DOCSLIB.ORG

An Empirical Evaluation of Security Indicators in Mobile Web Browsers

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
An Empirical Evaluation of Security Indicators in Mobile Web Browsers IEEE TRANSACTIONS ON MOBILE COMPUTING, VOL. 14, NO. 5, MAY 2015 889 An Empirical Evaluation of Security Indicators in Mobile Web Browsers Chaitrali Amrutkar, Patrick Traynor, Member, IEEE, and Paul C. van Oorschot, Member, IEEE Abstract—Mobile browsers are increasingly being relied upon to perform security sensitive operations. Like their desktop counterparts, these applications can enable SSL/TLS to provide strong security guarantees for communications over the web. However, the drastic reduction in screen size and the accompanying reorganization of screen real-estate significantly changes the use and consistency of the security indicators and certificate information that alert users of site identity and the presence of strong cryptographic algorithms. In this paper, we perform the first measurement of the state of critical security indicators in mobile browsers. We evaluate ten mobile and two tablet browsers, representing over 90% of the market share, against the recommended guidelines for web user interface to convey security set forth by the World Wide Web Consortium (W3C). While desktop browsers follow the majority of guidelines, our analysis shows that mobile browsers fall significantly short. We also observe notable inconsistencies across mobile browsers when such mechanisms actually are implemented. We show where and how these failures on mobile browsers eliminate clues previously designed for, and still present in, desktop browsers to detect attacks such as phishing and man-in-the-middle. Finally, we offer advice on where current standards are unclear or incomplete. Index Terms—Measurement, mobile security, SSL indicators, web browsers 1INTRODUCTION OBILE browsers provide a rich set of features that and tablet browsers appear to support similar security M often rival their desktop counterparts. From support indicators when compared to desktop browsers, the rea- for Javascript and access to location information to the abil- sons behind the increasing number of attacks on mobile ity for third-party applications to render content through browsers [27], [30] are not immediately clear. WebViews, browsers are beginning to serve as one of the criti- In this paper, we perform the comprehensive empirical cal enablers of modern mobile computing. Such functionality, evaluation of security indicators in mobile web browsers. in combination with the near universal implementation of The goal of this work is not to determine if average users strong cryptographic tools including SSL/TLS, allows users take advantage of such cues, but instead whether security to become increasingly reliant upon mobile devices to enable indicators are applied in a manner that allows expert users sensitive personal, social and financial exchanges. to accurately determine the identity of a website or verify In spite of the availability of SSL/TLS, mobile users the use of strong cryptographic primitives for communi- are regularly becoming the target of malicious behav- cations. We believe that this distinction is critical because ior. A 2011 report indicates that mobile users are three it highlights areas where not even the best trained users times more likely to access phishing websites than desktop will be able to differentiate between malicious and benign users [8]. Security indicators (i.e., certificate information, behavior. Rather than an ad hoc analysis, we base our study lock icons, cipher selection, etc.) in web browsers offer on the recommendations set forward by the W3C for user one of the few methods to detect such attacks. A user interface security [31] as a proxy for best practices. In par- can view different security indicators and related certifi- ticular, we measure which browsers strictly conform to the cate information presented by the browser to offer signals absolute requirements (“MUST” clauses) and prohibitions or clues about the credibility of a website. Although mobile (“MUST NOT” clauses). We perform our analysis across ten mobile and two tablet browsers, representing greater than 90% of the mobile market share [4], and then compare our results against the five most popular desktop browsers. Our • C. Amrutkar can be reached at E-mail: [email protected]. experiments demonstrate that while the majority of desktop • P. Traynor is with the Southeastern Security for Enterprise and browsers largely meet the W3C recommendations, all mobile Infrastructure Center, University of Florida, Gainesville, FL 32611 USA. E-mail: [email protected]fl.edu. browsers fail to meet many of the guidelines. Additionally, • Paul C. van Oorschot is with the School of Computer Science, Carleton we observe that mobile browsers exhibit tremendous incon- University, Ottawa, ON K1S 5B6, Canada. sistency in the presentation and availability of such indicators E-mail: [email protected]. in contrast to traditional desktop browsers. Manuscript received 25 Sep. 2012; revised 24 Mar. 2013; accepted 12 Apr. Our main contribution is a comprehensive and sys- 2013. Date of publication 15 July 2013; date of current version 30 Mar. 2015. tematic evaluation and comparison of security indicators For information on obtaining reprints of this article, please send e-mail to: [email protected], and reference the Digital Object Identifier below. and security information for mobile and tablet browsers, Digital Object Identifier 10.1109/TMC.2013.90 to our knowledge the first such analysis undertaken. 