CSci 5271: Introduction to Computer Security
Day 23: Usability and security
Stephen McCamant, University of Minnesota, Computer Science & Engineering

Outline
- Tor basics
- Tor experiences and challenges
- Announcements intermission
- Usability and security
- Usable security example areas

Tor: an overlay network
- Tor (originally from “the onion router”), https://www.torproject.org/
- An anonymous network built on top of the non-anonymous Internet
- Designed to support a wide variety of anonymity use cases

Low-latency TCP applications
- Tor works by proxying TCP streams (and DNS lookups)
- Focuses on achieving interactive latency
- WWW, but potentially also chat, SSH, etc.
- Anonymity tradeoffs compared to remailers

Onion routing
- Stream from sender to D forwarded via A, B, and C
- One Tor circuit made of four TCP hops
- Encrypt packets (512-byte “cells”) as E_A(B, E_B(C, E_C(D, P)))
- TLS-like hybrid encryption with “telescoping” path setup

Tor: client perspective
- Install Tor client running in background
- Configure browser to use Tor as proxy
  - Or complete Tor+Proxy+Browser bundle
- Browse web as normal, but a lot slower
  - Also, sometimes google.com is in Swedish
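To make the layered encryption E_A(B, E_B(C, E_C(D, P))) from the onion routing slide concrete, here is an added example; it is not from the slides or from the Tor code base. It assumes the client already shares one symmetric key with each of A, B and C (in Tor those keys come from the telescoping path setup, which is not shown), uses an HMAC-SHA256 keystream as a stand-in cipher so it runs on the standard library alone, and the hop names, the 8-byte hop field and the HTTP request payload are constructed for the example.

```python
import hashlib
import hmac
import secrets

CELL_SIZE = 512   # Tor relay cells are a fixed 512 bytes; the innermost payload is padded to this
NONCE_LEN = 16
HOP_LEN = 8       # fixed-width "next hop" field inside each layer (toy wire format, an assumption)


def keystream(key, nonce, length):
    """Toy stream cipher: HMAC-SHA256 in counter mode.
    Stand-in for the AES-CTR Tor really uses; not for production."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def wrap(key, next_hop, inner):
    """One onion layer E_key(next_hop, inner): nonce || encrypt(next_hop || inner)."""
    if len(next_hop) > HOP_LEN:
        raise ValueError("hop name too long")
    nonce = secrets.token_bytes(NONCE_LEN)
    plaintext = next_hop.ljust(HOP_LEN, b"\0") + inner
    return nonce + _xor(plaintext, keystream(key, nonce, len(plaintext)))


def unwrap(key, cell):
    """What one relay does: peel its own layer and learn only the next hop plus an opaque blob."""
    nonce, ciphertext = cell[:NONCE_LEN], cell[NONCE_LEN:]
    plaintext = _xor(ciphertext, keystream(key, nonce, len(ciphertext)))
    return plaintext[:HOP_LEN].rstrip(b"\0"), plaintext[HOP_LEN:]


def build_onion(keys, path, payload):
    """keys: relay name -> key the client shares with that relay.
    path: [A, B, C, D], where D is the destination rather than a relay.
    Wraps from the innermost layer outward, giving E_A(B, E_B(C, E_C(D, P)))."""
    if len(payload) > CELL_SIZE:
        raise ValueError("payload does not fit in one cell")
    cell = payload.ljust(CELL_SIZE, b"\0")   # pad so the payload length does not leak
    for i in range(len(path) - 2, -1, -1):
        cell = wrap(keys[path[i]], path[i + 1], cell)
    return cell


def route(keys, entry, cell):
    """Forward the cell hop by hop. Returns the (relay, next_hop) decision each relay
    made and the payload that finally reaches the destination."""
    trace, current = [], entry
    while current in keys:             # stop when the next hop is not a relay (the destination)
        next_hop, cell = unwrap(keys[current], cell)
        trace.append((current, next_hop))
        current = next_hop
    return trace, cell.rstrip(b"\0")


def demo():
    """Constructed three-relay circuit A -> B -> C to destination D."""
    keys = {name: secrets.token_bytes(32) for name in (b"A", b"B", b"C")}
    payload = b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"
    onion = build_onion(keys, [b"A", b"B", b"C", b"D"], payload)
    # Entry relay A's view after peeling its layer: next hop B, the rest still encrypted
    a_next, a_sees = unwrap(keys[b"A"], onion)
    trace, delivered = route(keys, b"A", onion)
    return {"trace": trace, "delivered": delivered,
            "entry_learns": a_next, "entry_can_read_payload": payload in a_sees}


if __name__ == "__main__":
    print(demo())
```

Each relay holds only its own key, so A learns that the next hop is B and nothing else, and only C sees the destination. One difference from Tor is deliberate and worth noticing: this toy grows the cell by 24 bytes per layer, which by itself would tell a relay its position in the circuit; Tor avoids that by encrypting in place with counter mode, so a relay cell is 512 bytes at every hop.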
Entry/guard relays
- “Entry node”: first relay on path
- Entry knows the client’s identity, so particularly sensitive
- Many attacks possible if one adversary controls entry and exit
- Choose a small random set of “guards” as only entries to use
  - Rotate slowly or if necessary
  - For repeat users, better than random each time

Exit relays
- Forwards traffic to/from non-Tor destination
- Focal point for anti-abuse policies
  - E.g., no exits will forward for port 25 (email sending)
- Can see plaintext traffic, so danger of sniffing, MITM, etc.

Centralized directory
- How to find relays in the first place?
- Straightforward current approach: central directory servers
- Relay information includes bandwidth, exit policies, public keys, etc.
- Replicated, but potential bottleneck for scalability and blocking

Outline (next section: Tor experiences and challenges)

Anonymity loves company
- Diverse user pool needed for anonymity to be meaningful
  - Hypothetical Department of Defense Anonymity Network
- Tor aims to be helpful to a broad range of (sympathetic sounding) potential users

Who (arguably) needs Tor?
- Consumers concerned about web tracking
- Businesses doing research on the competition
- Citizens of countries with Internet censorship
- Reporters protecting their sources
- Law enforcement investigating targets
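The claim on the entry/guard relays slide that fixed guards beat a fresh random entry for repeat users can be checked numerically. The following is an added example, not from the slides or from Tor. It assumes an adversary controlling the same fraction f of entry and of exit capacity, counts an attack as successful as soon as any one circuit has a hostile entry and a hostile exit (the entry-plus-exit case from the slide), and models relay selection as uniform, ignoring Tor's bandwidth weighting; the numbers in compare() are assumed for illustration.

```python
import math
import random


def p_compromised_random_entry(f, n):
    """Adversary owns fraction f of entry and of exit capacity; each of n circuits picks a
    fresh uniform entry and exit. Probability that at least one circuit is hostile at both ends."""
    return 1 - (1 - f * f) ** n


def p_compromised_with_guards(f, n, k):
    """Same adversary, but the client fixes k guards once and draws entries only from them.
    Exact: condition on j hostile guards (binomial), then the per-circuit chance of a hostile
    entry and exit is (j/k) * f."""
    total = 0.0
    for j in range(k + 1):
        p_j = math.comb(k, j) * f ** j * (1 - f) ** (k - j)
        per_circuit = (j / k) * f
        total += p_j * (1 - (1 - per_circuit) ** n)
    return total


def simulate(f, n, k, trials, seed=1):
    """Seeded Monte Carlo cross-check. k=None means a fresh random entry for every circuit."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        guards = None if k is None else [rng.random() < f for _ in range(k)]
        for _ in range(n):
            if guards is None:
                entry_hostile = rng.random() < f
            else:
                entry_hostile = guards[rng.randrange(k)]
            exit_hostile = rng.random() < f
            if entry_hostile and exit_hostile:
                hits += 1
                break
    return hits / trials


def compare(f=0.1, n=100, k=3):
    """Assumed numbers: 10% hostile relays, 100 circuits (a few weeks of browsing), 3 guards."""
    return {
        "random_entry": p_compromised_random_entry(f, n),
        "with_guards": p_compromised_with_guards(f, n, k),
        "random_entry_mc": simulate(f, n, None, 4000),
        "with_guards_mc": simulate(f, n, k, 4000),
    }


if __name__ == "__main__":
    for name, p in compare().items():
        print(f"{name:16s} {p:.3f}")
```

With these inputs a user who picks a new entry every circuit is almost certain to be caught at least once over 100 circuits, while the guard user is caught only if one of the three guards is hostile, which happens roughly a quarter of the time. The trade is that the unlucky quarter are then exposed persistently rather than occasionally, which is why the slide pairs guards with slow rotation: rotating quickly would turn the guard set back into a sequence of random entries.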
Tor and the US government
- Onion routing research started with the US Navy
- Academic research still supported by NSF
- Anti-censorship work supported by the State Department
  - Same branch as Voice of America
- But also targeted by the NSA
  - Per Snowden, so far only limited success

Volunteer relays
- Tor relays are run basically by volunteers
  - Most are idealistic
  - A few have been less-ethical researchers, or GCHQ
- Never enough, or enough bandwidth
- P2P-style mandatory participation? Unworkable/undesirable
- Various other kinds of incentives explored

Performance
- Increased latency from long paths
- Bandwidth limited by relays
- Currently 1-2 sec for 50KB, 5-10 sec for 1MB
- Historically worse for many periods
  - Flooding (guessed botnet) earlier this fall

Anti-censorship
- As a web proxy, Tor is useful for getting around blocking
- Unless Tor itself is blocked, as it often is
- Bridges are special less-public entry points
- Also, protocol obfuscation arms race (currently behind)

Hidden services
- Tor can be used by servers as well as clients
- Identified by cryptographic key, use special rendezvous protocol
- Servers often present easier attack surface

Undesirable users
- P2P filesharing
  - Discouraged by Tor developers, to little effect
- Terrorists
  - At least the NSA thinks so
- Illicit e-commerce
  - “Silk Road” in the news recently
Intersection attacks
- Suppose you use Tor to update a pseudonymous blog, reveal you live in Minneapolis
- Comcast can tell who in the city was sending to Tor at the moment you post an entry
- Anonymity set of 1000 → reasonable protection
- But if you keep posting, adversary can keep narrowing down the set

Exit sniffing
- Easy mistake to make: log in to an HTTP web site over Tor
- A malicious exit node could now steal your password
- Another reason to always use HTTPS for logins

Browser bundle JS attack
- Tor’s Browser Bundle disables many features to try to stop tracking
- But, JavaScript defaults to on
  - Usability for non-expert users
  - Fingerprinting via NoScript settings
- Was incompatible with Firefox auto-updating
- Many Tor users de-anonymized in August by JS vulnerability patched in June

Outline (next section: Announcements intermission)

Exercises
- Exercise set 2 was not actually finished Monday, but it is now
- Leftover papers will be in my office
- Exercise set 4 due Thursday night

HW2 trailing slash mistake
- First versions of the HW2 instructions gave the poke command like curl http://CLIENT/1/
- Doesn’t work, gives 404 error
- Should be: curl http://CLIENT/1
- Note no trailing slash
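The intersection attack from the slide above can be run on constructed ISP logs. The code below is an added example, not from the lecture: each observation is the set of customers seen connecting to Tor in the window around one blog post, and the blogger is in every set. It also goes one step beyond the slide with the threshold variant: if the blogger sometimes posts through a delay queue, a strict intersection wrongly excludes them, so a realistic adversary counts appearances instead of intersecting. User names, the online probability and the seed are all constructed.

```python
import random
from collections import Counter


def generate_observations(n_users, n_posts, p_online, target, seed=7):
    """Constructed ISP logs: one set per blog post, holding the customers seen talking
    to Tor in that time window. Everyone else is online independently with probability
    p_online; the pseudonymous blogger (target) is present for every post."""
    rng = random.Random(seed)
    users = [f"user{i:04d}" for i in range(n_users)]
    observations = []
    for _ in range(n_posts):
        online = {u for u in users if rng.random() < p_online}
        online.add(target)
        observations.append(online)
    return observations


def intersection_attack(observations):
    """Strict intersection: after post k the candidates are S_1 & ... & S_k.
    Returns the candidate set after every post so the shrinkage is visible."""
    history = []
    candidates = None
    for seen in observations:
        candidates = set(seen) if candidates is None else candidates & seen
        history.append(candidates)
    return history


def threshold_attack(observations, min_hits):
    """Statistical variant: anyone seen in at least min_hits of the windows.
    Tolerates a target who missed a few windows (e.g. delayed posting)."""
    counts = Counter()
    for seen in observations:
        counts.update(seen)
    return {user for user, n in counts.items() if n >= min_hits}


def demo(n_users=1000, n_posts=15, p_online=0.5):
    target = "user0042"
    obs = generate_observations(n_users, n_posts, p_online, target)
    history = intersection_attack(obs)
    # Same logs, but the blogger was absent from two windows (those posts were queued):
    absent = [s - {target} if i in (3, 9) else s for i, s in enumerate(obs)]
    return {
        "target": target,
        "set_sizes": [len(c) for c in history],   # halves on average with each post
        "final": history[-1],
        "strict_after_absence": intersection_attack(absent)[-1],
        "threshold_after_absence": threshold_attack(absent, n_posts - 2),
    }


if __name__ == "__main__":
    print(demo())
```

The attack needs only membership per time window, never the content of the traffic, which is why neither encryption nor the onion layering helps against it; only posting less often, or decoupling post times from connection times, grows the set again. The threshold version shows the flip side of that countermeasure: skipping a couple of windows defeats the naive intersection but not an adversary who tolerates a few misses.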
Outline (next section: Usability and security)

Users are not ‘ideal components’
- Frustrates engineers: cannot give users instructions like a computer
  - Closest approximation: military
- Unrealistic expectations are bad for security
- Most users are benign and sensible
- On the other hand, you can’t just treat users as adversaries
  - Some level of trust is inevitable
  - Your institution is not a prison
- Also need to take advantage of user common sense and expertise
  - A resource you can’t afford to pass up

Don’t blame users
- “User error” can be the end of a discussion
- This is a poor excuse
- Almost any “user error” could be avoidable with better systems and procedures

Users as rational
- Economic perspective: users have goals and pursue them
- They’re just not necessarily aligned with security
- Ignoring a security practice can be rational if the reward is greater than the risk

Perspectives from psychology
- Users become habituated to experiences and processes
  - Learn “skill” of clicking OK in dialog boxes
- Heuristic factors affect perception of risk
  - Level of control, salience of examples
- Social pressures can override security rules
  - “Social engineering” attacks
User attention is a resource
- Users have limited attention to devote to security
  - Exaggeration: treat as fixed
- If you waste attention on unimportant things, it won’t be available when you need it
  - Fable of the boy who cried wolf

Research: ecological validity
- User behavior with respect to security is hard to study
- Experimental settings are not like real situations
- Subjects often:
  - Have little really at stake
  - Expect experimenters will protect them
  - Do what seems socially acceptable
  - Do what they think the experimenters want

Research: deception and ethics
- Have to be very careful about ethics of experiments with human subjects
  - Including because of institutional review systems
- When is it acceptable to deceive subjects?
- Many security problems naturally include deception

Outline (next section: Usable security example areas)

Phishing
- Attacker sends email appearing to come from an institution you trust
- Links to web site where you type your password, etc.
- Spear phishing: individually targeted, can be much more effective

Phishing defenses
- Educate users to pay attention to X:
  - Spelling → copy from real emails
  - URL → homograph attacks
  - SSL “lock” icon → fake lock icon, or SSL-hosted attack
- Extended validation (green bar) certificates
- Phishing URL blacklists
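The “URL → homograph attacks” arrow on the phishing defenses slide is the point that telling users to read the URL does not help when the URL is built from lookalike letters. The check below is an added example, not from the lecture, of what software can do that the eye cannot: it takes a hostname either as displayed (Unicode) or as sent on the wire (xn-- punycode), flags labels that mix scripts, and reports the ASCII name a host would be mistaken for. The confusables table is a small constructed subset (the full list is Unicode's confusables.txt), and the sample host is paypal.com with its first a replaced by Cyrillic U+0430.

```python
import unicodedata

# A few Cyrillic/Greek letters that render like ASCII letters (subset, constructed here;
# the full table is Unicode's confusables.txt).
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u04bb": "h",
    "\u04cf": "l", "\u03b1": "a", "\u03bf": "o",
}


def script_of(ch):
    """Coarse script of one character, taken from the first word of its Unicode name."""
    if ch.isascii():
        return "LATIN" if ch.isalpha() else "COMMON"
    name = unicodedata.name(ch, "")
    return name.split(" ")[0] if name else "UNKNOWN"


def analyze_host(host):
    """Accepts a hostname as typed in the address bar (Unicode) or on the wire (xn-- punycode).
    Returns both forms plus two findings: labels mixing scripts, and the ASCII name the
    host would be mistaken for (None if it is not a lookalike)."""
    host = host.rstrip(".")
    # Python's idna codec is the IDNA 2003 flavor; ASCII labels pass through unchanged.
    punycode = host.encode("idna").decode("ascii").lower()
    display = punycode.encode("ascii").decode("idna")
    mixed = []
    for label in display.split("."):
        scripts = {script_of(c) for c in label} - {"COMMON"}
        if len(scripts) > 1:
            mixed.append(label)
    skeleton = "".join(CONFUSABLES.get(c, c) for c in display)
    lookalike = skeleton if skeleton != display and skeleton.isascii() else None
    return {"display": display, "punycode": punycode,
            "mixed_script_labels": mixed, "lookalike_of": lookalike}


def demo():
    # Constructed: "paypal.com" with the first 'a' replaced by Cyrillic U+0430
    return analyze_host("p\u0430ypal.com")


if __name__ == "__main__":
    print(demo())
```

Both checks are needed: a label written entirely in Cyrillic lookalikes passes the mixed-script test, so only the skeleton comparison catches it, while the mixed-script test catches substitutions for letters that have no entry in a short confusables table. Browsers apply the same two ideas when they decide whether to show the Unicode form or fall back to the raw xn-- label.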
SSL warnings: prevalence
- Browsers will warn on SSL certificate problems
- In the wild, most are false positives
  - foo.com vs. www.foo.com
  - Recently expired
  - Technical problems with validation
  - Self-signed certificates (HW2)
- Classic warning-fatigue danger

SSL warnings: effectiveness
- Early warnings fared very poorly in lab settings
- Recent browsers have a new generation of designs:
  - Harder to click through mindlessly
  - Persistent storage of exceptions
- Recent telemetry study: they work pretty well

Spam-advertised purchases
- “Replica” Rolex watches, herbal V!@gr@, etc.
- This business is clearly unscrupulous; if I pay, will I get anything at all?
- Empirical answer: yes, almost always
- Not a scam, a black market
- Importance of credit-card bank relationships

Advance fee fraud
- “Why do Nigerian Scammers say they are from Nigeria?” (Herley, WEIS 2012)
- Short answer: false positives
- Sending spam is cheap
- But, luring victims is expensive
- Scammer wants to minimize victims who respond but ultimately don’t pay

Trusted UI
- Tricky to ask users to make trust decisions based on UI appearance
  - Lock icon in browser, etc.
- Attacking code can draw lookalike indicators
  - Lock favicon
  - Picture-in-picture attack

Smartphone app permissions
- Smartphone OSes have more fine-grained per-application permissions
  - Access to GPS, microphone
  - Access to address book
  - Make calls
- Phone also has more tempting targets
- Users install more apps from small providers
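Two of the SSL warning slides above hide a small amount of mechanism: why foo.com vs. www.foo.com is a mismatch at all, and what “persistent storage of exceptions” has to get right so that clicking through once does not silence every later warning. The following is an added example, not from the lecture or from any browser: certificates are plain dicts with constructed fields (a real checker would read them from the X.509 structure and also verify the chain and signature, which this does not do), name matching follows the RFC 6125 rules browsers use, and the exception store is keyed by host and certificate fingerprint together.

```python
from datetime import datetime, timezone


def hostname_matches(pattern, hostname):
    """Name matching as browsers apply RFC 6125: case-insensitive, label by label,
    a wildcard only as the entire leftmost label, never matching across a dot.
    Consequence: a cert for foo.com does not cover www.foo.com, nor the reverse."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in p or "" in h:
        return False
    if p[0] == "*":
        if len(p) < 3:              # "*.com" would cover every .com site; browsers reject it
            return False
        return p[1:] == h[1:]
    return p == h


def classify_warning(cert, hostname, now):
    """Map a certificate (a dict here: subject, issuer, sans, not_after, fingerprint)
    to the warning categories from the slide. An empty list means no warning."""
    reasons = []
    names = cert["sans"] if cert["sans"] else [cert["subject"]]   # SANs first; CN only as fallback
    if not any(hostname_matches(n, hostname) for n in names):
        reasons.append("name mismatch")
    if now > cert["not_after"]:
        reasons.append("expired")
    if cert["issuer"] == cert["subject"]:
        reasons.append("self-signed")
    return reasons


class ExceptionStore:
    """Persistent click-through exceptions. Keyed by host AND certificate fingerprint, so the
    exception a user granted for one self-signed cert does not silence the warning when a
    different cert (say, an interposed one) turns up for the same host."""
    def __init__(self):
        self._granted = set()

    def grant(self, hostname, fingerprint):
        self._granted.add((hostname.lower(), fingerprint))

    def covers(self, hostname, fingerprint):
        return (hostname.lower(), fingerprint) in self._granted


def should_warn(cert, hostname, now, store):
    reasons = classify_warning(cert, hostname, now)
    if reasons and store.covers(hostname, cert["fingerprint"]):
        return []
    return reasons


# Constructed certificate, not a real one: a self-signed cert for the bare domain.
FOO_SELF_SIGNED = {
    "subject": "foo.com", "issuer": "foo.com", "sans": ["foo.com"],
    "not_after": datetime(2030, 1, 1, tzinfo=timezone.utc), "fingerprint": "sha256:aaaa",
}
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)


def demo():
    store = ExceptionStore()
    first = should_warn(FOO_SELF_SIGNED, "foo.com", NOW, store)        # warns: self-signed
    store.grant("foo.com", FOO_SELF_SIGNED["fingerprint"])
    again = should_warn(FOO_SELF_SIGNED, "foo.com", NOW, store)        # exception applies
    swapped = dict(FOO_SELF_SIGNED, fingerprint="sha256:bbbb")
    different_cert = should_warn(swapped, "foo.com", NOW, store)       # warns again
    www = should_warn(FOO_SELF_SIGNED, "www.foo.com", NOW, store)      # mismatch as well
    return first, again, different_cert, www


if __name__ == "__main__":
    print(demo())
```

Keying the exception on the fingerprint is what keeps the stored exception from becoming an attack surface: an adversary who can interpose on foo.com gets a fresh warning even though the user accepted the site's own self-signed certificate earlier. Keying on the host alone would make the first click-through permanent for everyone in the path.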