July 15, 2004

New Attack on Secure Browsing

Over on PGP Corp's web site, they've inadvertently revealed a new way to futz with secure browsing [0].

Click on http://www.pgp.com/ and you will see an SSL-protected page with that cute little padlock next to the domain name. And they managed that over HTTP, as well! (This may not be seen in IE, which doesn't load the padlock unless you add it to favourites, or some such. So you need Firefox or Konqueror or Opera, it seems.)

Whoops! That padlock is in the wrong place, but who's going to notice? It looks pretty bona fide to me, and you know, for half the browsers I use, I often can't find the darn thing anyway. This is so good, I just had to add one to my SSL page. I feel so much safer now, and it's cheaper than the ones that those snake oil vendors sell :-)

What does this mean? It's a bit of a laugh, is all, maybe. But it could fool some users, and as the Mozilla Foundation recently stated, the goal is to protect those who don't know how to protect themselves. Us techies may laugh, but we'll be laughing on the other side when some phisher tricks users with the new, improved favicon-SSL.

It all puts more pressure on the oh-so-long overdue project to bring the "secure" back into "secure browsing." Microsoft have befuddled the already next-to-invisible security model even further with their favicon invention, and getting it back under control should really be a priority.

Putting the CA logo on the chrome now seems inspired - clearly the padlock is useless. See the countless rants [1] listing the 4 steps needed, and also a new draft paper from Amir Herzberg and Ahmad Gbara [2] exploring the use of logos on the chrome.


[0] An earlier version of this blog credited PGP Corp with this discovery. I had assumed that they had realised the security significance of the favicon with respect to the browser security model. This appears incorrect - they simply put the logo from their corporate documents there.

[1] SSL considered harmful
http://iang.org/ssl/

[2] Protecting (even) Naïve Web Users, or: Preventing Spoofing and Establishing Credentials of Web Sites
http://www.cs.biu.ac.il/~herzbea/Papers/ecommerce/spoofing.htm
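The point of the post is that the favicon is ordinary page content, chosen by whoever serves the page, while the real security signal is the transport the browser negotiated. The following script, added here as an illustration and not part of the original post or of PGP Corp's site, parses an HTML document for the favicon declarations it carries (the same `<link rel="shortcut icon">` tag a site uses to set its icon) and reports them alongside whether the page URL was actually fetched over TLS. The sample HTML and the host `www.example.test` are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class FaviconFinder(HTMLParser):
    """Collect href values of <link> tags whose rel contains the token "icon".

    This matches both rel="icon" and the older rel="shortcut icon" spelling.
    """

    def __init__(self):
        super().__init__()
        self.icons = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser already lowercases tag and attribute names.
        if tag != "link":
            return
        a = {k: (v or "") for k, v in attrs}
        rel_tokens = a.get("rel", "").lower().split()
        if "icon" in rel_tokens and a.get("href"):
            self.icons.append(a["href"])


def audit_favicon(page_url, html):
    """Describe the favicons a page declares and whether its transport was TLS.

    The two are independent: a padlock-shaped icon says nothing about the
    connection. Only the URL scheme (and the browser's own certificate check,
    which this offline example cannot perform) does.
    """
    finder = FaviconFinder()
    finder.feed(html)
    declared = [urljoin(page_url, href) for href in finder.icons]
    if not declared:
        # With no declaration, browsers fall back to fetching /favicon.ico.
        declared = [urljoin(page_url, "/favicon.ico")]
    page_host = urlparse(page_url).hostname
    return {
        "page": page_url,
        "transport_is_tls": urlparse(page_url).scheme == "https",
        "favicons": declared,
        "favicon_declared_explicitly": bool(finder.icons),
        # Icons pulled from another host are worth a second look in a review.
        "favicons_from_other_hosts": [
            u for u in declared if urlparse(u).hostname != page_host
        ],
    }


# Constructed sample page: the same tag shape a site uses to set its icon.
SAMPLE_HTML = """<html><head>
<title>Sample</title>
<link REL="shortcut icon" HREF="/favicon.ico" TYPE="image/x-icon">
</head><body>hello</body></html>"""


if __name__ == "__main__":
    report = audit_favicon("http://www.example.test/", SAMPLE_HTML)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run against a plain-HTTP URL the report shows `transport_is_tls: False` next to a declared icon, which is exactly the combination the post describes; the icon is decoration, the scheme is the fact.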

Posted by iang at July 15, 2004 08:29 AM
Comments

The only thing I see -- after I added it to my favorites -- was the favicon.ico, done by using the code:
<link REL="shortcut icon" HREF="/favicon.ico" TYPE="image/x-icon">

- -dave

Posted by: Dave J at July 15, 2004 11:42 AM

That is what the complaint is about.

The article is claiming that with the favicon as a padlock, some people (l)users will assume it is secure.

*shrug* Like the saying goes, "Make it idiot proof and the world will make a bigger idiot."

Posted by: Jeff Dierking at July 15, 2004 11:43 AM

>>Click on http://www.pgp.com/ and you will see an SSL-protected
>>page with that cute little padlock next to domain name. And they
>>managed that over HTTP, as well! (This may not be seen in IE
>>version 5 which doesn't load the padlock unless you add it to
>>favourites, or some
>>such.)


That is the PGP icon, which looks a LOT different from the SSL-protected page icon.
The SSL icon looks like this sample
(http://www.phoenixdevelopment.co.uk/images/ssl_icon.gif). The favicon I see on the PGP site is the current, stylish icon PGP adopted with v.8

- -dave

Posted by: Dave J. at July 15, 2004 11:44 AM

At 10:55 AM 7/15/2004, you wrote:

>>The article is claiming that with the favicon as a padlock, some
>>people (l)users will assume it is secure.


So to make life easier for those folks, perhaps PGP Corp. ought to change their logo entirely -- save for the product itself. You know, corporate letterhead, business cards, etc., as someone may think those items, too, are secure. :)

- -dave (just taking it one step further)

Posted by: Dave J. at July 15, 2004 11:46 AM

> that is the PGP icon, which looks a LOT different from the
> SSL-protected page icon.
> The SSL icon looks like this sample
> (http://www.phoenixdevelopment.co.uk/images/ssl_icon.gif). The
> favicon I see on the PGP site is the current, stylish icon PGP
> adopted with v.8


Ah, no Dave, that's not it - what you have there is the IE logo, or a look-alike. However, the PGP padlock looks a lot like the current Firefox logo.

(Admittedly, when I added the PGP padlock to my site, I was just doing that as a stopgap until I can get someone to make a favicon out of the IE logo for me. I think copying the IE padlock would be more effective protection for my webpages than the PGP padlock :-) )

> so to make life easier for those folks, perhaps PGP Corp. ought
> change their logo entirely -- save for the product itself. You
> know, corporate letterhead, business cards, etc., as someone may
> think those items, too, are secure. :)

Let's see if I can clear up some of the confusion here. I'm not suggesting that PGP Corp are trying to confuse users ... nor that they should avoid doing so.

It would be ludicrous to even think of such, because a real attacker wouldn't take your suggestion of avoiding the padlock favicon so as to not confuse the users... In fact, I think PGP are doing the right thing by putting the padlock on their site, and letting people see what it means. If we all avoided this because we were scared of confusing users, then when a phisher does do it, he would enjoy the element of surprise in his attack!

iang

Posted by: Iang at July 15, 2004 11:48 AM

Dave-

I think Ian is addressing another concern, one that would not be relevant to most on this mail list.

When dealing with non-crypto-aware Internet users, one of the things one points to in discussions about sending personal data over the Net is, "Look for a little lock icon on the browser. That means you have a secure channel between your desktop and Amazon's server." If they grasp that concept, you can then talk about clicking the icon and giving a "cursory" look at the presented certificate. Easy enough to fake, but the browser should squawk about unknown Roots...

PGP Corp, by adding that favicon, *may* be confusing some who assume the lock means a secure connection. The page requires no personal data, and the purchase page that does is, I'm sure, protected by SSL/TLS. So there is no danger of a security leakage.

But in the minds of some, it could be a point of confusion, and they may begin to look at the address bar instead of the proper browser position for assurance. Each browser has a different location, which is another security concern and should be standardized. As you pointed out, just a little bit of code places a rather official-looking lock right there in the focus of the user: the address bar. Certainly a possible method of abuse at other sites.

Now the question becomes, why all of a sudden the use of favicons in address windows? I don't like them but that's me.

I think Ian's point is well taken. With constant phishing for personal data through important looking emails, a link to a fake EarthLink Accounts page with a lock favicon may bring in a fair amount of personal data by deceiving folks into believing they have a secure connection to EarthLink's servers (as an example).

Yours-
Ridge

Posted by: John Ridge Cook at July 15, 2004 11:49 AM

And this is supposed to prove what exactly? So PGP used a padlock icon as a favicon. That has nothing to do with "new attacks on secure browsing". The padlock icon is supposed to be at the *bottom* of the browser, not to mention the fact IT LOOKS COMPLETELY DIFFERENT! If users are too stupid to realise that, too bad.

Your attempt at a sensationalist story is nothing more than FUD and BS.

Posted by: Sue Doe Nym at July 15, 2004 12:08 PM

Sue,

glad you could join us. You are absolutely right - the padlock looks nothing like a real padlock, not to mention it is on PGP's site, so it's really obscure what they will gain. Complete FUD and BS.

Luckily, phishers aren't as smart as you and can't create a proper favicon to put in their spoofed pages. Darn it, they're probably too thick to even read PGP's site, and if they were reading this blog entry, they'd know better. And, users that are too stupid to be able to spot the location change of the padlock shouldn't be allowed to use the Internet.

With security experts like you protecting us, we can all sleep well. I feel so much safer.

Posted by: Iang at July 15, 2004 12:18 PM

>That's true - this has little to do with PGP usage,
>> just with PGP Corp's discovery of this ... (come on
>> guys, tell us who figured it out :-) So, we should
>> really save the debate about how to deal with the
>> issue for other crypto developer groups.

I am not sure what you are driving at. Who figured what out?

The favicon has been around for some time, just not implemented in IE very reliably. I see favicons all over the net, and it is usually an identifying logo or image.

As to the creator of the favicon idea, I haven't a clue, try googling for it.

Posted by: Jeff Dierking at July 15, 2004 01:34 PM

>
> I am not sure what you are driving at. Who figured what out?


Specifically, who figured out that we could create a favicon that was a copy of the SSL padlock, and then potentially convince the user this means the same thing as the SSL padlock, albeit with a different position.

(One has to be up on the phishing epidemic to see the charm of this attack. Google and despair.)

Maybe I'm wrong - when I looked at the PGP site I thought they must have known what they were doing, but then someone mentioned that the logo comes from the product set, so maybe it was inadvertent?

iang

Posted by: Iang at July 15, 2004 01:35 PM

>so maybe it was inadvertent?

It was inadvertent, just jumping on the favicon bandwagon, but it shows a weakness in SSL notification as currently displayed in browsers. I've already posted warnings in our newsgroups.

I get phishing emails several times a week. Some are pretty sophisticated with fake Verisign seals and screens that *do* display the proper SSL lock but are not from a https site nor offer a certificate. The use of a lock favicon is a pretty easy way to fool the unaware. The market for personal information is huge, just 5% response could net thousands of credit card #s, SS#s, home addresses and phone #s.

Or think about bank/brokerage house logins, what could you do with captured info like that? Most of the folks using those services would barely register the position of the security "lock".

Yep, a neat trick.

Posted by: John Ridge Cook at July 15, 2004 01:37 PM

Yes, it is just their logo. Like I said, most favicons are just the logos. It is an interesting take on things when you take into consideration phishing.


Posted by: Jeff Dierking at July 15, 2004 01:53 PM

I'm using IE 6.0 and don't see the icon. Where exactly does it appear to others, on top, left or right side?

Posted by: Anton at July 15, 2004 04:04 PM

Anton,

It appears that with IE, you have to add the site to your favourites to trigger the favicon display. From what I can tell, Microsoft invented the favicon for one purpose - to make bookmarks easier - and other browsers have expanded the use - to make all browsing easier.

So, oddly, users of Microsoft browsers may be less vulnerable than users of Mozilla, etc.

Posted by: Iang at July 15, 2004 04:26 PM

Argh,

so what do I call you now? "Nitpicker" or "a very fine and sharp mind", can't make my mind on this one.

It only painfully demonstrates the blatant naïvety of the assumption that the PC can provide a trusted user interface. With the current spread of PDAs it becomes feasible to think about "trusted wallet devices". Yes, even in the shadow cast by the appearance of PDA viruses.

BTW, not only does IE 5 not show it on the address line, but IE 5.5 and IE 6 don't show it either.

kr

Posted by: Twan at July 16, 2004 02:34 AM

Here's what I saw when going to the PGP site:

Windows XP Pro:
IE 6.x: No padlock
Firefox 0.9.2: Padlock on address bar and tab

Mac OS 10.2.8:
IE 5.2: No padlock
Safari 1.0.2: Padlock on address bar but not on tab
Firefox 0.8: Padlock on address bar and tab
Camino 0.7: Padlock on address bar and tab

You stated that http://www.pgp.com is an SSL-protected page, but did you mean https://www.pgp.com? On my Powerbook, with all the browsers I get an error that the certificate is wrong and they end up at http://www.pgp.com.

I'm not sure if PGP deliberately set out to confuse naïve users since their logo has been the padlock for a while. Many web sites have their logo displayed on the address bar (and tab) when you go to their site, see http://www.yahoo.com or http://www.google.com. Maybe Jon can answer the question.

Respectfully,
Aram Perez

Posted by: Aram at July 16, 2004 03:17 AM

Aram,

It's now pretty clear that PGP had no clue what this was all about. Apologies to all, that was my mistake. Also, to clarify, there was no SSL involved.

What we are looking at is a case of being able to put a padlock on the browser in a place that *could* be confused by a user. This is an unintended consequence of the favicon design by Microsoft.

Now, another thing becomes clearer, from your report and others: Microsoft implemented the display of the favicon only as accepted / chosen by the user. You have to add this site as a favourite.

Other browsers - the competitors - went further and displayed the favicon on arrival at the site. I guess they felt that it could be more useful than Microsoft had intended. But, in this case, it seems that they may have stumbled on something that goes too far.

What will save them in this case is that the numbers of users of such non-Microsoft browsers are relatively small. If the tables were turned, and it was Microsoft that was vulnerable, I'd confidently predict that we would see some attempted exploits of this in the next month's phishing traffic.

Posted by: Iang at July 16, 2004 03:24 AM

And how about this one in Mozilla?

Edit|Preferences|Appearance

UNcheck 'Show website icons'

With this, you just get a generic icon and there's no possibility that you get confused about the site being SSL-secured or not. Added bonus: you don't get any singing/dancing/flashing BS from ANY site.

Posted by: Henk at July 17, 2004 03:22 AM

Here's another related attack using favicons:

http://www.opennet.ru/base/ms/1086626281_235.txt.html

Posted by: Iang at July 17, 2004 05:53 PM