My thoughts on security

Protection against CSRF for end users

Web security is getting extremely important, as everything is moved "into the cloud". Cross-Site Request Forgery (CSRF) is a big threat to web security. Way too many sites are vulnerable, and don't assume that your webmail, say, is secure just because it is created by a huge company. Gmail, for example, was recently vulnerable. So, what is this CSRF thing all about?

Quoted from http://en.wikipedia.org/wiki/Cross-site_request_forgery:

The attack works by including a link or script in a page that accesses a site to which the user is known to have authenticated. For example, one user, Bob, might be browsing a chat forum where another user, Alice, has posted a message with an image that links to Bob's bank. Suppose that, as the URL for the image tag, Alice has crafted a URL that submits a withdrawal form on Bob's bank's website. If Bob's bank keeps his authentication information in a cookie, and if the cookie hasn't expired, then Bob's browser's attempt to load the image will submit the withdrawal form with his cookie, thus authorizing a transaction without Bob's approval.

(read more at http://en.wikipedia.org/wiki/Cross-site_request_forgery)

Pretty scary, eh? So how should we protect ourselves? The best solution would of course be to make all websites secure. Unfortunately, that is never going to happen. A common suggestion is to use several different browsers: one browser for important sites where you are authenticated, and another for browsing the web, reading forums, etc. That would work, but it is very inconvenient. Another suggestion is to turn off JavaScript. That would guard you against some of the attacks, but way too many websites rely on JavaScript, and many attacks work without JavaScript, so for most people it is not really worth it.

A third suggestion, and probably the best one, is to use the NoScript extension for Firefox. This extension blocks cross-site POST requests, and by turning off all or most of NoScript's other protections you get pretty solid protection against CSRF that is so convenient you could probably even install it on your (grand)mother/father(-in-law)'s computer without him/her even noticing it.

This is a great solution, but it is not completely secure. Some CSRF attacks work with GET requests, which NoScript will not protect you against. Also, you will have to wait for an update to be protected against specific XSS or CSRF bugs (like the jar bug) in the browser itself. How about an even more secure (but slightly less convenient) solution?

Secure tabs

Most browsers support tabs. Let's say the context menu on a tab has an option that says "Secure this tab" or "Protect this tab" or something like that. When that option is selected, the tab is moved into its own sandbox: all cookies set by that site are removed from the global scope and moved into the sandbox, and any TCP connection used in that tab is not used anywhere else. The tab should also get a different color, to give users an overview of which tabs they have secured. If this is implemented, the only thing you have to do to protect yourself is to right-click on the tab and select "Secure this tab" before signing in somewhere.

A combination of this and disallowing cross-site POST requests will give very good protection against these kinds of attacks, and it is convenient enough that you can tell your (grand)mother what to do before signing in to her online bank, webmail, etc. It also has some nice side effects:
  • It protects against several other web vulnerabilities, among them (most types of) XSS targeting the sites in the tabs you have secured.
  • It lets you sign in to several accounts on the same site at the same time in the same browser.
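A small model of the two defences discussed above, added here as an example (not the post's own code): a browser whose cookies live either in a global jar or in a per-tab sandbox, plus a NoScript-style block on cross-site POSTs, run against a bank endpoint that has the flaw the quoted Wikipedia example describes. The site names, the cookie value and the endpoint are constructed for the walk-through; the model shows the GET bypass of the POST block and that the secured tab itself keeps working.

```python
# Model (added example, not from the post) of per-tab cookie sandboxes
# ("Secure this tab") combined with a NoScript-style cross-site POST block.
# Sites, cookie values and the bank endpoint below are constructed.
from dataclasses import dataclass, field

BANK, FORUM = "bank.example", "forum.example"   # constructed sites

@dataclass
class Tab:
    site: str                                   # site open in this tab
    secure: bool = False                        # "Secure this tab" chosen?
    jar: dict = field(default_factory=dict)     # private cookies when secure

@dataclass
class Browser:
    block_cross_site_post: bool = False         # NoScript-style policy
    global_jar: dict = field(default_factory=dict)

    def set_cookie(self, tab, site, name, value):
        jar = tab.jar if tab.secure else self.global_jar
        jar.setdefault(site, {})[name] = value

    def secure_tab(self, tab):
        """Move the tab's site cookies out of the global scope into its sandbox."""
        tab.secure = True
        tab.jar[tab.site] = self.global_jar.pop(tab.site, {})

    def request(self, tab, target, method):
        """Cookies a request from `tab` to `target` carries; None if blocked."""
        if tab.site != target and method == "POST" and self.block_cross_site_post:
            return None
        jar = tab.jar if tab.secure else self.global_jar
        return dict(jar.get(target, {}))

def bank_withdraw(cookies):
    """Constructed bank endpoint with the flaw the post describes: any request
    carrying a valid session cookie is honoured, with no CSRF token check."""
    if cookies is None:
        return "blocked by browser"
    return "withdrawal executed" if cookies.get("session") == "bob" else "not logged in"

def scenario(secure_bank_tab, block_post, method):
    """Bob signs in to the bank; Alice's forged <img>/form in a forum tab hits it.
    Returns (result of the forged request, result of Bob's own request)."""
    br = Browser(block_cross_site_post=block_post)
    bank_tab = Tab(BANK)
    if secure_bank_tab:
        br.secure_tab(bank_tab)                 # right-click before signing in
    br.set_cookie(bank_tab, BANK, "session", "bob")
    forged = bank_withdraw(br.request(Tab(FORUM), BANK, method))
    own = bank_withdraw(br.request(bank_tab, BANK, "POST"))
    return forged, own
```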

So what do you say, browser vendors? How about implementing something like this and allowing your users to be really secure on the web?

(Of course, there are probably people who have thought of this before me; it is not a very complex idea, but I couldn't find anyone else writing about it when I searched for it.)

Sorry for any spelling or grammar errors. English is my second language.

Comments

Anonymous Tuesday, December 25, 2007 1:56:31 AM

Eddy Nigg writes: Håkon, shouldn't the "Secure Tabs" you proposed really be the default? Perhaps marking a tab (or browser window) "Allow Cross Site Request" would be somehow better... just my two cents.

Håkonhaakeyar Tuesday, December 25, 2007 6:22:47 PM

Eddy, the problem with that is that by marking a tab as secure, that tab will be completely separated from all other tabs, so you will only be authenticated within that tab. This is perfect for sensitive sites, but probably not what you'd want for regular browsing.
Cross-site post requests should be blocked all over though, or there should at least be an option to do so, if that is what you meant. Feel free to tell me how I can make it clearer if it was too unclear in the post.

Thanks for your feedback.
