Comments: Browser Security UI: the horns of the dilemma

My oft repeated comments were that we had signoff on the webserver to payment gateway ... but we couldn't dictate the webserver to browser .... and almost immediately, merchants found that SSL cut webserver thruput 85-95% and so they dropped back to just using SSL with a payment/checkout button.

so the latest in this

Google's Obfuscated TCP
http://it.slashdot.org/it/08/10/08/0025258.shtml
Obfuscated TCP
http://code.google.com/p/obstcp/

However, SSL was to address two issues

1) validating that the website you think you are talking to, is the website you are talking to

2) hide information

The big problem with conditioning endusers to clicking on buttons from unvalidated sources ... is the validating part is broken.

SSL required the end user understand the relationship between the webserver they thought they were talking to and the corresponding URL ... and then the browser SSL code provided the assurance between the URL and webserver they were talking to. With the checkout/pay paradigm button clicking (provided from a non-SSL validated source), the paradigm degenerated to the webserver is whatever webserver that it claimed to be (since an unvalidated source was providing the URL, not the enduser from validated source).

recent related threads:
http://www.garlic.com/~lynn/2008n.html#96 Wachovia Bank web site
http://www.garlic.com/~lynn/2008n.html#100 Wachovia Bank web site
http://www.garlic.com/~lynn/2008o.html#4 Wachovia Bank web site
http://www.garlic.com/~lynn/2008.html#9 Homebanking authentication methods

Posted by Lynn Wheeler at October 8, 2008 10:29 AM

The obvious Barefruit attack can be extended to a more subtle attack. When Barefruit pretends to be a subdomain it breaks the browser cookie security model, enabling malicious content distributed by a compromised Barefruit to set cookies for the parent domain, thus enabling cross-site request forgery attacks to penetrate the "value in form element must match value in cookie" defense. Indeed, most web security depends on cookies and therefore on browser cookie rules, which depend in turn on DNS results. Barefruit and all the other MITM advertising servers deliberately break DNS, break the cookie security rules as a side effect, and break website security in consequence.

Posted by Mark Seecof at October 9, 2008 02:47 PM
Post a comment









Remember personal info?






Hit Preview to see your comment. 
MT::App::Comments=HASH(0x55c13e7b7658) Subroutine MT::Blog::SUPER::site_url redefined at /home/iang/www/fc/cgi-bin/mt/lib/MT/Object.pm line 125.