Friday, May 21, 2010

No Website Left Behind: Are We Making Web Security Only For The Elite?

This is an annotated version of my presentation at W2SP 2010, since I realized my slides by themselves are missing a lot of the story. The full paper is available from the conference website and I should be putting up an HTML version shortly.

w2sp: Slide 0: No Web Site Left Behind: Are we making web security only for the elite?

Hi, I'm Terri, and I'm here to talk about whether we're excluding some very important people when it comes to web security.

The first thing you need to know is that...

w2sp: Slide 1: Page Creators are not all Programmers

And of course you knew that, because we all know the Internet is actually run by cats.

w2sp: Slide 2: The Internet is run by cats

... and we all know that cats aren't programmers; they're artists.

w2sp: Slide 3: Cats are artists

Seriously, though, many of the people who do web design professionally are artists, not programmers. You can see this through the job titles used and other services offered by many web design firms.

w2sp: Slide 4: Professional web page creators often have artistic backgrounds

And then there's all the people who make pages but aren't professionals. Cat blogs, community sports team sites, small church websites, etc. are often made by non-professionals.

w2sp: Slide 5: And there are plenty of non-professional page creators too!

And in many ways, it's fantastic that all these people can make web pages. Web 2.0! Sharing! Communication! But the problem is that web security is designed for programmers.

w2sp: Slide 6: Web Security is for Programmers

So, for the purposes of visualization, let's pretend that a web page is like a car...

w2sp: Slide 7: Suppose a web site is like a car...

Thus we can imagine web security issues like cross-site scripting and cross-site request forgery are sort of like getting gremlins in your engine.

w2sp: Slide 8: Problem: Gremlins in the engine

With this analogy in mind, let's look at some of the best tools we have for fixing websites:

w2sp: Slide 9: Safer Coding Practices

The big one is safer programming practices. You take your existing website, and replace it with a new, gremlin-proof one. This is pretty programming-intensive, much like you'd need some serious mechanic skills to replace your entire car engine.

Then there's tainting or data flow analysis, which allows you to trace the path of the gremlins through your engine...

w2sp: Slide 10: Tainting

But once you've done that, you still have to patch the code so that the gremlins can't cause problems. Programming!

w2sp: Slide 11: Tainting (Fix The Code)

We've got known exploit detection, such as web application vulnerability scanners and web application firewalls. They tell you exactly where and what kind of gremlins you have.

w2sp: Slide 12: Known Exploit Detection

But while they might protect you for a time, best practice still says you should fix your code.

w2sp: Slide 13: Known Exploit Detection (Fix The Code)

And then there's the cool mashup protections which help you fix your code to provide isolation between components so that the gremlins can't breed in your engine. But they mostly involve a lot of coding to implement.

w2sp: Slide 14: Mashup Protections

Even the language of security is heavily oriented towards programmers. The documentation for Mozilla CSP even includes set theory notation! Not exactly friendly for artists.

w2sp: Slide 15: The Language of Security

Some of the organizations that do the best job of communicating (web) security flaws tend to be intimidating to non-programmers, and really send the message “If you're not a programmer, this isn't for you.” This is not the message we want to send!

w2sp: Slide 16: Non-Programmers still need Security

Because non-programmers really do need security.

w2sp: Slide 17: The Web is a Target

The web is a big target, and attackers aren't limiting themselves to big sites – automated attacks make it worthwhile to compromise even smaller targets. Lots of attackers are interested in sending spam, SEO, evading blacklists, etc. all of which can utilize smaller sites. And the attacks aren't always where you'd expect: Did you know your Facebook account is currently worth more on the black market than your credit card?

w2sp: Slide 18: Design choices affect security

But if you're thinking “So, we just let the designers design and handle security at the programming layer below,” you're missing two important points:

First, smaller sites may not have anyone who can handle security, period.

And second, the design of a page actually affects the security of a page. For example, if you put an advertisement on a page with a form, you've just given that advertiser or advertising server access to your user's data. Programming under the hood can't fix that; it's done on the client side. A lot of “small” sites will use a variety of cut-and-paste code that they found elsewhere, increasing their risks even though they may not realize it.

w2sp: Slide 19: So... Now What?

