Secure Browser-Based Instant Messaging

Secure Browser-Based Instant Messaging

Brigham Young University BYU ScholarsArchive Theses and Dissertations 2012-09-22 Secure Browser-Based Instant Messaging Christopher Douglas Robison Brigham Young University - Provo Follow this and additional works at: https://scholarsarchive.byu.edu/etd Part of the Computer Sciences Commons BYU ScholarsArchive Citation Robison, Christopher Douglas, "Secure Browser-Based Instant Messaging" (2012). Theses and Dissertations. 3372. https://scholarsarchive.byu.edu/etd/3372 This Thesis is brought to you for free and open access by BYU ScholarsArchive. It has been accepted for inclusion in Theses and Dissertations by an authorized administrator of BYU ScholarsArchive. For more information, please contact [email protected], [email protected]. Secure Browser-Based Instant Messaging Christopher D. Robison A thesis submitted to the faculty of Brigham Young University in partial fulfillment of the requirements for the degree of Master of Science Kent E. Seamons, Chair Daniel M. A. Zappala Sean C. Warnick Department of Computer Science Brigham Young University December 2012 Copyright c 2012 Christopher D. Robison All Rights Reserved ABSTRACT Secure Browser-Based Instant Messaging Christopher D. Robison Department of Computer Science, BYU Master of Science Instant messaging is a popular form of communication over the Internet. Statistics show that instant messaging has overtaken email in popularity. Traditionally, instant messaging has consisted of a desktop client communicating with other clients via an instant messaging service provider. However, instant messaging solutions are starting to become available in the web browser{services like Google Talk, Live Messenger and Facebook. Despite the work done by researchers to secure instant messaging networks, little work has been done to secure instant messaging in the browser. We present secure browser-based instant messaging overlays as a means to enable convenient, secure communication in existing browser-based instant messaging interfaces. Additionally, we present a prototype implementation of the secure messaging overlays and the results of two user studies{the first study focusing on user interest in secure chat and the second being a usability study of the prototype. Keywords: secure instant messaging, secure chat, Facebook Chat, Private Facebook Chat ACKNOWLEDGMENTS Marci's love, patience, and help inspired me throughout the entire thesis process. Dr. Seamons's thoughtful advice and reviews greatly contributed to the concepts on which the thesis is built, as well as to this document itself. Internet Security Research lab provided the foundation and initial ideas on which to build. Brigham Young University - made possible by its owners and donors - made the ideal learning environment. Thank you, all. Table of Contents 1 Introduction 1 1.1 The Problem . 2 1.2 Secure Overlays . 3 2 Related Work 5 2.1 Challenges . 5 2.2 Off-the-Record Messaging . 5 2.3 Key Exchange . 6 2.4 Other Systems . 7 3 User Survey 8 3.1 Description . 8 3.2 Chat Systems . 8 3.3 Transmitted Information . 9 3.4 Privacy . 13 4 Design and Architecture 16 4.1 Goals . 16 4.1.1 Usability . 16 4.1.2 Bootstrapping . 17 4.1.3 Confidentiality . 17 4.2 Architecture . 18 4.2.1 Key Management . 18 iv 4.2.2 Client Overlays . 19 4.2.3 Service Provider . 19 4.2.4 Client Proxy . 20 4.3 Threat Model . 20 5 Implementation 22 5.1 Walk-through . 22 5.2 The Client . 27 5.2.1 PFC Website . 27 5.2.2 Bookmarklet . 27 5.2.3 In-Page Services . 29 5.2.4 Window Services . 30 5.2.5 Messages . 31 5.3 The Key Server . 32 6 Usability Study 35 6.1 Task #1 . 35 6.2 Task #2 . 37 6.3 Task #3 . 38 6.4 Task #4 . 40 6.5 Task #5 . 40 6.6 Follow-up . 41 6.7 Summary . 43 7 Threat Analysis 45 7.1 Secure Content Disclosure . 45 7.2 Authentication Vulnerabilities . 46 7.3 Content Swapping . 47 7.4 Successful Message Modifying . 47 v 7.5 Denial of Service . 47 7.6 Malicious Links . 48 8 Conclusion 49 8.1 Contributions . 49 8.2 Summary of Findings . 49 8.3 Future work . 51 8.3.1 Formalize Secure Overlay APIs for Service Providers . 51 8.3.2 Multi-factor Authentication . 51 8.3.3 Usability . 51 References 52 A Initial user survey 55 B Usability study 60 B.1 Demographics . 60 B.2 Instructions . 