Passwords Are Meant to Be Secret: A Practical Secure Password Entry Channel for Web Browsers (2402.06159v1)

Published 9 Feb 2024 in cs.CR

Abstract: Password-based authentication faces various security and usability issues. Password managers help alleviate some of these issues by enabling users to manage their passwords effectively. However, malicious client-side scripts and browser extensions can steal passwords after they have been autofilled by the manager into the web page. In this paper, we explore what role the password manager can take in preventing the theft of autofilled credentials without requiring a change to user behavior. To this end, we identify a threat model for password exfiltration and then use this threat model to explore the design space for secure password entry implemented using a password manager. We identify five potential designs that address this issue, each with varying security and deployability tradeoffs. Our analysis shows the design that best balances security and usability is for the manager to autofill a fake password and then rely on the browser to replace the fake password with the actual password immediately before the web request is handed over to the operating system to be transmitted over the network. This removes the ability for malicious client-side scripts or browser extensions to access and exfiltrate the real password. We implement our design in the Firefox browser and conduct experiments, which show that it successfully thwarts malicious scripts and extensions on 97% of the Alexa top 1000 websites, while also maintaining the capability to revert to default behavior on the remaining websites, avoiding functionality regressions. Most importantly, this design is transparent to users, requiring no change to user behavior.