1536-1233 c 2013 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information. 890 IEEE TRANSACTIONS ON MOBILE COMPUTING, VOL. 14, NO. 5, MAY 2015 The main findings of our experiments are that all popular Trust anchor: A trust anchor represents an authoritative mobile and tablet browsers fail to meet, in numerous entity represented by a public key and associated data. instances, the recommendations in the W3C guidelines for The public key is used to verify digital signatures and the user interface of security information, whereas in com- associated data is used to constrain the types of informa- parison desktop browsers largely follow the guidelines. tion for which the trust anchor is authoritative. Relying Our findings of tremendous inconsistency of user interfaces parties (web browsers) use trust anchors to determine if across mobile browsers, and between mobile and desktop digitally signed information objects are valid by verifying browsers, are also expected to be of considerable inter- digital signatures using the trust anchor’s public key and est. Among other contributions, we outline possible attacks by enforcing the constraints expressed in the associated cer- on mobile browsers, such as phishing and undetectable tificate data. Our interpretation is that a trust anchor refers man-in-the-middle, enabled by failure to properly follow to a certificate authority (CA). these guidelines; and we highlight missing security indi- Root: A root is a trust anchor that is any certificate author- cators, e.g., extended validation (EV) SSL indicators [17], ity (CA). [23], [33]. These are intended to convey an augmented assurance process, however we find most mobile browsers Trusted root: A trusted root is a CA whose public key is a fail to implement EV-SSL indicators visible to users, and priori trusted by the browser and may certify other keys. their absence along with that of any distinguishing browser Certificates: Public key certificates are widely used to behavior, precludes EV-SSL certificates from providing rely- provide keying material and convey a website’s identity ing parties any benefits beyond non-EV SSL certificates. information to the user. The W3C defines four types of cer- The remainder of our paper is organized as follows: tificates. We provide our interpretation for the definitions Section 2 provides definitions and explains the mandatory of certificate types in the W3C document where they are elements of the W3C guidelines; Section 3 provides the ambiguous. For additional information regarding the com- primary results of our evaluation; Section 4 discusses sec- mercial practice of issuing and managing SSL certificates, ondary observations; Section 5 presents ways in that a user please refer to the requirements defined by the CA/Browser can be mislead about the identity of a website or the use forum [18]. of encryption and attacks that are enabled by this confu- sion; Section 6 presents an overview of related research; and • Validated certificate: This is a public key certificate that Section 7 offers a discussion of our findings and concluding has been verified by chaining up to a trusted root. remarks. Our interpretation is that a standard SSL certificate signed by a CA trusted by a browser refers to a validated certificate. 2BACKGROUND:W3CRECOMMENDATIONS • Augmented assurance certificate: The certificate chain The World Wide Web Consortium (W3C) has defined user for such a certificate MUST be validated up to a interface guidelines [31] for the presentation and commu- trusted root that is recognized as augmented assur- nication of web security context information to end-users ance qualified by the user agent (user’s browser). of both desktop and mobile browsers. For context in later We interpret an EV-SSL certificate as an augmented sections, we first define the terminology and then provide a assurance certificate that is validated by the browser. brief explanation of the W3C guidelines referenced within • Self-signed certificate and untrusted root certificate: A this paper. self-signed certificate is a certificate that is signed by its own creator and is not a priori trusted by a browser. Our interpretation of an untrusted root cer- 2.1 Definitions tificate is that it refers to a certificate holding the User interface elements: User interface elements in public key of a CA, that is signed by a CA not a browsers are divided in two categories [31]: priori trusted by the user’s browser. • Primary User Interface: the portions of a user interface • Interactively accepted trust anchors or certificates: This that are available to users without being solicited by refers to either a CA or a website’s public key that a user interaction.
