Browser security plug-in protects against DNS flaw

Powered by SC Magazine
 

Researchers have developed a browser security system that protects against the recently-revealed DNS vulnerability and other Man-in-the-Middle (MitM) attacks.

Dubbed ‘Perspectives’, the system has been about 18 months in the making, and now is available as a Firefox 3 plug-in.

Perspectives addresses what the researchers perceive to be an increased risk of MitM attacks due to the increased use of wireless connections to the Internet.

Researcher David Andersen explained that it is easy for attackers to hijack unsecured hotspots, or set up their own access points to which unsuspecting users may connect.

Once connected, users are susceptible to having all of their traffic monitored or changed as the attacker’s computer relays communications between the user and the target site.

“A lot of people wouldn't even know they've been attacked,” said Andersen, who is an assistant professor of computer science at Carnegie Mellon University.

“An attacker in the same area can redirect your packets through their own computer and have their way with them,” he told iTnews.

Perspectives authenticates Web sites by employing a set of friendly sites, or ‘notaries’, that independently query the desired target site.

If one or more notaries receives authentication information that is different from that received by the browser or by the other notaries, the user is alerted to a potential security breach.

The authentication function is similar to that provided by certificate authorities such as VeriSign. However, researchers expect Perspectives to complement, rather than compete with, the commercially-available security systems.

“We believe that both technologies are needed,” Andersen told iTnews.

“Banks and other high-security sites really should use a CA-signed certificate - they're resistant to more classes of attacks (and different classes) than Perspectives is.”

“However, certificate authorities face an interesting problem … the system is only as good as the most insecure certificate authority trusted by your browser,” he said.

Andersen explained that there are small certificate authorities that may issue valid certificates to spoof sites. In such cases, users see a Web site with an apparently valid certificate and may proceed to use the illegitimate site.

He mentioned previous cases of attackers obtaining certificates in the name of ‘micros0ft’, while the software giant Microsoft already owns an extended validation certificate for microsoft.com.

Perspectives is expected to detect bogus sites, even in such cases, and warn the Firefox user that the site is suspicious.

By validating the digital certificates of Web sites, Perspectives also could protect against the recently-disclosed DNS vulnerability that could cause ISPs to connect users with a malicious site instead of the desired target site.

The system could be especially useful for a growing number of sites that do not use certificate authorities and instead use less expensive, ‘self-signed’ certificates.

Currently, when Firefox users attempt to access Web sites that use self-signed certificates, they are faced with a security error message.

Perspectives can automatically override the security error page for sites that appear legitimate, which researchers expect to reduce complexity and confusion for users.
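As an added illustration of the two mechanisms described above (the notary comparison and the override of the self-signed error page), the following Python is the editor's own sketch and not code from the Perspectives project. It hashes the certificate each observer saw, compares the browser's view with the views reported by several notaries, and turns the result into a page action. The notary names, certificate bytes, and the 75% quorum threshold are constructed assumptions; real notaries would compare actual certificate fingerprints fetched over the network.

```python
"""Editor's illustration of a Perspectives-style notary consistency check.

Not the project's code. Every certificate and notary name below is a
constructed sample value for the example.
"""
import hashlib
from collections import Counter

# Constructed stand-ins for DER-encoded certificates (arbitrary bytes).
GENUINE_CERT = b"constructed: genuine certificate for example.test"
IMPOSTOR_CERT = b"constructed: certificate presented by a hostile access point"

# Assumed policy: at least 75% of notaries must report the same certificate.
QUORUM = 0.75


def cert_fingerprint(cert_bytes):
    """SHA-256 hex digest of a certificate, the value observers compare."""
    return hashlib.sha256(cert_bytes).hexdigest()


def notary_verdict(browser_fp, notary_fps, quorum=QUORUM):
    """Compare the browser's observation with the notaries' observations.

    browser_fp: fingerprint of the certificate the browser received.
    notary_fps: mapping notary name -> fingerprint that notary received.

    Returns one of:
      "consistent"   a quorum of notaries saw the same certificate as the browser
      "mismatch"     notaries agree with each other but not with the browser
                     (the local-hotspot MitM case from the article)
      "disagreement" notaries disagree among themselves, so no trustworthy
                     majority exists (e.g. only some paths are being tampered with)
      "no_data"      no notary observations were available
    """
    if not notary_fps:
        return "no_data"
    counts = Counter(notary_fps.values())
    majority_fp, majority_n = counts.most_common(1)[0]
    if majority_n / len(notary_fps) < quorum:
        return "disagreement"
    if majority_fp != browser_fp:
        return "mismatch"
    return "consistent"


def page_action(browser_fp, notary_fps, ca_signed):
    """Decide what the browser should do with the connection.

    ca_signed: True if the certificate chains to a CA the browser trusts.
    """
    verdict = notary_verdict(browser_fp, notary_fps)
    if verdict == "consistent":
        # Self-signed sites that the notaries corroborate skip the error page;
        # CA-signed sites simply gain a second, independent confirmation.
        return "accept"
    if verdict == "no_data":
        # Without notary evidence, fall back to the browser's normal behaviour.
        return "accept" if ca_signed else "show_error_page"
    # "mismatch" or "disagreement": warn even if the certificate looks valid.
    return "warn"


def scenarios():
    """Run the cases from the article on constructed data."""
    genuine = cert_fingerprint(GENUINE_CERT)
    impostor = cert_fingerprint(IMPOSTOR_CERT)
    all_genuine = {"notary-a": genuine, "notary-b": genuine,
                   "notary-c": genuine, "notary-d": genuine}
    split = {"notary-a": genuine, "notary-b": impostor,
             "notary-c": genuine, "notary-d": impostor}
    return {
        # Legitimate self-signed site: browser and notaries agree -> no error page.
        "self_signed_legitimate": page_action(genuine, all_genuine, ca_signed=False),
        # Hostile hotspot swaps the certificate only on the user's path -> warn.
        "hotspot_mitm": page_action(impostor, all_genuine, ca_signed=False),
        # Some vantage points are directed to a bogus host -> no quorum -> warn.
        "partial_poisoning": page_action(genuine, split, ca_signed=True),
        # Notaries unreachable: CA-signed site keeps its usual behaviour.
        "no_notaries": page_action(genuine, {}, ca_signed=True),
    }


if __name__ == "__main__":
    for name, action in scenarios().items():
        print(f"{name}: {action}")
```

The quorum rule is what separates the "mismatch" case (a single tampered path, where a warning is clearly warranted) from the "disagreement" case (no majority at all); a deployment would also want to weigh how long each notary has seen a given certificate, which this sketch leaves out.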

The development of Perspectives was supported with grants from the U.S. Army Research Office, the National Science Foundation, and the Department of Homeland Security.

Mozilla’s Firefox 3 was chosen as a basis for development due to the accessibility of its extension framework. Andersen expressed an interest in discussing the project with Mozilla, although there so far have been no communications between the groups.

“All of the browser manufacturers have been making good strides forward in terms of the security of their browsers, but the overall browser security situation is still a mess,” Andersen said.

“I think that while we're moving out of the stone age of browser security, we're still only in the bronze age,” he said.

Perspectives currently is available as a free download from the researchers’ Web site.

The system currently is supported by a publicly-available network of notary sites developed by the Carnegie Mellon researchers, who anticipate that ISPs, universities and large companies eventually will sponsor additional notary sites.
