Phishing ===
* - users click through warnings dialogs, ignore security indicators, and focus on completing tasks. security indicators are out of the way and hard to interpret, terminology is confusing
* - security UI must balance obviousness with unintrusiveness, convey clarity in reasonable size, and reflect complexity with simplicity - talk to Jonathan Nightingale


* Highlight URL domain name in address bar (in FF3)
* Address bar protection - every window, including pop-ups, will show you an address bar (IE)
* Ability to disable AJAX on certain sites; notify user if asynchronous calls are being made on user's behalf (FF brainstorm)
* Tell me if the site I'm visiting is a suspected forgery (phishing), and offer to take user to search page to find the real website they were looking for (FF)
** Check using a downloaded list of suspected sites
** Check by asking Google about each site I visit
* Phishing Protection (FF brainstorm)
** Make it easier to report phishing sites
** Implement phishing filter that learns automatically; integrate w/ PhishTank
* Blacklisting of malicious websites (FF3)
* Safe browsing whitelist
* FirePhish - uses Open Phishing DB to provide user with info and tools to protect against phishing attacks (FF extension)
** Blinking-red warning when entering high-risk phishing-suspected sites
** Green frame around location bar when entering sites on your safe list
* EV certificates (FF3)
** Clear UI to indicate identity verified
* Security status bar - color-coded notifications appear next to the address bar to notify user of website security and privacy settings.  Address Bar turns green for websites bearing new High Assurance certificates (IE7, VeriSign EV Green Bar FF Extension)
* International domain name anti-spoofing - notifies user when visually similar characters in the URL are not expressed in the same language (IE)
* openID - decentralized single sign-on system that is possibly vulnerable to phishing attacks
* Surf by IP protection (FF brainstorm)
** Disallow visiting sites by IP address (IP anywhere in URL)
** Allow local LAN IPs
* iTrustPage - anti-phishing tool that prevents users from filling out suspicious web forms, and suggests corresponding legitimate form (FF extension)


* bookmarklets
=== Content Enabling ===
*blacklisting
* NoScript - allows JavaScript, Java and other executable content to run only from trusted domains of your choice (FF extension)
*whitelisting
* Enable plug-ins (Safari)
*AJAX
** Block flash animations (Camino)
*surf by ip protection
* Load images automatically (FF)
* download actions - don't downloda
* Enable Java (FF)
* security preferences
** Click to run applets (Omniweb)
* phishing protection
* Enable JavaScript (FF)
** make easier to report phishing sites
** YesScript - JavaScript blacklist (FF extension)
** implementing phishing filter that learns automatically - integration w/ phishTank
** Allow scripts to: (FF)
*script execution
*** Move or resize existing windows
* pop ups
*** Raise or lower windows
* secure defaults/ no security pop-ups
*** Disable or replace context menus
* restricted javascript
*** Hide the status bar
* cookies
*** Change status bar text
*extension installation
*** Reorder windows (OmniWeb)
* virus/malware protection
* Block pop-up windows (FF)
* highlight URL domain name in address bar
* Block web advertising (Camino)
* Adblock Plus - block ads and banners on webpages (FF extension)


=== Cookies ===
* Accepting cookies (FF)
** Exceptions (FF)
** Show cookies/cookie manager (FF)
** Discard when quitting (FF)
** Only from the current site (OmniWeb)


* Phishing Protection - warn users of suspected forgery (phishing) sites, and offer to take user to search page to find the real Web site they were looking for.
=== Passwords ===
* Remember passwords for sites (FF)
** Exceptions
** Show passwords
* Use a master password (FF)
** Change master password
* Enhanced password manager (IE extension - 1-Click SignupShield Suite)
** automatically fills out forms
** generates unlimited number of encrypted, unique passwords and disposable email addresses
* Browser handles password generation; single password (FF extension - Magic Password Generator, IE extension - Password Scrambler)
** Uniquely scrambles your single password for every site you visit


* Automated Update - always checks to see if you’re running the latest version, and notifies you when a security update is available.
=== Warning Messages ===
* Secure Defaults/No Security Pop-ups - remove security pop-ups because users are trained to click on the default button to complete their task. Use secure defaults instead, and only provide notifications at the top of the browser (FF brainstorm)
* Fix my settings - instantly reset internet security settings to "medium-high" default by clicking option in Information Bar.  The browser warns user with Information Bar when current security settings may put you at risk.  The bar continues to remind you as long as settings remain unsafe.  Internet Control Panel highlights critical items in red when they are unsafely configured. (IE7)
* Bookmarklets - warn users when attempting to bookmark javascript code (FF brainstorm)
* Show a warning dialog when (FF)
** I am about to view an encrypted page.
** I am about to view a page that uses low-grade encryption
** I leave an encrypted page for one that isn't encrypted
** I submit information that's not encrypted
** I'm about to view an encrypted page that contains some unencrypted information
*** Lock icon is crossed out, and address bar turns red
** Warn when sending form data by email (iCab)


* Protection from Spyware - notification whenever downloading or installing software
=== Encryption (Protocols and Certificates) ===
* Lock icon - provides detailed information about the site's security certificate (in FF)
* Digital signature information - provides more information about the publisher of a program and whether the program is digitally signed (IE Screenshot)
* Use SSL 3.0 Protocol (FF)
* Use SSL 2.0 Protocol (Flock)
* Use TLS 1.1 Protocol (Opera)
* Use TLS 1.0 Protocol (FF)
* Certificate options (FF)


* Clear Private Data - ability to clear all your private Web browsing data
=== Other ===
** setup Maxthon Browser to clear all your browsing information automatically when it closes.
* Automated update - always checks to see if you're running the latest version, and notifies you when a security update is available (FF)
 
* Word of mouth security
* Downloads - if web page uses script to try to pop up a download box and force you to deal with it, IE intercepts the script and displays a prompt in the Info bar instead. (IE screenshot)
** Social networks - 7 of your Facebook friends have purchased from this site
 
** Personal sources - Your computer-savvy cousin says this site is safe
* Digital Signature Information - provides more information about the publisher of a program as well as whether the program is digitally signed (IE screenshot)
** Online ratings - This site has 25 unresolved complaints according to BBB, and a reseller rating of 6.2
 
* Security history
* Options
** You've been to this site before
** warn me when sites try to install add-ons
** Nothing has changed since the last time you were at this site
*** exceptions
** You're sending a password to a site that you've never visited
** tell me if the site i'm visiting is a suspected forgery (phishing)
* Page Security Scoring - use standard formula to calculate a score to provide consistent and trustworthy security context semantic to users
*** check using a downloaded list of suspected sites
* Browser Lock Down - remove security decisions from the user as much as possible; determine behavior based on configuration
*** check by asking Google about each site I visit
** remember passwords for sites
*** exceptions
** use a master password
** security warnings
*** i am about to view an encrypted page
*** i am about to view a page that uses low-grade encryption
*** i leave an encrypted page for one that isn't encrypted
*** i submit information that's not encrypted
*** i'm about to view an encrypted page that contains some unencrypted information
** encryption
*** Use SSL 3.0 Protocol
*** Use TLS 1.0 Protocol
*** Certificates
** enable plug-ins (safari)
** enable java (safari)
** enable javascript (safari)
** block pop-up windows (safari)
** accepting cookies (safari)
 
* Extensions
** NoScript - It allows JavaScript, Java and other executable content to run only from trusted domains of your choice, e.g. your home-banking web site, and guards the "trust boundaries" against cross-site scripting attacks (XSS)
 
* ActiveX opt-in - Disable nearly all pre-installed ActiveX controls to prevent potentially vulnerable controls from being exposed to attack. You can easily enable or disable ActiveX controls as needed through the Information Bar and the Add-on Manager. (IE)
 
* Security Status bar - Color-coded notifications appear next to the address bar to make you aware of website security and privacy settings. The Address Bar changes to green for websites bearing new High Assurance certificates, indicating the site owner has completed extensive identity verification checks. Phishing Filter notifications, certificate names, and the gold padlock icon also appear next to the address bar for better visibility. You can easily display certificate and privacy detail information with a single click on the Security Status bar. (IE)
 
* Cross-domain barriers - Internet Explorer 7 helps to prevent the script on webpages from interacting with content from other domains or windows. This enhanced safeguard gives you additional protection against malware by helping to prevent malicious websites from manipulating flaws in other websites or causing you to download undesired content or software. (IE)
 
* Address bar protection - Every window, whether it's a pop-up or standard window, will show you an address bar, helping to block malicious sites from emulating trusted sites. (IE)
 
* International domain name anti-spoofing - In addition to adding support for International Domain Names in URLs, Internet Explorer also notifies you when visually similar characters in the URL are not expressed in the same language—protecting you against sites that could otherwise appear as known, trustworthy sites. (IE)


* URL handling security - Redesigned URL parsing ensures consistent processing and minimizes possible exploits. The new URL handler helps centralize critical data parsing and increases data consistency throughout the application. (IE)
* Personally Identifiable Information Bar
* Secure Remote Password Protocol
* Watch for credit card numbers going out on the wire


* Fix My Settings - To help protect you from browsing with unsafe settings, Internet Explorer 7 warns you with an Information Bar when current security settings may put you at risk. Within the Internet Control Panel, you will see certain critical items highlighted in red when they are unsafely configured. The Information Bar will continue to remind you as long as the settings remain unsafe. You can instantly reset Internet security settings to the "Medium-High" default level by clicking the "Fix My Settings" option in the Information Bar.  (IE)
== Pain Points ==
 
* Users ignore security indicators and click through warning dialogs (analogy is "whack-a-mole"); focus is on completing tasks
* Protected mode Internet Explorer 7 in Windows Vista runs in isolation from other applications in the operating system. It restricts exploits and malicious software from writing to any location beyond Temporary Internet Files without explicit user consent. (IE)
** Security indicators are out of the way and hard to interpret; terminology is confusing
 
*** Security UI needs to be clear and simple
 
*** In certain situations, it may help if the browser makes a decision for the user while still offering the user another option
=== Malware detection ===
*** Security UI must balance obviousness with unintrusiveness, convey clarity in reasonable size, and reflect complexity with simplicity - talk to Jonathan Nightingale
=== Anti-phishing ===
=== Other ===


== Browsers to investigate ==
== Browsers to investigate ==
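Review bot: Under "Encryption (Protocols and Certificates)", the "Digital signature information" item is about whether a program is signed and who published it, which is a download-trust capability rather than a protocol or certificate setting; consider listing it under "Malware Detection" with the other download checks. Likewise, the "openID" entry under "Anti-Phishing" is described as "possibly vulnerable to phishing attacks", so it reads as a risk rather than a capability; either move it to "Pain Points" or state which protection is being catalogued.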
Line 124: Line 159:
* CookieCuller
* CookieCuller
* CookiePie
* CookiePie
* VeriSign EV Green Bar Extension
* FirePhish Anti-Phishing Extension
* PhishTank SiteChecker
* Finjan SecureBrowsing
* iTrustPage
* YesScript - JavaScript blacklist
* PwdHash - automatically generates per-site passwords, and the same password for each subdomain; prevents JavaScript from reading your password as it is typed


=== Safari ===
=== Internet Explorer ===
==== Online Protection ====
* SpyWall Anti-Spyware - IE sandbox blocks attacks encountered while browsing the web; detects and removes spyware (not free)
* 1-Click SignupShield Suite - enhanced password manager; protects against phishing fraud and automatically fills out forms; generates unlimited number of unique passwords and disposable Email addresses for signing up to Web sites. It fills sign-up forms and encrypts passwords and Email addresses for later use during sign-in. When you need to sign-in to a Web site, SignupShield automatically retrieves the correct e-mail address and password and fills in the sign-in form for you (not free)
* McAfee SiteAdvisor for IE - protects from spyware, adware, spam, viruses, browser exploits, and online scams. SiteAdvisor has safety ratings.
* Password Scrambler - automatically present unique passwords to the sites you visit, generated from a unique master password you choose. It achieves this by uniquely scrambling your password for every site you visit, so every site gets a unique, secure and hard-to-guess password, while you only remember one.


==== Parental Controls ====
==== Pop-up Blockers ====
==== Privacy ====


== Web services/apps to investigate ==
== Web services/apps to investigate ==


== Desktop apps to investigate ==
== Desktop apps to investigate ==
* Haute Secure - prevent malware attacks in real-time with behavior-based profiling algorithms
* GreenBorder - prevents malware attacks using virtual machine techniques


= Results =
= Results =
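Review bot: The add-on lists and the capabilities section do not cross-reference cleanly. PwdHash and McAfee SiteAdvisor are listed here but no entry under "General capabilities" cites them, while the "Passwords" capability cites Magic Password Generator, which is not in the Firefox list of add-ons to investigate. Suggest either adding the missing entries on both sides or noting which add-ons are still unreviewed, so the eventual comparison table can be built from one consistent set of names.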
Line 137: Line 189:


= References =
= References =
* [http://www.microsoft.com/downloads/details.aspx?FamilyId=6AA4C1DA-6021-468E-A8CF-AF4AFE4C84B2&displaylang=en Internet Explorer 7 Desktop Security Guide]

Latest revision as of 22:43, 10 August 2007


Purpose

Examine a bunch of browsers, existing Firefox Add-ons, and web services to generate a report that describes:

  • Which capabilities each has
  • A summary of where each is different/unique
  • Some conclusions about which aspects seem most innovative and interesting that we might want to consider for Firefox

Research

General capabilities

Malware Detection

  • Prevent malware attacks
    • Tell me if a download is suspected malware (FF3)
    • Using virtual machine techniques (GreenBorder)
    • Real-time with behavior-based profiling algorithms (Finjan SecureBrowsing FF extension, Haute Secure)
    • Integrate sandboxing feature like Sandboxie; integrate virus scanning and malware protection for retrieved content/files (FF brainstorm)
    • Protected Mode - runs in isolation from other applications in the OS. Restricts exploits and malware from writing to any location beyond Temporary Internet Files without explicit user consent (IE7)
    • Cross-domain barriers - prevent script on webpages from interacting with content from the other domains or windows; protects against malware by helping prevent malicious websites from manipulating flaws in other websites (IE)
  • Preventative options
    • Ability to disable handling and downloading of certain file types (FF brainstorm)
    • Extension installation - one click to permanently add site to whitelist (FF brainstorm)
    • Removes spyware (IE extension SpyWall Anti-Spyware)
  • Notifications
    • Notification whenever downloading or installing software (FF2)
    • Warn me when sites try to install add-ons (FF)

Anti-Phishing

  • Highlight URL domain name in address bar (in FF3)
  • Address bar protection - every window, including pop-ups, will show you an address bar (IE)
  • Ability to disable AJAX on certain sites; notify user if asynchronous calls are being made on user's behalf (FF brainstorm)
  • Tell me if the site I'm visiting is a suspected forgery (phishing), and offer to take user to search page to find the real website they were looking for (FF)
    • Check using a downloaded list of suspected sites
    • Check by asking Google about each site I visit
  • Phishing Protection (FF brainstorm)
    • Make it easier to report phishing sites
    • Implement phishing filter that learns automatically; integrate w/ PhishTank
  • Blacklisting of malicious websites (FF3)
  • Safe browsing whitelist
  • FirePhish - uses Open Phishing DB to provide user with info and tools to protect against phishing attacks (FF extension)
    • Blinking-red warning when entering high-risk phishing-suspected sites
    • Green frame around location bar when entering sites on your safe list
  • EV certificates (FF3)
    • Clear UI to indicate identity verified
  • Security status bar - color-coded notifications appear next to the address bar to notify user of website security and privacy settings. Address Bar turns green for websites bearing new High Assurance certificates (IE7, VeriSign EV Green Bar FF Extension)
  • International domain name anti-spoofing - notifies user when visually similar characters in the URL are not expressed in the same language (IE)
  • OpenID - decentralized single sign-on system that is possibly vulnerable to phishing attacks
  • Surf by IP protection (FF brainstorm)
    • Disallow visiting sites by IP address (IP anywhere in URL)
    • Allow local LAN IPs
  • iTrustPage - anti-phishing tool that prevents users from filling out suspicious web forms, and suggests corresponding legitimate form (FF extension)

Content Enabling

  • NoScript - allows JavaScript, Java and other executable content to run only from trusted domains of your choice (FF extension)
  • Enable plug-ins (Safari)
    • Block flash animations (Camino)
  • Load images automatically (FF)
  • Enable Java (FF)
    • Click to run applets (OmniWeb)
  • Enable JavaScript (FF)
    • YesScript - JavaScript blacklist (FF extension)
    • Allow scripts to: (FF)
      • Move or resize existing windows
      • Raise or lower windows
      • Disable or replace context menus
      • Hide the status bar
      • Change status bar text
      • Reorder windows (OmniWeb)
  • Block pop-up windows (FF)
  • Block web advertising (Camino)
  • Adblock Plus - block ads and banners on webpages (FF extension)

Cookies

  • Accepting cookies (FF)
    • Exceptions (FF)
    • Show cookies/cookie manager (FF)
    • Discard when quitting (FF)
    • Only from the current site (OmniWeb)

Passwords

  • Remember passwords for sites (FF)
    • Exceptions
    • Show passwords
  • Use a master password (FF)
    • Change master password
  • Enhanced password manager (IE extension - 1-Click SignupShield Suite)
    • automatically fills out forms
    • generates unlimited number of encrypted, unique passwords and disposable email addresses
  • Browser handles password generation; single password (FF extension - Magic Password Generator, IE extension - Password Scrambler)
    • Uniquely scrambles your single password for every site you visit

Warning Messages

  • Secure Defaults/No Security Pop-ups - remove security pop-ups because users are trained to click on the default button to complete their task. Use secure defaults instead, and only provide notifications at the top of the browser (FF brainstorm)
  • Fix my settings - instantly reset internet security settings to the "medium-high" default by clicking an option in the Information Bar. The browser warns the user with the Information Bar when current security settings may put them at risk. The bar continues to remind the user as long as settings remain unsafe. Internet Control Panel highlights critical items in red when they are unsafely configured. (IE7)
  • Bookmarklets - warn users when attempting to bookmark JavaScript code (FF brainstorm)
  • Show a warning dialog when (FF)
    • I am about to view an encrypted page.
    • I am about to view a page that uses low-grade encryption
    • I leave an encrypted page for one that isn't encrypted
    • I submit information that's not encrypted
    • I'm about to view an encrypted page that contains some unencrypted information
      • Lock icon is crossed out, and address bar turns red
    • Warn when sending form data by email (iCab)

Encryption (Protocols and Certificates)

  • Lock icon - provides detailed information about the site's security certificate (in FF)
  • Digital signature information - provides more information about the publisher of a program and whether the program is digitally signed (IE Screenshot)
  • Use SSL 3.0 Protocol (FF)
  • Use SSL 2.0 Protocol (Flock)
  • Use TLS 1.1 Protocol (Opera)
  • Use TLS 1.0 Protocol (FF)
  • Certificate options (FF)

Other

  • Automated update - always checks to see if you're running the latest version, and notifies you when a security update is available (FF)
  • Word of mouth security
    • Social networks - 7 of your Facebook friends have purchased from this site
    • Personal sources - Your computer-savvy cousin says this site is safe
    • Online ratings - This site has 25 unresolved complaints according to BBB, and a reseller rating of 6.2
  • Security history
    • You've been to this site before
    • Nothing has changed since the last time you were at this site
    • You're sending a password to a site that you've never visited
  • Page Security Scoring - use a standard formula to calculate a score that gives users a consistent and trustworthy security context
  • Browser Lock Down - remove security decisions from the user as much as possible; determine behavior based on configuration
  • Personally Identifiable Information Bar
  • Secure Remote Password Protocol
  • Watch for credit card numbers going out on the wire

Pain Points

  • Users ignore security indicators and click through warning dialogs (analogy is "whack-a-mole"); focus is on completing tasks
    • Security indicators are out of the way and hard to interpret; terminology is confusing
      • Security UI needs to be clear and simple
      • In certain situations, it may help if the browser makes a decision for the user while still offering the user another option
      • Security UI must balance obviousness with unintrusiveness, convey clarity in reasonable size, and reflect complexity with simplicity - talk to Jonathan Nightingale

Browsers to investigate

  • Firefox 2
  • Camino
  • Flock
  • iCab
  • IE 7
  • Maxthon
  • Netscape
  • OmniWeb
  • Opera
  • Safari
  • SeaMonkey
  • Shiira

Add-ons to investigate

Firefox

  • Adblock
  • NoScript
  • CookieCuller
  • CookiePie
  • VeriSign EV Green Bar Extension
  • FirePhish Anti-Phishing Extension
  • PhishTank SiteChecker
  • Finjan SecureBrowsing
  • iTrustPage
  • YesScript - JavaScript blacklist
  • PwdHash - automatically generates per-site passwords, and the same password for each subdomain; prevents JavaScript from reading your password as it is typed

Internet Explorer

Online Protection

  • SpyWall Anti-Spyware - IE sandbox blocks attacks encountered while browsing the web; detects and removes spyware (not free)
  • 1-Click SignupShield Suite - enhanced password manager; protects against phishing fraud and automatically fills out forms; generates an unlimited number of unique passwords and disposable email addresses for signing up to websites. It fills sign-up forms and encrypts passwords and email addresses for later use during sign-in. When you need to sign in to a website, SignupShield automatically retrieves the correct email address and password and fills in the sign-in form for you (not free)
  • McAfee SiteAdvisor for IE - protects from spyware, adware, spam, viruses, browser exploits, and online scams. SiteAdvisor has safety ratings.
  • Password Scrambler - automatically presents unique passwords to the sites you visit, generated from a unique master password you choose. It achieves this by uniquely scrambling your password for every site you visit, so every site gets a unique, secure and hard-to-guess password, while you only remember one.

Parental Controls

Pop-up Blockers

Privacy

Web services/apps to investigate

Desktop apps to investigate

  • Haute Secure - prevent malware attacks in real-time with behavior-based profiling algorithms
  • GreenBorder - prevents malware attacks using virtual machine techniques

Results

Summary of unique and/or innovative features

Conclusions

References