Load more

Recommended publications
  • Need for Mobile Speed: a Historical Analysis of Mobile Web Performance
    Need for Mobile Speed: A Historical Analysis of Mobile Web Performance Javad Nejati Meng Luo Nick Nikiforakis Aruna Balasubramanian Stony Brook University Stony Brook University Stony Brook University Stony Brook University [email protected] [email protected] [email protected] [email protected] Abstract—As more and more users rely on their mobile devices The problem, however, is that it is not clear which fac- for the majority of their computing needs, browser vendors are tors contribute to this improvement in performance. Mobile competing for the user’s attention on the mobile platform. As browsers are complex, and several factors affect page perfor- a result, mobile Web page performance has improved over the years. However, it is not clear if these improvements are a result mance. These factors include browser improvements, network of better browsers, optimized Web pages, new platforms, or im- conditions, the device capacity, and the page itself. It is critical proved network conditions. In this work, we conduct a historical to identify the factors that lead to the most improvement in study over 4 years with 8 popular mobile browsers, loading page performance, so that researchers and practitioners can over 250K Web pages, to isolate the effect of different factors determine not only where to focus their attention, but whether on page load improvements. Using a combination of record- and-replay proxies, historical data from the Internet archive, these performance benefits are available to all users who load and specifications about current and past network speeds, we pages on devices and networks with diverse capacities.
    [Show full text]
  • Opera Mini Application for Android
    Opera Mini Application For Android Wat theologized his eternities goggling deathy, but quick-frozen Mohammed never hammer so unshakably. Fain and neverfringillid headline Tyrone sonever lambently. reapplied his proles! Tracie meows his bibulousness underdevelop someplace, but unrimed Ephrayim This application lies in early on this one knows of applications stored securely for example by that? Viber account to provide only be deactivated since then. Opera Mini is a super lightweight browser that loads web pages faster than what every other browser available. Opera Mini Browser Latest News Photos Videos on Opera. The Opera Mini for Android lets you do everything you any to online without wasting your fireplace plan It's stand fast safe mobile web browser that saves you tons of. Analysis of tomorrow with a few other. The mini application for opera android open multiple devices. Just with our site on a view flash drives against sim swap scammers? Thanks for better alternative software included in multitasking is passionate about how do you can browse, including sms charges may not part of mail and features. Other download option for opera mini Hospedajes Mirta. Activating it for you are you want. Opera mini 16 beta android app has a now released and before downloading the read or full review covering all the features here. It only you sign into your web page title is better your computer. The Opera Mini works the tender as tide original Opera for Android This app update features a similar appearance and functionality but thrive now displays Facebook. With google pixel exclusive skin smoothing makeover tool uses of your computer in total, control a light.
    [Show full text]
  • Znetlive SSL Compatible Applications, Platforms & Operating
    ZNetLive SSL Compatible Applications, Platforms & Operating Systems Certificate Authority Root Apple MAC OS 9.0+ (circa 2002), includes 10.5.X and 10.6.X Future proof at 2048 bit, embedded in all Microsoft Windows XP, Vista, 7 and 8 (all devices and browsers and capable of upgrading versions inc 32/64 bit) weak encryption to a strong one is the most reliable Certificate Authority Root-GlobalSign. It is very important to ensure a flawless interaction of your online solutions with Default API Support within Hosting Control customers making connection with your web Panels server, reading emails, trusting your e- Ubersmith documents or running your code. Every WHMCS standard machine that uses trust of Public Key Infrastructure (PKI), e.g. S/MIME, SSL/TLS, Document Signing and Code Signing, has GlobalSign’s Root Certification present in it. Email Clients (S/MIME) ZNetLive’s SSL Certificates authenticated by GlobalSign have 2048 bit strength throughout Mulberry Mail complete Digital Certificate portfolio and Microsoft Outlook 99+ comply with recommendations of National Microsoft Entourage (OS/X) Institute of Standards and Technology (NIST) Qualcomm Eudora 6.2+ according to which all cryptographic keys Mozilla Thunderbird 1.0+ should be 2048 bit strength from 2011 onwards. Mail.app Anything weaker than 2048 bit encryption is Lotus Notes (6+) considered insecure. Because of this, the Netscape Communicator 4.51+ Certification Authorities and Browsers insists The Bat that all the EV SSL Certificates should be 2048 Apple Mail bit encryption.