So... that's not terribly good. What can we do about it?

w2sp: Slide 20: Security costs may outweigh risks

Before we propose any solutions, we need to keep in mind that the cost/benefit ratio for smaller sites may be very different from what we expect. Users will reject security advice if it's more costly to implement than their risks are. And for non-technical site creators, the cost of learning security may be months of additional time, personnel, and money spent on training. Whereas how much risk is there of your community sports team website getting compromised? It may not be clear, and it may not be easy to translate into dollars.

w2sp: Slide 21: Provide more secure infrastructure and tools

So the first thing we can do is provide a more secure environment. The same origin policy already provides some basic protection to websites, and it's something designers just accept as part of the web infrastructure.

When I put together these slides, I didn't have any other ideas of what to do, but I've now seen a presentation that suggested some security restrictions that would have minimal impact on the top 100,000 websites but could improve security. (The paper is titled “On the Incoherencies in Web Browser Access Control Policies”)

It'd be really handy if graphical tools like Dreamweaver could generate secure mashups. I even talked to some students from the University of Virginia who are working on small policy additions to Ruby on Rails that could provide security – we need more work like this!

w2sp: Slide 22: Provide education (that non-programmers can understand!)

Education is also a big deal: people won't bother with better security if they don't understand the risks, and they won't fix problems correctly if they don't understand the solutions. But we have to be really careful to provide materials that make sense to the target audience of designers, and that are sufficiently short that they don't cause the costs of learning to exceed the risks.

You know how the EFF has done a great job distilling the complex privacy issues in Facebook and explaining them to the general public? We need materials like that for web security as well as privacy.

w2sp: Slide 23: Provide minimal interventions (web site first aid)

Another way we can help is by providing something akin to website first aid. If you fall and skin your knee, you know enough to wash out the wound, maybe put a bandage on it. You don't need to be a doctor to help your daughter if she trips in the playground. But right now you need to be a website surgeon to handle any security!

There's already some neat things out there: The Origin: header provides protections against XSRF with minimal effort. I worked on a system called SOMA which provided additional controls over includes in websites. But the risk is in letting these minimal interventions get too huge to be useful for average websites. I'm not a huge fan of Mozilla CSP because it's getting just too big for a quick fix. We need to put a lot of thought into optimizing policy and other solutions use for common cases and less into flexibility for unlikely edge issues.

w2sp: Slide 24: Provide Separation Between Security and Design

And of course, it'd make our lives a lot easier if we could provide more separation between security and design so that design choices wouldn't necessarily compromise your security.

w2sp: Slide 25: Offload security to others

If we had more separation between security and design of web pages, we could offload security to others. For example, the person in an organization who may care most about security are your systems administrators, because they're the ones who get woken at 4am if something goes wrong, and they're the ones who have to clean up the mess.

We may even want to consider offloading security to the users: they're the ones whose data is most at risk, and they're willing to install virus scanners and even NoScript to try to protect themselves: surely we could do better there.

And finally, there's always the option of hiring outside security experts. The costs currently are prohibitive for smaller sites, but if basic security were easier, maybe we could make this more reasonable.

One thing I've been working on is a visual system for defining security policy, so it can be integrated with design tools and so security can be articulated in a language designers already understand. I'd be happy to talk more about it if you're curious.

In conclusion, while we're doing some good work in web security, we're really limiting our impact if we don't reach out to the broader range of folk who create web pages. Making web security all sound complex, time consuming and hard at all levels may be great for our job security, but it isn't the best way to go about actually making the web safer for the world!

w2sp: Slide 26: Wrap-up and Questions

Edit: Although I was unaware of this when I wrote the paper whose title is used in this blog post, apparently "No Website Left Behind" is trademarked by Cenzic.

Saturday, May 15, 2010

Subverting Ajax

I write this on 9/15/08 but never published it for some reason. The paper I'm discussing is still interesting, though, so here's the post, years late!

Today's paper is Subverting Ajax which was published in December 2006 at the 23rd Chaos Communication Congress. It is, as one might expect from the title, an overview of ways in which Ajax (Asynchronous JavaScript And XML) can be compromised.

You might think that since this paper was from 2006, many of these flaws would be closed, but sadly, the paper seems to retain its relevancy even in 2008.

