It is getting harder for web users to tell the difference between trusted websites and malicious content, according to a developer working on Google Chrome.
In a blog post, Google engineer Eric Lawrence said that it helps to think of browsers as having a “line of death” between pixels controlled by the browser and those that are under the control of a website and therefore subject to manipulation by a malicious actor.
“In web browsers, the browser itself usually fully controls the top of the window, while pixels under the top are under control of the site. I’ve recently heard this called the line of death,” he said. “If a user trusts pixels above the line of death, the thinking goes, they’ll be safe, but if they can be convinced to trust the pixels below the line, they’re gonna die.”
Lawrence added that this crucial demarcation isn’t explicitly pointed out to the user, and worse than that, it’s not an absolute.
He cited an example where chevrons are used to cross over this line of death so that the browser can show extra information, such as whether a connection is secure. Phishers cannot cross this line themselves, but they can fake a chevron and notification that touch it, and most users will fall for the fake and click on it, serving up malicious content.
But a bigger problem, as far as Lawrence is concerned, is that some attacker-supplied data is allowed above the line of death, such as the icon and page title, which are under the attacker's control because the site is served from the attacker's own domain name shown in the address bar. Lawrence said this may consist entirely of deceptive content and lies.
Another problem is the web content. “Nothing in this area is to be believed. Unfortunately, on windowed operating systems, this is worse than it sounds, because it creates the possibility of picture-in-picture attacks, where an entire browser window, including its trusted pixels,” he warned.
He said that even defences such as using a custom theme (which would expose a fake window drawn in the default colours) wouldn’t protect users against such attacks. Such attacks have also rendered Extended Validation (EV) certificates pointless, since an attacker can fake the green padlock used to denote validated sites. Lawrence said that his favourite mitigation technique for this kind of attack was a proposal that browsers should use PetNames for site identity.
“Not only would they make every HTTPS site’s identity look unique to each user, but this could also be used as a means of detecting fraudulent or mis-issued certificates (in a world before we had certificate transparency),” he said.
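As an added illustration of the PetNames idea described above (this is not code from Lawrence's post or from any browser), the following models a per-user petname store that a browser or extension could consult on every HTTPS navigation: a site the user has never named gets no petname, so a lookalike or spoofed page cannot reproduce the user's personal label, and a known site presenting a different certificate is flagged rather than trusted. All origins, fingerprints and names are constructed placeholders.

```javascript
// Added example: minimal petname store for site identity. The trusted UI
// above the line of death would render lookup()'s result. All sample
// origins and certificate fingerprints below are constructed, not real.

class PetnameStore {
  constructor() {
    this.byOrigin = new Map();   // origin -> { petname, fingerprint }
    this.byPetname = new Map();  // petname -> origin (petnames are unique)
  }

  // The user assigns a memorable, personal name to a site identity, defined
  // here as the origin plus the certificate fingerprint seen at assignment.
  assign(origin, fingerprint, petname) {
    const owner = this.byPetname.get(petname);
    if (owner !== undefined && owner !== origin) {
      throw new Error(`petname "${petname}" already names ${owner}`);
    }
    this.byOrigin.set(origin, { petname, fingerprint });
    this.byPetname.set(petname, origin);
  }

  // Returns what the trusted UI should show for this navigation.
  lookup(origin, fingerprint) {
    const entry = this.byOrigin.get(origin);
    if (!entry) {
      // Never named by this user: nothing is shown. A lookalike domain or a
      // picture-in-picture fake cannot know the user's private petname.
      return { status: 'unknown', petname: null };
    }
    if (entry.fingerprint !== fingerprint) {
      // Same origin, different certificate: a legitimate rotation or a
      // mis-issued/fraudulent certificate. Surface it instead of trusting it.
      return { status: 'cert-changed', petname: entry.petname };
    }
    return { status: 'trusted', petname: entry.petname };
  }
}

// Constructed sample data; fingerprints are placeholders, not real hashes.
const store = new PetnameStore();
store.assign('https://paypal.example', 'sha256:AAAA', 'my bank payments');

const trusted = store.lookup('https://paypal.example', 'sha256:AAAA');
const spoof = store.lookup('https://paypa1.example', 'sha256:AAAA');
const rotated = store.lookup('https://paypal.example', 'sha256:BBBB');
```

A real deployment would need a way for the user to confirm a legitimate certificate rotation, which is why Lawrence frames this as useful mainly before certificate transparency existed.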
However, the line of death has all but gone with the advent of HTML5 fullscreen support in browsers, which lets a site present a fullscreen window without any address bar or browser chrome. He said that the Metro/Immersive/Modern mode of Internet Explorer in Windows 8 suffered from the same problem; because it was designed with a philosophy of “content over chrome”, there were no reliable trustworthy pixels.
“I begged for a persistent trust badge to adorn the bottom-right of the screen (showing a security origin and a lock) but was overruled. One enterprising security tester in Windows made a visually-perfect spoofing site of PayPal, where even the user gestures that displayed the ephemeral browser UI were intercepted and fake indicators were shown. It was terrifying stuff, mitigated only by the hope that no one would use the new mode,” he said.
He added that virtually all mobile operating systems suffer from the same issue. “Due to UI space constraints, there are no trustworthy pixels, allowing any application to spoof another application or the operating system itself,” said Lawrence.