    [Show full text]
  • Web Browser a C-Class Article from Wikipedia, the Free Encyclopedia
    Web browser A C-class article from Wikipedia, the free encyclopedia A web browser or Internet browser is a software application for retrieving, presenting, and traversing information resources on the World Wide Web. An information resource is identified by a Uniform Resource Identifier (URI) and may be a web page, image, video, or other piece of content.[1] Hyperlinks present in resources enable users to easily navigate their browsers to related resources. Although browsers are primarily intended to access the World Wide Web, they can also be used to access information provided by Web servers in private networks or files in file systems. Some browsers can also be used to save information resources to file systems. Contents 1 History 2 Function 3 Features 3.1 User interface 3.2 Privacy and security 3.3 Standards support 4 See also 5 References 6 External links History Main article: History of the web browser The history of the Web browser dates back in to the late 1980s, when a variety of technologies laid the foundation for the first Web browser, WorldWideWeb, by Tim Berners-Lee in 1991. That browser brought together a variety of existing and new software and hardware technologies. Ted Nelson and Douglas Engelbart developed the concept of hypertext long before Berners-Lee and CERN. It became the core of the World Wide Web. Berners-Lee does acknowledge Engelbart's contribution. The introduction of the NCSA Mosaic Web browser in 1993 – one of the first graphical Web browsers – led to an explosion in Web use. Marc Andreessen, the leader of the Mosaic team at NCSA, soon started his own company, named Netscape, and released the Mosaic-influenced Netscape Navigator in 1994, which quickly became the world's most popular browser, accounting for 90% of all Web use at its peak (see usage share of web browsers).
    [Show full text]
  • Web Browsers
    WEB BROWSERS Page 1 INTRODUCTION • A Web browser acts as an interface between the user and Web server • Software application that resides on a computer and is used to locate and display Web pages. • Web user access information from web servers, through a client program called browser. • A web browser is a software application for retrieving, presenting, and traversing information resources on the World Wide Web Page 2 FEATURES • All major web browsers allow the user to open multiple information resources at the same time, either in different browser windows or in different tabs of the same window • A refresh and stop buttons for refreshing and stopping the loading of current documents • Home button that gets you to your home page • Major browsers also include pop-up blockers to prevent unwanted windows from "popping up" without the user's consent Page 3 COMPONENTS OF WEB BROWSER 1. User Interface • this includes the address bar, back/forward button , bookmarking menu etc 1. Rendering Engine • Rendering, that is display of the requested contents on the browser screen. • By default the rendering engine can display HTML and XML documents and images Page 4 HISTROY • The history of the Web browser dates back in to the late 1980s, when a variety of technologies laid the foundation for the first Web browser, WorldWideWeb, by Tim Berners-Lee in 1991. • Microsoft responded with its browser Internet Explorer in 1995 initiating the industry's first browser war • Opera first appeared in 1996; although it have only 2% browser usage share as of April 2010, it has a substantial share of the fast-growing mobile phone Web browser market, being preinstalled on over 40 million phones.