Although the focus of this paper is on Ajax, particularly the case in which an attacker has placed another layer of communication "between" the browser and the server, it also covers a number of techniques that can be used in any JavaScript based attack. For example, the wrapper used around the built-in XMLHttpRequest could potentially be used to subvert any built-in JavaScript object. Also clever is the use of proxies and iframes. To be honest, the attacks I've seen in the wild have not been this complex, but if we ever close the obvious holes we can expect that more subtle attacks would happen, and it's good to understand them in advance.

The one downside to this paper is that it is clear the the authors are not native English speakers, and I'm sorry to admit that there were places where I found their use of language distracting.

Overall, I'll have to recommend the paper, as it was recommended to me, but I have high hopes that owasp.org will produce easier to read documentation on Ajax-specific threats one of these days.

Tuesday, May 11, 2010

Will privacy issues herald the end for Facebook?

I've been seeing a lot of people talking about deleting their facebook accounts over the privacy issues. At first, I chalked it up to my twitter contacts being more aware of security issues than average (I do follow a lot of security folk), but I'm starting to see retweets from outside my own network that imply a lot of people are jumping ship:

@tonyakay: "I deleted my Facebook" is the new "I don't own a TV"


Which really probably sums it up. It's a bit pretentious and holier than thou to announce your lack of Facebook, and it's kind of a techno-elite status marker. When Wired called for an open alternative to Facebook I figured I was right on the money, and it was just a thing for tech nerds to do.

But then I started seeing things like this:

@thesixthbaron Was told by a student this morning that not having a Facebook account is now cool. #abouttime


Facebook's biggest strength is in the network effect. The more people you know who use Facebook, the more useful it becomes. Everyone says, "Oh, I have to keep my account because $some_friend_or_family_group still uses it to communicate." But if Facebook is starting to be uncool the way myspace became less cool, then there aren't going to be as many people worth keeping an account for.

It's not just the people that keep users on Facebook. No one says, "I'm too addicted to FarmVille to leave." But I'm guessing that's an issue for some. However, it turns out the games may be jumping ship too. (And if you don't want to admit you're leaving because of the games, you're probably going to say the problem was privacy, because that's what the cool kids are saying.)

So now you have fewer friends on Facebook, and you have fewer new games... will you stay, or will you find you're spending most of your time elsewhere and encouraging your friends to do the same? People will keep their accounts in case Joe from highschool wants to chat, but they'll use them less and less.

We're starting to see suggestions that the facebook ecosystem actually could collapse, not just that some tech people wish it would.

Privacy is a big deal and countries are starting to care. Those are big players, but a mass exodus of actual users now shows that it's more than a few policy-makers and the techno-elite who care: privacy may actually be a selling point for future social networks because it seems that the market is demanding it.

The question for Facebook is "at what point will enough people leave?" and the answer right now may be, "when they have somewhere else to go." And that next big thing may have to provide some pretty strong privacy guarantees to woo over enough audience. Is it possible? Yes. Will it happen? That remains to be seen.

Monday, May 10, 2010

The advertising social contract vs malvertisements: how can online advertisers earn your eyes?

I'd like to draw three related things to your attention.

First: Avast released a study on malicious advertisements in February, and the media's had some fun reporting on "malvertising" while seasoned professionals tried not to roll their eyes at yet another buzzword. (Tired of malvertising? Try "badvertisements!") Malvertising is one way legit sites get hosed: estimates say 75% of sites with malicious code are legit sites that got compromised.

Second: Back in March, Ars Technica posted a rant, "Why Ad Blocking is devastating to the sites you love." That they felt ad blocking was impacting revenue and asked people not to do it. (Note that this argument spawned rebuttals.)

Third: I went to a talk by Terry O'Reilly and Mike Tennant, as part of their book tour for The Age of Persuasion: How Marketing Ate Our Culture. (I recommend their radio show.) Among the things they talked about the advertising social contract: In exchange for your attention, advertisers give you something in return. TV advertisements subsidize programming, so they're honouring the contract. Billboards don't really give anything back to the consumer, so they're breaking it.

----

So here's where we put it all together:

Using ad blockers breaks a social contract with advertisers: namely, you get free stuff (content) in exchange for those eyes. If you're taking without exposure to the advertisements, you're "stealing."

