Carnegie Mellon system thwarts Internet eavesdropping

August 25, 2008

PITTSBURGH--The growth of shared Wi-Fi and other wireless computer networks has increased the risk of eavesdropping on Internet communications, but researchers at Carnegie Mellon University's School of Computer Science and College of Engineering have devised a low-cost system that can thwart these "Man-in-the-Middle" (MitM) attacks.

The system, called Perspectives, also can protect against attacks related to a recently disclosed software flaw in the Domain Name System (DNS), the Internet phone book used to route messages between computers.

The researchers -- David Andersen, assistant professor of computer science, Adrian Perrig, associate professor of electrical and computer engineering and public policy, and Dan Wendlandt, a Ph.D. student in computer science -- have incorporated Perspectives into an extension for the popular Mozilla Firefox v3 browser that can be downloaded free of charge at www.cs.cmu.edu/~perspectives/firefox.html.

Perspectives employs a set of friendly sites, or "notaries," that can aid in authenticating Web sites for financial services, online retailers and other transactions requiring secure communications. By independently querying the desired target site, the notaries can check whether each is receiving the same authentication information, called a digital certificate, in response. If one or more notaries report authentication information that is different than that received by the browser or other notaries, a computer user would have reason to suspect that an attacker has compromised the connection.
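The comparison described above can be sketched as follows. This is an added example, not code from the Perspectives project: the notary names, the SHA-256 fingerprint comparison, and the `min_answers` threshold for too few replies are assumptions made for illustration.

```python
import hashlib
from dataclasses import dataclass, field


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint of the certificate bytes one party observed."""
    return hashlib.sha256(cert_der).hexdigest()


@dataclass
class Verdict:
    status: str                      # "consistent", "suspect" or "unverified"
    dissenting: list = field(default_factory=list)
    unreachable: list = field(default_factory=list)


def check_with_notaries(browser_cert: bytes, notary_reports: dict,
                        min_answers: int = 2) -> Verdict:
    """notary_reports maps a notary name to the certificate bytes that notary
    received from the site, or None if the notary did not answer."""
    seen = fingerprint(browser_cert)
    dissenting, unreachable = [], []
    for name, cert in sorted(notary_reports.items()):
        if cert is None:
            unreachable.append(name)
        elif fingerprint(cert) != seen:
            # Two notaries that disagree with each other cannot both match
            # the browser, so this comparison also catches notary splits.
            dissenting.append(name)
    answers = len(notary_reports) - len(unreachable)
    if dissenting:
        status = "suspect"           # any disagreement: keep the warning
    elif answers < min_answers:
        status = "unverified"        # too few vantage points: fail closed
    else:
        status = "consistent"
    return Verdict(status, dissenting, unreachable)


# Constructed stand-ins for DER-encoded certificates (not real certificates).
SITE_CERT = b"constructed-cert: self-signed key of shop.example"
MITM_CERT = b"constructed-cert: key substituted on the local Wi-Fi"

if __name__ == "__main__":
    hotspot = {"notary-a": SITE_CERT, "notary-b": SITE_CERT, "notary-c": None}
    print(check_with_notaries(MITM_CERT, hotspot))   # browser is intercepted
    print(check_with_notaries(SITE_CERT, hotspot))   # all views agree
```

Only the "consistent" verdict would justify suppressing the browser's self-signed certificate warning; "suspect" and "unverified" both leave it in place.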

Certificate authorities, such as VeriSign, Comodo and GoDaddy, already help authenticate Web sites and reduce the risk of MitM attacks. The Perspectives system provides an extra measure of security in those cases but will be especially useful for the growing number of sites that do not use certificate authorities and instead use less expensive "self-signed" certificates.

"When Firefox users click on a Web site that uses a self-signed certificate, they get a security error message that leaves many people bewildered," Andersen said. Once Perspectives has been installed in the browser, however, it can automatically override the security error page without disturbing the user if the site appears legitimate.

The system also can detect if one of the certificate authorities may have been tricked into authenticating a bogus Web site and warn the Firefox user that the site is suspicious. "Perspectives provides an additional level of safety to browse the Internet," Perrig said. "To the security conscious user, that is a significant comfort."

Andersen said the increased use of wireless connections to the Internet has increased the risk of MitM attacks. These occur when an attacker tricks a computer user into believing that the user has established a secure link with a target site, such as a bank. In actuality, the computer user is communicating with the attacker's computer, which can eavesdrop as it relays communications between the user and the target site.

"It's very, very, very easy for someone to convince you to go through their computer" when making connections through public Wi-Fi, Andersen said. A user who thinks he is linked to an airport or coffee shop "hot spot," for instance, might actually be linked to a laptop of someone just a few seats away. "A lot of people wouldn't even know they've been attacked," he added.

Most Internet communications, such as to standard hypertext transfer protocol (HTTP) sites, are unsecured, but those involving encryption over Secure Sockets Layer (SSL) and those using the secure shell (SSH) protocol, which involves the use of a login and password, require that sites authenticate themselves with a digital certificate containing a so-called public key, which is used for encryption.

The exchange of this security information typically occurs without the computer user being aware of it. But when something isn't quite right, a dialogue box such as "Unable to verify the identity of XYZ.com as a trusted site" is displayed by the Web browser.

"Most users don't have a clue about what to do in those cases," Wendlandt said. "A lot of them just shrug and go ahead with the connection, potentially opening themselves up to attack."

A vulnerability disclosed in July in the DNS software poses a different problem for computer users, but one that also is addressed by Perspectives. The software flaw could enable an attack against an Internet Service Provider (ISP) that would cause the ISP to connect users with a malicious site instead of the legitimate site they were seeking. "With Perspectives, even if a client's ISP has fallen victim to the attack, the client will be able to detect that the public key received from the fake site is inconsistent with the results returned from the notaries," Wendlandt said.

Andersen, Perrig and Wendlandt have launched their own publicly available network of notary sites. They anticipate that ISPs, universities and large companies will eventually sponsor additional notary sites, in the same way that they voluntarily provide time servers and network diagnosis sites. More information is available at www.cs.cmu.edu/~perspectives/

This work was supported in part by Carnegie Mellon's CyLab under grants from the Army Research Office and the National Science Foundation, as well as by the Department of Homeland Security.

About Carnegie Mellon: Carnegie Mellon is a private research university with a distinctive mix of programs in engineering, computer science, robotics, business, public policy, fine arts and the humanities. More than 10,000 undergraduate and graduate students receive an education characterized by its focus on creating and implementing solutions for real problems, interdisciplinary collaboration, and innovation. A small student-to-faculty ratio provides an opportunity for close interaction between students and professors. While technology is pervasive on its 144-acre Pittsburgh campus, Carnegie Mellon is also distinctive among leading research universities for the world-renowned programs in its College of Fine Arts. A global university, Carnegie Mellon has campuses in Silicon Valley, Calif., and Qatar, and programs in Asia, Australia and Europe. For more, see www.cmu.edu.

Carnegie Mellon University