    [Show full text]
  • Taxonomy of Mobile Web Applications from a Taxonomy and Business Analysis for Mobile Web Applications
    Chapter 3: Taxonomy of Mobile Web Applications from A Taxonomy and Business Analysis for Mobile Web Applications By Kevin Hao Liu Ph.D. Computer Science Victoria University Submitted to the System Design and Management Program in Partial Fulfillment of the Requirements for the Degree of Master of Science in Management and Engineering At the Massachusetts Institute of Technology February 2009 © 2009 Kevin H Liu. All rights reserved The author hereby grants to MIT permission to reproduce and to distribute publicly paper and electronic copies of this thesis document in whole or in part in any medium now known or hereafter created. ABSTRACT Mobile web applications refer to web applications on mobile devices, aimed at personalizing, integrating, and discovering mobile contents in user contexts. This thesis presents a comprehensive study of mobile web applications by proposing a new taxonomy for mobile web applications, and conducting a business analysis in the field of mobile web applications. The thesis reviews the current surrounding environment for mobile web applications, namely, web 2.0 and 3.0, wireless communication technology, and Smartphone platform. The recent entry and success of Apple’s iPhone greatly enhanced the public awareness of the Smartphone technology. Google’s release of open-source Android platform and T-Mobile’s deployment of Android-powered “Dream” Smartphone not only intensify the competition among suppliers, but also provide an open-source foundation for mobile web applications. This thesis introduces a new mobile web application taxonomy to systematically study the values and the groupings of the mobile web applications. By introducing features and categories, the taxonomy provides a framework so the related companies and businesses can be comparatively analyzed and summarized.
    [Show full text]
  • PT Offline - User Guide Contents Quick Guide
    PT Offline - User Guide Contents Quick Guide ............................................................................................................................................. 1 Installing PT Offline ............................................................................................................................. 1 Using PT Offline once installed ........................................................................................................... 2 Syncing checklists to PeopleTray online ............................................................................................. 2 Is my device offline? ........................................................................................................................... 2 People Offline Concept ........................................................................................................................... 4 Which browser to use on a mobile device? ............................................................................................ 4 Installing PT Offline ................................................................................................................................. 4 Using PT Offline once installed ............................................................................................................... 7 Syncing checklists to PeopleTray online ................................................................................................. 7 Is my device offline? ..............................................................................................................................
    [Show full text]
  • A Comparative Measurement Study of Web Tracking on Mobile and Desktop Environments
    Proceedings on Privacy Enhancing Technologies ; 2020 (2):24–44 Zhiju Yang and Chuan Yue* A Comparative Measurement Study of Web Tracking on Mobile and Desktop Environments Abstract: Web measurement is a powerful approach to 1 Introduction studying various tracking practices that may compro- mise the privacy of millions of users. Researchers have Web tracking is frequently performed over the Internet built several measurement frameworks and performed by various trackers to collect the information of users’ a few studies to measure web tracking on the desk- browsing activities for various purposes including per- top environment. However, little is known about web sonalized advertisement, targeted attacks, and surveil- tracking on the mobile environment, and no tool is lance [12, 21, 32]. Traditionally, stateful HTTP cook- readily available for performing a comparative measure- ies are used as the dominant technique to track online ment study on mobile and desktop environments. In this users [27]. In recent years, advanced stateful tracking work, we built a framework called WTPatrol that allows techniques such as Flash cookies and advanced stateless us and other researchers to perform web tracking mea- tracking techniques such as browser or device finger- surement on both mobile and desktop environments. printing have also become very popular over the Inter- Using WTPatrol, we performed the first comparative net [1, 3, 24, 30]. User privacy has been keeping com- measurement study of web tracking on 23,310 websites promised by trackers that utilize these techniques. that have both mobile version and desktop version web- Web measurement is a powerful approach to study- pages. We conducted an in-depth comparison of the web ing online tracking practices and techniques.
    [Show full text]
  • Web and Mobile Testing Userguide Table of Contents Web and Mobile Testing
    RANOREX WEB AND MOBILE TESTING USERGUIDE TABLE OF CONTENTS WEB AND MOBILE TESTING ................................................................................................... 3 WEB TESTING .................................................................................................................................. 4 Build a web test ....................................................................................................................... 5 Website structure in Ranorex Studio .................................................................................... 14 Advanced web testing ........................................................................................................... 20 Cross-browser testing ........................................................................................................... 27 ENDPOINTS ................................................................................................................................... 44 Endpoint settings .................................................................................................................. 46 Add an Android/iOS endpoint ............................................................................................... 48 Add a WebDriver endpoint.................................................................................................... 51 Capabilities configurator ....................................................................................................... 58 Ranorex Parallel Runner.......................................................................................................
