|CSE Home||Security and Privacy||About Us||Search||Contact Info|
With a web-based measurement tool called a "web tripwire," we found that approximately 1% of 50,000 visitors received pages that had been changed "in-flight." Most of these changes were caused by software that users installed on their computer (such as personal firewalls or ad blockers), but many were caused by agents in the network, such as ISPs and enterprise firewalls. Worse, we found that many of the products that users installed introduced bugs or security vulnerabilities into the web pages they requested.
The rest of this page provides more information about the results of the measurement study we conducted with web tripwires (once hosted on vancouver.cs.washington.edu), and how you can use web tripwires on your own web pages. We have a web tripwire installed on this page, and its results should be shown at the top of the page. Further details about our study are available in several forms:
More information about how the web tripwire works can be found on the page linked above. At a basic level, it detects most textual changes to the page's HTML. It is not triggered by browser extensions (which are part of the browser), but it will detect proxy software installed on the user's computer. It is also not secure: adversaries could tamper with or remove the web tripwire if they wish to avoid detection. In most current cases, however, it will detect any changes to the page.
|Popup Blocker||277||Zone Alarm (210), CA Personal Firewall (17), Sunbelt Popup Killer (12)|
|Ad Blocker||188||Ad Muncher (99), Privoxy (58), Proxomitron (25)|
|Problem in Transit||118||Blank Page (107), Incomplete Page (7)|
|Compression||30||bmi.js (23), Newlines removed (6), Image Distillation (1)|
|Security or Privacy||17||Blue Coat (15), The Cloak (1), AnchorFree (1)|
|Ad Injector||16||MetroFi (6), FairEagle/NebuAd (5), LokBox (1), Front Porch (1), PerfTech (1), Edge Technologies (1)|
|Meta Tag Changes||12||Removed meta tags (8), Reformatted meta tags (4)|
|Malware||3||W32.Arpiframe (2), Adware.LinkMaker (1)|
|Miscellaneous||3||New background color (1), IE Mark of the Web (1)|
These changes were made by agents that had incentives to change the page, but their goals were not always in line with the goals of the user or the publisher. For example:
Worse than this, we found several types of page changes that caused our page to become vulnerable to a cross site scripting (XSS) attack. Products such as Ad Muncher and the Sidki and Grypen filter sets for Proxomitron introduced code that was vulnerable to attack. These vulnerabilities were significant because they affected most or all of the web pages that a user visited. In the case of Proxomitron (but not Ad Muncher), the vulnerabilities could affect HTTPS traffic as well. This type of problem is analogous to a root exploit for an operating system, because it can potentially affect all pages that a user visits.
In these cases, an attacker could convince a user to follow a link that injected script code into almost any web page. This script code could steal a user's session cookie (e.g., on Facebook), modify login forms to steal passwords (e.g., on many banks), or manipulate the contents of any page (e.g., search results on Google).
We have reported the vulnerabilities we found, and the developers have released versions that fix the vulnerabilities as of Fall 2007. If you are using older versions of the products above, be sure to update as soon as possible.
Overall, these problems indicate that web page rewriting software can have dangerous consequences if it is not carefully analyzed. Users should understand these consequences when using web proxies.
To make web tripwires easy to deploy, we have developed a configurable toolkit that can be hosted by a web publisher. The toolkit is available under a BSD-style open source license, and it is effective for most web pages with static content. It consists of two Perl CGI scripts that integrate web tripwires into a given web page.
Download Web Tripwire Toolkit
Web Tripwire Toolkit License
Copyright (c) 2007 Charles Reis All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 3. Neither the name of the University of Washington nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Two examples of pages that use the toolkit are linked below.
Computer Science & Engineering|
University of Washington
Seattle, WA 98195-2350
(206) 543-1695 voice, (206) 543-2969 FAX
[comments to creis]