But advertisers are breaking the contract in even worse ways with malvertising. They're basically stealing from viewers. It might not be intentional, but it's probably the equivalent of having advertisements on the TV that blare so loud that they cause hearing damage. Could you blame people for turning those off?

Ad blockers do more than keep you from seeing advertisements: they may actually make you safer.

So what to do? The advertisers can try to woo people away from ad blockers by giving more. Terry O'Reilly and Mike Tennant talked about how they like to make their ads funny: so you're giving more in terms of entertainment. What can advertisers do to give back when it comes to security and privacy?

One answer I've seen on that front comes from a surprising source: Facebook. Although Facebook isn't known for getting privacy right at all, but they are doing their darnedest to put a nice spin on their privacy violations. Sure, maybe you didn't want to share with those Facebook connect apps... but isn't is awfully convenient how other sites already know your preferences?

Unfortunately, I (and many others) don't WANT creepy customization. So in the end what they're trying to do doesn't really help with their end of the social contract at all. It may even hurt for many people. Let's just hope that later attempts are a little more generous on their side of the bargain.

You know who did it better? Burger King. Their Whopper Sacrifice where you defriended 10 people for a whopper was quite the hit. In exchange for ditching your friends and giving up some privacy, you could get a free burger. And lots of people did.

I'm not sure I'd give up more privacy and security for a burger, but I'm curious to see how the more creative advertising folk handle this challenge. If users become more aware of malicious advertising, will it even be possible to overcome this challenge and still use banner advertisements, or will we be seeing advertising in new ways?

Saturday, May 8, 2010

Why Facebook is like your psycho ex

Matt McKeon's
There's been lots of really interesting articles about the privacy changes in Facebook. My personal favourite is Matt McKeon's excellent infographic showing your (private) data spreading out further and further. (See left for mini version.)

The thing that I don't quite get is how upset every one seems to be about this.

No, hear me out. I'm not just being a smug security researcher.

I caught the 6 o'clock news on TV a few weeks ago, and tried in vain not to laugh during the segment on THE DANGERS OF TEEN SEXTING. Basically, for those of you who haven't heard, sexting is the practice of sending sexually-charged text messages and photos. According to the news segment, it is a plague upon our youth, who are too foolish to realize that those naked pictures they sent to their significant others might eventually wind up on The Internet. The segment was so over-the-top that it was begging to be parodied by some comedy group, but the take home message wasn't wrong: anything you send can be shared, so don't send stuff you don't want shared.

So, when we're seeing news where smug adults talk about how teenagers don't know any better about protecting their data (or at least their naked breasts) from public scrutiny, I'm not really sure how adults can justify being horrified and shocked that their Facebook data isn't as private as they thought it was. Tell your children not to record anything they don't want available for all time, but OMG FACEBOOK IS SHARING MY DATA?!!!

I hope teenagers everywhere are laughing.

So here's what I recommend: Treat web sites much like you would potential ex-boyfriends or ex-girlfriends. You may want to trust them now, but you can never be sure when they might go psycho and write your number in bathroom stalls and share your naked pictures with the Internet. It is, of course, safest to never share anything... but we're not wired that way. People like sharing! It'd be a bit of a lonely life if you never shared anything, and nowadays sharing includes sharing online.

But websites are about as trustworthy as the worst psycho ex: you never know when policies will change, the website will get bought out by someone who has different policies and now controls your data, or someone will exploit a security hole in the website. At least ex-friends aren't usually bought by megacorps who profit from selling all their mementos of your relationship. And probably, unlike websites, 64% of your friends don't have a security flaw.

My sister has a funny story about doing a security check for a previous job that went something like this:


The guy who was doing my clearance was old enough to have children my age, and I sort of think he might have because he was getting increasingly uncomfortable about the questions he had to ask me. When he got down to ones like, "have you ever had a threesome?" he reminded me that, "you don't have to tell me if you aren't embarrassed about it. We only care if you can be blackmailed. If you're not embarrassed, it doesn't matter."


So there you have it: As long as you're not embarrassed by the stuff you share online, it doesn't matter if it gets out.

Or if you prefer dramatic news segment style: SHARE BUT BEWARE. ;)