Security Icons == Encryption

Research History

• Eye tracking: users looked at icon when present but ignored icon's absence (Whalen & Inkpen, 2005)
• Behavioral: users logged in with their own account information (Schechter, et al 2007)

Marlinspike 2009

• "Malicous" Tor exit node that removed SSL from connections.
• Users are above-average in technical skills and paranoia.
• 300 logins
  • 117 email accounts.
  • 16 credit card numbers.

  • 7 paypal logins.

• 100% Success Rate.

Present Study: Focus on EV

Details

• Between Subjects Design
  • Participants asked to login to social media (Twitter), email (Outlook), and their bank account.
  • Control: no changes.
  • Manipulation: regular SSL, no EV indicators.
  • Randomly approached 20 strangers and offered $5.
  • Sketchy as hell: in university library, zero officialdom.
• Dependent Variables:
  • Logins
  • Questions about login process:
    • Did you notice anything odd?
    • Did you notice lack of EV cert?
    • Did you avoid logging into an account?

Findings

• No statistical differences between groups.
• 2 out of 3 participants who claimed to notice a lack of EV iconography logged into their account anyway.
• CS major was the only participant who refused to login.
• Replicated existing studies with larger user counts.

∴ Not secure!

Difference

Couple results with theory to:

1. prove that the security model itself is unfixable;
2. redefine into two problems: fraud detection + encryption;
3. push for incremental improvements;
4. jump start research to solve new problems.

It Can't Be Fixed

• HTTPS (lock icon bottom of page)
• Lock + HTTPS ~2004
• Extended Validation ~2008

Research

"[We] found no evidence that security was checked at all ... we were unsuccessful in reproducing normal browsing behavior during our study. ...Despite being asked to treat the [dummy] data as if it was their own, most participants were completely unmotivated to take any precautions." (Whalen & Inkpen, 2005)

WRONG:

• Present study
• Marlinspike 2009
• Schechter, et al 2007

Limits of Security Iconography

Maurer, et al 2011

Limits of Security Iconography

H3: The absence of the (trusted) Persona on non-encrypted websites will reduce their trustworthiness.

 "... we expected ... the plugin group (trust ratings) to drop due to a missing positive feedback. This did not happen. The study duration was much too short for people to get used to the plugin and expecting the green Persona to show up." (Maurer, et al 2011)

Industry

• Response to research from friend, security researcher, & smartest person in the room, "Use 3 certificate authorities...." 
  • Everyone is trying to solve the wrong problem.

• Chrome dev discussing drawbacks of DANE (Adam Langley, 2011)

  • In theory, it should be hard to get a CA certificate for, say, paypa1.com....

  • ... if you want a certificate that identifies a legal entity, rather than a domain name, then you want EV certs.

  • ... if DNSSEC stapled certificates end up being predominantly used for abuse then I'll probably kill them.

  • DANE support was pulled a year later due to lack of use.

∴ Belief in broken model is blocking progress.

Logical Fallacies

• Users check or even understand URLs.
  • bankofamerica.securelogin.com
• Users understand encryption certificates.
• Attackers will use SSL.
• Users become more alert over time.
• Statistically significant improvement!!!! (see below)

Cognitive Spotlight

Psych 101

1. Limited processing power. (Simons & Chabris, 1999)
2. Tasks that are repetitive become habituated, leave the cognitive spotlight. (Raskin, 2000)
3. Human factors researchers: moderate improvement with novel icons are due to novelty!  Stimulus/response ... extinction. (Sokolov, 1960)

When the algorithms are broken: MASS PANIC!

• Four-day lag between disclosure and fix of GOTO Fail.
• Research showing security icons are broken: 1 decade.
• Usability vs Security
• Usability == Security

Fraud Detection & Encryption

Related Yet Distinct Problems

• Current web security model inappropriately ties these two issues together.
• Incremental improvements blocked because proposed solutions do not solve both problems.
• Proposed solutions that solve both problems fail because they were not incremental.

 Ancient History

• Web security model (certificate authorities) was one of a series of 4 AM decisions @ Netscape (Marlinspike, 2011).

• Encryption overhead was non-trivial, especially on the server.

• Early web was publisher centric, 2-way communications were reserved for mail, usenet, etc.

• Websites needing encryption might be in the dozens.
  • Certificate authority would vet identity of website.
  • Users would check on the sites that they visited.
• Certs cost $$$!
• 650 "trusted" organizations.

Convergence

• Marlinspike's attempt at replacing cert auths.
  • Client choose notaries  who track TLS info.
  • n-of-m agreement on correct TLS cert.
  • Triangulation is similar to Perspectives and MonkeySphere.
• Marlinspike abandoned the project after one year.

