Wednesday, October 14, 2009

The Broken Web Browser Model

On episode #217 of Security Now, there is a great discussion about a recently publicized idea that the web browser is inherently broken and easily susceptible to man-in-the-middle attacks. A hacker who goes by the moniker Moxie Marlinspike recently released a paper and demonstration at Black Hat 2009 about how easy it is to fake an SSL certificate, and how easy it is to intercept a user's traffic on a LAN, even when the user thinks he is visiting a secure site.

Since most web pages are not encrypted over an SSL/TLS connection by default (for example, going to takes you to an unencrypted page), the traffic on that page is in the clear and can easily be monitored by anyone with the right tools sniffing the traffic on your local area network (such as in a coffee shop or other public Wi-Fi hot spot). If you log in to PayPal, it isn't until you click the login button that your credentials get passed to the server over an encrypted HTTPS connection. Because the page itself is not encrypted, an attacker who has inserted himself into the path can intercept the traffic, strip out the HTTPS (secure SSL/TLS) request and replace it with a plain HTTP request, so the browser submits the login form in the clear. The attacker now has the PayPal user's login credentials; he then seamlessly forwards the request to PayPal and relays the response back to the user. The only clue the user has that he has been compromised is that the page returned is not encrypted (there is no https:// prefix in the address bar and no "padlock" icon).

Most users just assume when they go to PayPal that the web site will handle security. However, Steve Gibson of Security Now proposes a fundamental change in the way web browsers work, requiring that all pages be encrypted HTTPS from the beginning, and not just when you click the login button, which everyone assumes will be encrypted. Watch an interview with Moxie Marlinspike.


  1. I suppose that's true, but in the same breath, he's essentially pointed out why the attack against SSL *doesn't* work: the user is signalled that the connection is insecure (by various means: a missing padlock icon, a lack of https in the URL, a non-green address bar in IE8). What he's highlighting is a lack of user-education; users don't understand https in general.

    I don't think this is a fundamental failure of browsers, but it is something that browsers need to do a better job of: alerting users that their connection is insecure. It's difficult to strike a balance between notifying users on the one hand and annoying users on the other (as witnessed by the annoyance of UAC in Windows Vista). How do you unobtrusively alert users when they're about to do something dangerous?

  2. Very good point. Indeed, there is a great need to educate users on what to watch out for. I think at one point Moxie even mentions injecting a "padlock" favicon.ico to further trick the user into thinking that they're on a secure connection. Most users I know would probably fall for that.