    [Show full text]
  • Emerging Technologies E-Texts, Mobile Browsing, and Rich Internet Applications
    Language Learning & Technology October 2007, Volume 11, Number 3 http://llt.msu.edu/vol11num3/emerging/ pp. 8-13 EMERGING TECHNOLOGIES E-TEXTS, MOBILE BROWSING, AND RICH INTERNET APPLICATIONS Robert Godwin-Jones Virginia Commonwealth University Online reading is evolving beyond the perusal of static documents with Web pages inviting readers to become commentators, collaborators, and critics. The much-ballyhooed Web 2.0 is essentially a transition from online consumer to consumer/producer/participant. An online document may well include embedded multimedia or contain other forms of invited user interactivity such as questionnaires, annotations, pop-up windows, or animations. Adobe's recently released Adobe Digital Editions illustrates the trend, moving from static PDF's (read with the Adobe Reader) to a Rich Internet Application (RIA) in which PDF's are just one possible resource alongside many others. Apple's new iPhone sets another interesting marker in terms of accessing online documents, as it forgoes entirely any type of local file access and relies on ubiquitous network access for retrieving documents. On the other hand, electronic devices dedicated to the reading of texts have recently been introduced, taking advantage of new technologies for an improved e-book reading experience. In this column we will be looking at these and other recent developments as they pertain to accessing and experiencing electronic texts, and what these developments might mean for language learning. WEB TEXTS The proliferation of authentic texts on the Web is far from enough to guarantee that language learners can profitably delve into texts they have located to help them in their language acquisition.
    [Show full text]
  • How Far Can Client-Only Solutions Go for Mobile Browser Speed?
    How Far Can Client-Only Solutions Go for Mobile Browser Speed? Technical Report TR1215-2011, Rice University and Texas Instruments 1Zhen Wang, 2Felix Xiaozhu Lin, 1,2Lin Zhong, and 3Mansoor Chishtie 1Dept. of ECE and 2Dept of CS, Rice University, Houston, TX 77005 3Texas Instruments, Dallas, TX ABSTRACT The technical goal of this work is to answer this question, with the help of an unprecedented dataset of web browsing data conti- Mobile browser is known to be slow because of the bottleneck in nuously collected from 24 iPhone users over one year, or LiveLab resource loading. Client-only solutions to improve resource load- traces [14]. In achieving our goal, we make four contributions. ing are attractive because they are immediately deployable, scala- Firstly, we study browsing behavior of smartphone users and the ble, and secure. We present the first publicly known treatment of web pages visited by them. We find that subresources needed for client-only solutions to understand how much they can improve rendering a web page can be much more predictable than which mobile browser speed without infrastructure support. Leveraging webpage a user will visit because subresources have much higher an unprecedented set of web usage data collected from 24 iPhone revisit rate and a lot of them are shared by webpages from the users continuously over one year, we examine the three funda- same site. mental, orthogonal approaches a client-only solution can take: caching, prefetching, and speculative loading, which is first pro- Secondly, we quantitatively evaluate two popular client-only ap- posed and studied in this work.
    [Show full text]
  • Libraries and Mobile Technologies
    On the Move with the Mobile Web: Libraries and Mobile Technologies Ellyssa Kroski http://www.ellyssakroski.com Kroski, Ellyssa On the Move with the Mobile Web: Libraries and Mobile Technologies Chapter One: What is the Mobile Web?............................................................................................3 The Mobile Web Defined.............................................................................................................. 3 Who Are the Early Adopters? ....................................................................................................... 3 What Are People Doing with Their Mobile Devices? .................................................................. 4 Benefits of the Mobile Web .......................................................................................................... 6 Mobile Web Challenges ................................................................................................................ 6 Mobile Web Resources & Reports................................................................................................ 7 Notes ............................................................................................................................................. 8 Chapter 2: Mobile Devices ............................................................................................................. 10 Mobile Phone Devices ................................................................................................................ 10 Mobile Phone Manufacturers.......................................................................................................11
    [Show full text]