Information Theory

{sender, receiver, information} == Web == Email == SSH

Fraud detection

• Web sucks at this.
• SSH is okay.
• Email is pretty good.
  • Spear Phishing : (

Encryption

• Web sucks at this.
• SSH is good.
• Email is okay, getting better.
  • Needs transport and E2E encryption.

Email Fraud Detection

• Primarily statistical analysis
  • Sender/Receiver
  • Content
• Catches vast majority of non-targeted attacks.
• Some people will always fall for a sc.
• Spear Phishing sucks!
  • Real authenticity checking would help.
  • High-level targets and locked down systems (iOS, Android) require 0-days.
    • Browser and OS deserve some blame here.

Web Fraud Detection

... What Fraud Detection?

• Less fraud than email due to one-way nature of web.
• Abdicate responsibility to Certificate Authorities.
• We can do better than the PhishTank!

Web Fraud Detection

Correlate user input types and sites!

• We already track usernames, passwords, addresses.
• We can detect credit card numbers, SSN, etc.
• Users log into ~25 sites & appear to use different passwords for financial sites (Florêncio & Herley 2007).
• ML visual matching  (Afroz & Greenstadt, 2011).
  • Detect visually similar sites, prevent sending bank account credentials?
  • Enable more advanced users (Snowden) to turn on warnings for visually similar sites?

Web Fraud Detection

Other cool stuff

• HSTS prevents downgrade attacks after first visit.
  • Can be hard coded into browser.
  • Supported by 2/3 major browsers, coming to IE 12.
  • Nine of top 10 banks don't have it enabled.
  • Should be done in DNS, wouldn't require initial visit.

• FIDO/U2F is great.
  • Public key crypto, not just passwords.
  • Hardware based.

Web Authenticity

Triangulation of TLS information.

• Do we really need 3 operators tracking TLS information?
  • Qualys was the only serious Convergence notary.
  • This is what "Let's Encrypt" should have been.
  • Could have 3 entities signing a single feed....
• Could count DNS information (via DANE) as an information source.
• Browser could (optionally) cache parent private key as an independent source of information (akin to SSH).
  • Attacker would have to trick client on first connect.
  • Only for places like Google, Apple, etc.

Kickstarting Progress

Competition and Money

• No one asked for Convergence, NIH syndrome.
• Competition made browsers much faster.
  • We could create a feature list and collect real-world metrics.
• Opening for IE and Opera.
  • Microsoft has the infrastructure and R&D.
  • Opera could easily enable DANE (implementation exists for Chrome).
  • Qualys is still publishing Convervence notary feed...

A Future for Certificate Auths

Certificate Authorities Have Power

• Printing money using encryption long before Bitcoin.
• Their people are in standards committees.
• ... but they want to provide real value!

Insurance Brokers

• Browsers track number of users and types of information, Cert Auths certify insurance.
• Cost (somewhat) scales with risk.
  • Different rates for sites taking credit cards vs bank account information vs SSNs.
  • Riskier customers pay more.
    • Not very granular, but better than nothing.

What This Gets Us

Fraud Detection & Authenticity

• Stop abdicating to cert auths, start using statistics.
  • As good as email, which catches 99% of non-targeted attacks.
  • It's possible to get better than email and catch targeted attacks.
• Convergence style notary + DANE + caching = 2.5 independent sources of information.
• Certificate Authorities certify fraud insurance.
  • Offers real value.
  • Cost (somewhat) scales with risk.
  • Monetary incentives for better security.

Somewhat incremental, requires research.

Web Encryption

The fix is incremental!

• Embrace Self-Signed Certs
• Embrace DANE
• Reject Unencrypted

Self-Signed Certs Server Vendors

• TLS by default.
• 3 vendors, 90% of the market (Netcraft).
• Minor tweak!

• DANE is not perfect, but it's better!​
  • Publicly auditable security process.
  • Increases cost of attack.
    • Cracking .com TLD vs 1 of 650 CAs....
• Incremental improvement.
  • Existing standard.
  • Information channel available to all browsers.
  • Does not require browser vendors to build more infrastructure.
• Progressive enhancements over self-signed.
  • Require DANE for password input?
    • Requires tracking passwords.
• Opens door for innovation from .bit and .p2p.

DANE: TLS fingerprints in DNS

What This Gets Us

Encryption

• Backports universal encryption to HTTP 1.1!
• Shuts down large swaths of the NSA's opportunistic surveillance.
• Makes censorship (China's Great Firewall) less effective, more expensive.
• Opening for innovation from Namecoin and BitShares.

100% Incremental!!!

What's At Stake

The Open Web

Questions?