Not Obvious

Defense Against The Dark Art Of Browser Cache Poisoning

A recent PCWorld article by Ellen Messmer on the topic of browser cache-poisoning (as discussed by Mike Kershaw) led me to pondering a "solution" to the problem

"What is the problem?", you ask? To re-state it as simply as possible, when you jump on a public wireless network, anything you do over that network can be - at a minimum - captured and viewed by miscreants intent on prying into your affairs and, perhaps, absconding with some of your secrets. Kershaw's remarks pointed out that these malcontents can also do far worse and actually inject their own data into, say, your web-browsing activities. While such activity has many negative possibilities, Mike focused on one called "cache poisoning".

Whenever you visit a web site, your browser - unless you have specifically configured it not to - will attempt to cache (store) anything it can to help speed up your browsing experience and reduce bandwidth usage. This cache can be "poisoned" by an attacker injecting his/her own content into, say a javascript or css file and modifying the server responses to indicate that your browser should not bother trying to re-get those resources for a very long time. This will have the effect of your browser pulling the content from your local cache the next time it is asked for and will then activate the malicious bits along with the expected payload (so you think nothing is wrong).

Apart from always running with the cache off, you can clear the cache manually after you disconnect from a public access point. Most people will not know how to do the former (or just not want to do it) and - for the latter - I would ask you when was the last time you cleared your cache...at all? If you have cleared it, the reason was probably to fix a problem or clear up a page rendering issue.

My "solution" entails writing a small Windows service or OS X event watcher that:

• keeps a record of all SSIDs you associate to (for remembering choices/settings)
• watches for disassociate or adapter link down events
• automatically - or via a prompt - removes all elements retrieved in the past day (or from the time you associate to the network) on disassociation or link down

I've already built the framework for both the Windows service and an OS X process and plan to post both the code and binaries as soon as I get them tied up in a nice, neat bow. However, I wanted to point out some of the complexities involved while they are fresh on my mind.

Focusing on OS X, the default browser - Safari - stores cached data in a sqlite database in ~/Library/Caches/com.apple.Safari/Cache.db. The schema is very basic and the SQL to remove all elements after a given TIMESTAMP is trivial. But, I would wager that most intrepid readers are not aware that any app that makes use of WebKit will get their own Cache.db. With a browser-to-app tool such as Fluid, this means each created app will have its own cache database (and be vulnerable to the poisoning).

Extending this a bit further, many users will have multiple browsers installed (Chrome, Firefox, Opera, etc). Each has their own method of dealing with web caches, and there really is no way to be confident which ones should be cleared without tracking application usage as well. This is also true on the Windows platform and made even a bit worse by the fact that you can customize where IE and other browsers store their cached data (on almost any platform).

It turns out this is one case where the Windows .NET API trumps OS X/Cocoa in that I can easily watch for WLAN adapter disassociation events and then act upon them. On OS X, it takes a bit more work arrive at the disassociation conclusion, but - once you have the event - the cleaning process code is very similar.

As the article points out:

The few defenses Kershaw suggested were continuously manually clearing the cache, or using private-browser mode. "Who knows how to clear the browser cache in an iPhone?" he asked.

I thought of also adding an option to prompt the user to switch to "private mode" browsing when the program detects association with an unknown or public access point. If you want to know how to clear the Mobile Safari cache, just follow Apple's directions.

I will (hopefully) have some time to finish up a rough beta version of each service and get it out for review. In the interim, I would love to hear thoughts on the approaches and suggestions for new/alternate ones.

Loading mentions Retweet

File Quarantine Follow Up

Looks like you can duplicate the Chrome behaviour with Safari if you disable the "Open 'safe' files after downloading" setting in Safari's preferences.

Uploaded with plasq's Skitch!

Archive (.zip) files will not be expanded by Safari but will maintain the quarantine attribute. However, when you expand them in the Finder (which uses Archive Utility.app by default), they lose the quarantine attribute. Both Safari and Chrome clearly set the quarantine attribute on the zip file:

com.apple.quarantine: 0000;4b4d39a6;Safari.app;A8F6FF8E-0888-4B64-895E-4F18381EB478|com.apple.Safari
com.apple.quarantine: 0000;4b4d3931;Google\x20Chrome.app;6B67D0BE-0127-48CC-9823-2AEC2677A68F|com.google.Chrome

There is not much value in the attribute setting if it will not carry it through (inherit?) to the expansion operation, but I understand why it does (I deliberately chose to uncompress the archive). Since I am hesitant to modify the Info.plist for the Archive Utility.app as it is tucked neatly away in /System/Library/CoreServices/,an alternate solution is to disable the auto-open in Safari and make a folder action in the Downloads folder to use a modified Stuffit Expander (just tweak the quarantine setting) to open archive files when they appear in that location. I verified that it does what it should (keep the quarantine setting).

Yes, that is actual work to force one more click, but it keeps the expansion behaviour automatic and gives me one more opportunity to verify that I really want to open the file.

Loading mentions Retweet

Odd Google Chrome File Quarantine Behaviour On OS X

UPDATE: Here's what's going on

Most users are no doubt familiar with the file quarantine dialog they receive when downloading files from Safari and trying to open or execute them (only if Apple believes there is the potential for the content of the file to be malicious). While some have vilified this behaviour and others have just worked diligently to disable it completely, I find it a good cross between the overt nag dialogs of Vista and a complete lack of awareness of what is happening on my system (especially if a trusted site had been hacked and was telling Safari to do something without my knowledge). I have even blogged about it before.

Given that I expect this behaviour to be part of my regular experience, I noticed something odd when I was checking out the latest improvements in Vienna and downloaded the app using Google Chrome. Despite Google following the rules and having the proper setting for enabling file quarantine:

Uploaded with plasq's Skitch!

I was able to save and execute Vienna with no quarantine prompt. I attempted the same thing from Safari and did receive the prompt.

Uploaded with plasq's Skitch!

I tried it with a few more apps and saw the same "problem".

Astute readers may be aware that Chrome uses a "helper" app (Google Chrome Helper.app) to manage the process-per-tab functionality:

and may be thinking that the helper app does not have the property list entry set correctly. Unfortunately, this is not the case (it is set just like the main Chrome app).

I will keep digging to see why the expected behaviour is not what is happening in real life, but wonder if anyone else out there is experiencing the same issue.

Loading mentions Retweet