61 B.3 Task #1 . 61 B.3.1 Preparation . 61 B.3.2 Scenario . 61 B.3.3 Questions . 61 B.4 Task #2 . 62 B.4.1 Preparation . 62 B.4.2 Scenario . 63 B.4.3 Questions . 63 B.5 Task #3 . 63 B.5.1 Preparation . 63 B.5.2 Scenario . 63 vi B.5.3 Questions . 63 B.6 Task #4 . 64 B.6.1 Preparation . 64 B.6.2 Scenario . 64 B.6.3 Questions . 64 B.7 Task #5 . 65 B.7.1 Preparation . 65 B.7.2 Scenario . 65 B.7.3 Questions . 65 B.8 Follow-up Questions . 66 vii Chapter 1 Introduction Instant messaging is a convenient form of communication. Each year the instant messaging user base grows by 200 million. In 2004, a published report showed that the volume of instant messages surpassed email as the preferred communication medium on the Internet. The market has become saturated with various desktop clients to provide easy instant messaging access. Over the last 5 years, instant messaging usage has moved away from desktop clients to web-based clients. In 2005, Google launched its Google Talk platform, which was primarily web-based and integrated with Gmail. In 2010, Microsoft launched a new Windows Live Mail platform, which includes a web-based Live Messenger client. These solutions are convenient as they provide a one-stop shop for email and instant messaging. However, a recent report shows that users are shifting away from the email/instant messaging mash-ups and moving to online social networks as their primary communication platform.1 Social networks provide a handy interface for users to peruse through the happenings of others' lives and actively instant message at the same time. According to one survey, most teenagers now only instant message when logged into a social networking website. Although convenient, social networks (i.e., Facebook) have been criticized for their lax attitudes towards the privacy of user data. 1Email Statistics Report, 2009-2013, http://www.radicati.com/?p=3229 1 1.1 The Problem One of the problems with browser-based instant messaging applications is the lack of true end-to-end privacy between users. Although work has been done to create end-to-end privacy for desktop clients, web-based clients remain at the mercy of those hosting the service. There are four components to web-based instant messaging systems: service providers, client proxies, browser clients and the underlying network. Each presents complex privacy issues. Service providers facilitate the transport of messages from one user to another. A service provider can read every message traversing its system. Google Talk, for example, archives all conversations in Google's Gmail. The text of these archived messages is then mined to provide better AdSense marketing. In addition to reading messages, a service provider can also impersonate a user. For example, suppose Alice works for the messaging services division of Google and Bob is an average user of those messaging services. Alice wants to phish for information from Bob's friends. Because Alice has direct access to the internal workings of the messaging service, she can impersonate Bob and begin conversations with Bob's friends. Bob's friends will not know that it is actually Alice that is talking with them. Web browsers are a mature technology that provide a window into the vast data repositories and applications of the Internet. All major browsers have been exploited through web sites specifically designed to take advantage of them. A browser also has access to the user data on the machine on which it is running as well as the input given by the user, which could be used for malicious purposes. Because web browsers communicate with web servers over the stateless HTTP protocol, a client proxy is needed. A client proxy is a program that runs outside of the context of web server; it creates a persistent connection to the service provider. Client proxies are given users' credentials in order to impersonate them. There are many online, browser-based services (i.e. Meebo, ILoveIM, eBuddy, KoolIM) that aggregate and proxy the use of many 2 different popular instant messaging services. As with the service providers, client proxies can read every instant message it receives. Even if we could trust the.

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    76 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us