Safe Web Browsing Mode (SBM)

GOALS

Safe Web Browsing supports the following goals:

2.2 Relevance of security information

SBM recommends that, rather than providing new security information, the browser should require a user who wants to use the web in a more secure mode to take an active step to place the browser in SBM. Education and supporting security information should make it very clear that, when in SBM, only specified sites can be accessed. Details concerning the site being accessed, the security settings selected by SBM, and the certificates being used should be easily accessible for the interested user, but not required.

2.3 Consistent presentation of security information

The active action (keystroke and mouse sequences) used, the look and feel of SBM, and the means for accessing supporting information should be common across all browsers.

2.4 User awareness of security information

The user will be aware of being in SBM because he/she had to invoke it, because of its distinctive look and feel, and because it can be verified by trying to access a website that should not be accessible while in SBM.

2.5 Reliable presentation of security information

SBM is not dependent upon the user reacting to any presentation techniques, so there is nothing to deceptively imitate. If the user gets a message that SBM is not working, there is no recourse, no alternative, other than falling back into normal browsing mode.

2.6 Reduce the number of scenarios in which users need to make trust decisions.

The trust decisions are made by software in SBM; the user is not required to do anything beyond invoking SBM.

OVERVIEW

• Safe Web Browsing Mode (SBM) refers to a state that a browser can be placed in. While in that mode, the user has both a real and a perceived sense of security, knowing that he/she can only be communicating and exchanging information with trusted websites and not a spoof. This is because, when in SBM, the browser will only permit user-selected, highly trusted websites to be accessed. A highly trusted website is a website that can be certified as such. These are websites that have gone to some lengths to allow themselves to be reliably identified as authentic and trusted (they have met the necessary technical requirements, as well as contractual requirements that include a rigorous certification and compliance process).

• One way to achieve this would be to require the website to belong to a community (e.g. FI, healthcare, government) that is willing to work with the EV CAB Forum, and the EV certificate issuers, to put in place a process that would allow a website to apply for an EV Cert with a Community logo type. To obtain this logo, the community authority must strongly certify those of its members who have agreed to meet special technical, contractual, audit and compliance requirements, and to put its website through a rigorous certification process.

• Upon certification by this community, the website would be issued an EV certificate with a community-type logo added to it. The website should agree to digitally sign and bind its URL and IP addresses, to allow its web pages' authenticity to be verified, to allow itself to be audited, and to accept certain liabilities required by that community.

• The user should also be able to include in Safe Mode any website that has met the technical requirements to be reliably authenticated and that the user knows sufficiently well that it does not require a certifying community-type logo. An example of this would be a user who is an employee of Corporation X and wishes to be able to access his company’s website under SBM.

• This mode, SBM, is intended for the user who wishes to be sure that they are at the intended known, trusted website before they exchange sensitive information. It addresses the needs of several of the use cases brought up in the WSC working group (see Use cases below).

• The Secure Browsing Mode needs to be extremely difficult, if not impossible to fool into passing through an “untrusted site”. This is assured by the technical requirements imposed on the website.

• The user must take an active step to go into SBM. Initially, this will involve clicking a special control sequence. This mode of interaction requires the user to know of and take explicit actions up front, and to take an extra step if the user wishes to browse outside the set of homogeneously certified sites. In return, the user can assume all web sites they go to have a consistent level of trustworthiness, using only the look and feel indicator of SBM. Both “good indicators” (e.g. green bars and locks that are currently used to indicate that the user is at a good website and/or is exchanging information with the website securely) and “bad indicators” (e.g. red alerts that indicate the website is a spoofed or untrustworthy website) are often ignored by many users. Furthermore, the absence of these “indicators” (good or bad) is often overlooked by many users. In addition, even poor spoofs of these indicators (indicators painted outside the chrome, or painted over the chrome) can fool enough users to make them not particularly useful. If users are somehow automatically placed into SBM mode without any action on their part, we are back to the same problem we are trying to avoid, which is getting users to recognize something that is “safe” solely on the basis of some kind of visual or other cue.

• SBM is ideal for users that want to be careful before they conduct financial and other high risk transactions and information exchanges with a website, and desire higher assurance that they are communicating with the intended site, e.g. their bank. When in SBM mode the browser will only permit user-selected highly trusted websites to be accessed. This prevents the user from being able to receive and/or log on to the wrong site, an untrustworthy site.

• SBM creates a separation between the space where users conduct sensitive transactions and the space where they casually browse the internet. When in SBM mode, the browser will have a distinct look, but the success of SBM is not dependent upon the user actually paying attention to this look.

• When in SBM, the browser will be automatically placed in a default highly secure mode, where the browser’s security settings are pre-selected (this is discussed in the related recommendation, Browser lock-down). Many features deemed dangerous will be turned off (e.g. “FSTC BMA Browser Recommendations” in this wiki).

• The user can test and verify whether they are in SBM by trying to access a website that is not one of the user’s selected “highly trusted” sites.

• The user can accept all highly trusted sites, or can start out with an empty personal list and can add additional sites to the list as they are accessed and used, much as one now adds to their web favorite list, provided the site is approved to be accessed while in SBM. The user can also take away sites from being accessed in SBM. Alternatively, the user can choose to enable all the sites approved to be accessed while in SBM.

• The goal of SBM mode is not to eliminate phishing attacks, but to protect those who are willing to take proactive steps to avoid them. SBM mode will not be required, but will be voluntary.

• To make SBM useful, these things must be true:

• Although the creation of an SBM mode is vitally important to the Financial Services community, where real dollar losses to our customers are at stake, the notion of safe browsing is inherent to many other communities, e.g. eBay, Amazon, your health care provider. So SBM should be developed so it can scale up to include any interested community that is willing to enforce compliance with the stringent technical and contractual requirements.

• As with privacy, there may ultimately be different degrees of trust (multiple SBM levels, associated with different communities of varying trust, related to the strength of the technical and contractual certification process and the relevant rules and policies governing the community with respect to security measures and behavior subscribed to by participating members). However, to start with, we might keep things simple: either a site is trusted and included in SBM, or not.

• The ANEC report calls for a standardization of the means for identifying and filtering content, and this standardization might be extended to include Safe Web Browsing in addition to Privacy and other filtering, such as parental filters (e.g. filtering out pornographic sites).

• SBM should be designed to be extensible. The initial operational capability will be built by adapting currently available technologies (e.g. CardSpace, EV Certificates with logo type extensions and secure letterhead) as described below. However, SBM should be able to be strengthened over time, by including new, better technologies as they get defined and introduced (e.g. a Community CA Bridge similar to the Federal Bridge; DNSSEC; a stronger, more tightly controlled Top Level Domain).

• The current approach violates the following usability principles:

• This is because the security is not built into the user's intended task, and the security indicators are many, are often not related to the concerns of the task at hand, are often complex to understand or relate to the task at hand, and are often not consistent.

• SBM, in contrast, is integrated into the intended task at hand. The task at hand is to allow the user to access a website in a way that ensures that they are at the intended known, trusted website before they exchange sensitive information. SBM allows the user to have this assurance by adding an additional keystroke before clicking on a link or typing in a URL. The act is minimal, and should be consistent across browsers. If you want to browse in safe mode, you invoke safe mode, in a similar manner to how you invoke an operating system’s safe mode; and the safe mode directly relates to what the user is doing: trying to access a desired trusted web site and to block any spoofs. It is a relatively easy step to take, and it could become a habit: enter a special key sequence before one tries to access a highly trusted site.

APPLICABILITY (*)

Since SBM should be designed with a specific look and feel, and requires a user to invoke SBM using a pre-set keystroke sequence, an equivalent should be developed for those with a disability that prevents them from either discerning the look and feel, or from invoking the keystroke sequence.

REQUIREMENT (*) | GOOD PRACTICE (*)

An implementation MUST be able to invoke SBM when the user enters the pre-set keystroke sequence.

The implementation, when in SBM, MUST check that a website has digitally signed its URL and IP addresses with a key that is certified by an EV Certificate with a participating community type logo.

The implementation MUST be able to show the certificate, site name and logo type if requested by the user.

The implementation MUST block from access, when in SBM, any website that does not pass the website checks.

The implementation SHOULD provide a distinct look when in Safe Mode that is consistent across implementations.

The implementation SHOULD have supporting instructions and information on SBM and how it works.

The implementation SHOULD be capable of being extended to support other technical checks and requirements as they become available, such as DNSSEC, filtering on TLD, and supporting Bridge Authorities in addition to EV certificates with logo types.

The implementation MUST be capable of allowing the user to take an action to get out of SBM. This could be as simple as closing down the browser.

TECHNIQUES (*)

See the Overview

DEPENDENCIES

This solution would be dependent upon the following:

7.1 Provided by HTTP

7.2 Provided by web content

7.3 Provided by SSL

7.4 Provided by IP or DNS

7.5 Provided by user agent

7.6 Provided by user

7.7 Provided by third-party

EXAMPLES (informational)

A conforming implementation would be an implementation that invokes SBM when the user enters the pre-set keystroke sequence; when in SBM, checks that the requested website has digitally signed its URL and IP addresses with a key that is certified by an EV Certificate with a participating community type logo; blocks access to the website if it fails that check; and can show the certificate, site name and logo type if requested by the user.

A non-conforming implementation would be an implementation that does not block access to a requested website that fails the check.
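
The conforming behaviour described above can be written as a single decision function. This is an added example, not code from the SBM proposal: the JSON binding of origin to IP addresses, the Ed25519 site key, the certificate object fields (ev, communityLogotype, publicKey) and all function names are assumptions, and certificate chain validation is taken as already done by the TLS stack.

```javascript
// Added illustration; the binding format, certificate fields and every
// name here are assumptions, not taken from the SBM proposal.
const nodeCrypto = require('node:crypto');

// Canonical bytes the site signs to bind its origin to its IP addresses.
function bindingBytes(origin, ips) {
  return Buffer.from(JSON.stringify({ origin, ips: [...ips].sort() }));
}

// Access decision while in SBM. `req.cert` models a certificate whose chain
// the TLS stack has already validated; chain validation is out of scope.
function sbmDecision(req, userList, communities) {
  const deny = (reason) => ({ allow: false, reason });
  const origin = new URL(req.url).origin;
  if (!userList.has(origin)) return deny('not-on-user-list');
  if (!req.cert.ev) return deny('not-ev');
  if (!communities.has(req.cert.communityLogotype)) return deny('no-participating-logotype');
  const b = req.binding;
  if (!b || b.origin !== origin) return deny('binding-origin-mismatch');
  let ok = false;
  try {
    ok = nodeCrypto.verify(null, bindingBytes(b.origin, b.ips), req.cert.publicKey,
                           Buffer.from(b.signature, 'base64'));
  } catch {
    ok = false; // a malformed key or signature counts as a failed check
  }
  if (!ok) return deny('bad-binding-signature');
  if (!b.ips.includes(req.remoteIp)) return deny('ip-not-bound');
  return { allow: true, reason: 'ok' };
}

// Constructed sample data: made-up bank, documentation-range IP addresses.
function demo() {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ed25519');
  const origin = 'https://bank.example';
  const ips = ['192.0.2.10', '192.0.2.11'];
  const signature = nodeCrypto.sign(null, bindingBytes(origin, ips), privateKey)
    .toString('base64');
  const cert = { ev: true, communityLogotype: 'FI', publicKey };
  const binding = { origin, ips, signature };
  const userList = new Set([origin]);
  const communities = new Set(['FI']);
  const reason = (over) => sbmDecision(
    { url: origin + '/login', remoteIp: '192.0.2.10', cert, binding, ...over },
    userList, communities).reason;
  return {
    genuine: reason({}),
    unfamiliarDomain: reason({ url: 'https://bank-example.test/login' }),
    wrongAddress: reason({ remoteIp: '203.0.113.5' }),
    editedBinding: reason({ remoteIp: '203.0.113.5',
      binding: { ...binding, ips: [...ips, '203.0.113.5'] } }),
    noLogotype: reason({ cert: { ...cert, communityLogotype: undefined } }),
    notEv: reason({ cert: { ...cert, ev: false } }),
  };
}

console.log(demo());
```

Every path other than the final return blocks the request, which is the property the non-conforming implementation lacks; the unfamiliarDomain case corresponds to Use Case Scenario 2.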

USE-CASES

• Use Case Scenario 1 - Once a week, Alice pays her bills. She opens her web browser, invokes safe mode, follows the habitual bookmark to her bank's site, logs in by entering her credentials, and follows the routine course through the online banking system.

• Use Case Scenario 2 - Once a week, Alice pays her bills. She invokes safe mode, opens her web browser, follows the habitual bookmark to her bank's site, and is directed to an unfamiliar site at a new domain. The unfamiliar site is blocked because it cannot pass the Safe Mode checks. Alice never sees the site announcing that her bank has recently acquired another one and changed names a bit, and asking her to enter her usual credentials.

• Use Case Scenario 3 - Once a week, Alice pays her bills. She invokes safe mode, opens her web browser, and follows the habitual bookmark to her bank's site. Both the phony message that informs her that, as a countermeasure to recent attacks against online banking customers, she needs to install a piece of proprietary software on her computer, and the download of the software are blocked.

• Use Case Scenario 4 - Once a week, Alice pays her bills. She invokes safe mode and opens her web browser, follows the habitual bookmark to her bank's site. A phony download process is blocked.

• Use Case Scenario 7 - Frank regularly reads a frequent flyer forum while sipping his first cup of coffee in the morning. He clicks on a link and walks off to the coffee-maker for a refill. Returning, he notes that his computer screen now includes pop-up advertising for a new cheque-management program which is purportedly offered by his bank. A free demonstration version is available for download. Frank invokes safe mode to access the free demonstration. The advertising is served from an advertising agency's web site, not from the bank's, and is therefore blocked.

Attack resistance and limitations

• The Safe Browser Mode would eliminate all threats except for two cases:

USABILITY EFFECT

Expected User behavior

• Over time and through education, it is hoped that more and more users will elect to invoke SBM mode before they bank on-line, or do other high risk transactions where personal information is exchanged and high risk transactions performed. In fact, banks and other “trusted sites” could incent users to only access them on-line via SBM Mode (e.g. provide loyalty points, safety guarantees, fee discounts or higher interest rates).

• It should be pointed out that there are already a number of circumstances where browsers, or browser add-ons, block web sites from being accessed. Two examples are privacy (where privacy is set to high and the website either does not have a published privacy statement in P3P, or has one that is in conflict with the user's privacy preferences) and a parental filter that blocks sites that are determined to be offensive, such as pornographic sites. The Safe Web Browsing concept would include blocking sites that are not identifiable as well-known, often visited, trusted sites.

DISRUPTION

Issues/Concerns/Questions

• How is safe-mode substantially different from the "security zone" model employed (and unused) in current browsers? Much of what we want is in the security zone model, but we want some additional things: e.g. to be able to strongly link a website's IP address(es) to the desired website (e.g. with EV typed certs or DNSSEC or FI- (or other community) certified and signed websites hashed with the valid IP addresses). It is because these important bits and pieces are already operational that we have hope we could see an implemented safe mode in relatively short order. Furthermore, the current security zone interface, such as in IE7, provides a long list of very technical terms that a user has to select, and it is somewhat cumbersome to change and reset. We would like something much simpler for the user to invoke, which by default eliminates, when in safe mode, all but the sites that both qualify and are selected by the user, as well as selecting a default security zone setting (most of the technical settings for safe mode are determined for the user, but if the user wishes he/she can see the settings).

• Do you believe there are times when users don't want to be safe? Yes, when users want to go to social sites, browse the web, look for interesting content, or converse with interesting people, they don't care about safety. On the other hand, there are some sites where the user wants to exchange very sensitive information and wants to be sure that they are on the correct site. In fact, if a user could easily switch back and forth, they would even be safer when they are not in safe mode because they would know they are NOT in safe mode and hopefully be much less trusting and willing to provide sensitive information when not in Safe mode. As a user travels around in the Wild Unsafe Web, they may find and establish a relationship with a web site that they now want to interact with more safely. If that site is appropriately certified and conforms to the needed technical security, the user can find that the site is available for Safe Mode and add it to their Safe Mode list.

• Creation of a separation between SBM and normal web browsing comes at the price of a seamless transition from regular mode to SBM. This would eliminate the option of an FI sending legitimate clickable links to the user by email (although we could keep the links if they are rendered inoperable unless the user goes through a clicking sequence before clicking on the link). Most FIs claim not to do this anyway, so this shouldn't be too big an issue. Forcing the user to launch another application keeps them conscious of what they're doing (the task at hand is a sensitive transaction and they must knowingly go into the separate mode to complete the task).

• There is concern that the business people who manage the consumer Internet channel at major banks will reject these conditions and their bedrock principle of “support all the popular web browsers” which is derived from a need to make online banking convenient and accessible to a very broad population of consumers. Any bank that unilaterally stops supporting today’s IE and Firefox browsers is simply giving away business to its competitors. That is why it is so critical that SBM mode be supported by the browser community and that going into SBM should be voluntary with education and incentives gradually causing a shift in user behavior. But attitudes may be changing. Consider the results of the following recent Javelin study [reference 4].

• The distinction between safe browsing mode and regular mode must be absolutely clear to the user. It's been suggested that safe-browsing could take place in another tab or browser window. This solution would not draw a hard enough line between SBM and regular mode. A number of attacks we see now show that users can easily be fooled by windows that have the same look and feel. It's also important to keep in mind attacks like picture-in-picture, which would likely still be successful if SBM was simply another browser window [1, 2, 4]. Also, SBM should be careful to present the user with the minimal interface necessary to allow them to conduct their transactions (i.e. a space free of advertisements and other noise on the page). Stripping the safe-browsing mode of all unnecessary information would help reduce the number of things an attacker can exploit, but the introduction of a stripped online banking interface would likely imply an education period. The users would have to be convinced that they are in fact on the correct site and communicating with their bank even though most of the graphics and links they're used to seeing are absent.

Background (informational)

REFERENCES

[1] Dhamija, R., Tygar, J., and Hearst, M. "Why Phishing Works" In Proceedings CHI. (2006)

[2] Jackson, C., Simon, D., Tan, D., and Barth, A. "An Evaluation of Extended Validation and Picture-in-Picture Attacks" In Proceedings Usable Security. (2007)

[3] Shneiderman, B. "Designing the User Interface".

[4] Wu, M., Miller, R., and Little, G. "Web Wallet: Preventing Phishing Attacks by Revealing User Intentions" Symposium on Usable Privacy and Security. (2006)

RecommendationDisplayProposals/RecoTempl (last edited 2007-06-06 15:58:01 by ThomasRoessler)

[4] Security Before Convenience Say Online Bankers, IDG News Service, by Tash Shifrin, April 5, 2007 [report based on Javelin Strategy and Research Survey by Stephen Knighten - Customers want online ID protection more than reimbursement from banks The majority of Internet users are more concerned with getting identity safeguards for online banking than being reimbursed for losses, according to a US survey conducted by Javelin Strategy & Research and commissioned by Authentify. Over half (58%) of the 2781 respondents surveyed said incurring a financial loss was not their primary concern about Internet banking. Instead loss of personal information and the possibility that fraudsters would commit financial fraud in their name were the two main worries. The research also found that the vast majority of respondents - 90% - are willing to sacrifice convenience for stronger security protection for online banking. Over three quarter (78%) of respondents wanted IDs to be verified using real-time authentication mechanisms in the event of suspicious account activity. Of these, more than 30% selected interactive phone calls or SMS text alerts as their preferred means to monitor transactions. Around eight per cent favoured traditional methods that delay a transaction until further authentication can be obtained by bank staff or written notification. Commenting on the research, Stephen Knighten, a statistical analyst at Javelin, says: "These findings demonstrate that the financial services industry must go beyond zero liability protection and offer more comprehensive identity safeguards to gain the trust of consumers." ]