Welcome to Machers Blog

Monday, December 22, 2008

Google Chrome Receives Lowest Password Security Score

Safari Ties for Last Place

12/12/2008 — Google's new web browser may be fast and slim, but the password management features it offers are full of bugs. Chapin Information Services (CIS) reported critical vulnerabilities in this software during its beta period, all of which were unfixed at release time.

Among the problems are three in particular that, when combined, allow password thieves to take passwords without the user's knowledge:

1. The destination where passwords are sent is not checked.
2. The location where passwords are requested is not checked.
3. Invisible form elements can trigger password management.

A technique described and demonstrated by CIS two years ago leveraged such vulnerabilities without using client-side scripting. The implication was that an attacker need not have full control over a target server or a victim's computer to obtain a password from their web browser.

These three problems, combined with seventeen others so far identified in Chrome's password manager, form a toxic soup of potential vulnerabilities that can coalesce into broad insecurity.

Currently, the password manager that is closest to solving the first three problems is built into Opera 9.62. With invisible form elements deactivated, options to limit saved passwords to a single page, and partial destination checking, this is certainly one of the more worry-free products.

Also new to this round of testing is Safari 3.2 for Windows. Safari and Chrome are essentially tied for the worst password manager built into a major web browser. Third-party applications and plugins that were tested in July also tended to score very low overall, but still offered more inherent security than either Safari or Chrome.

For example, RoboForm, which scores much lower than Opera and Firefox, at least gives its user the comfort of knowing passwords won’t be saved or transmitted without their personal attention. Used in combination with a more reliable browser, it would also be free of the broken URI parsing CIS found in both Safari and Chrome.

Take your browser for a test drive in version 2.0 of our interactive password management demonstration at the CIS website.


CIS Testing Results

| Test Performed | Opera 9.62 | Firefox 3.0.4 | Internet Explorer 7.0 | Safari 3.2 | Google Chrome 1.0 |
|---|---|---|---|---|---|
| Action Authority Checked on Retrieval | PASSED | PASSED | FAILED | FAILED | FAILED |
| Action Authority Checked on Save | FAILED | PASSED | FAILED | FAILED | FAILED |
| Action Authority Raises Warnings | FAILED | FAILED | FAILED | FAILED | FAILED |
| Action Path Checked on Retrieval | FAILED | FAILED | FAILED | FAILED | FAILED |
| Action Path Checked on Save | FAILED | FAILED | FAILED | FAILED | FAILED |
| Action Scheme Checked on Retrieval | PASSED | PASSED | FAILED | FAILED | FAILED |
| Action Scheme Checked on Save | FAILED | PASSED | FAILED | FAILED | FAILED |
| Action Scheme Raises Warnings | FAILED | FAILED | FAILED | FAILED | FAILED |
| Action Scheme Prevented if Unsafe | FAILED | FAILED | FAILED | FAILED | FAILED |
| Autocomplete=Off Prevents Form Fills * | FAILED | ? | FAILED | FAILED | PASSED |
| Invisibility Prevents Form Fills | PASSED | FAILED | PASSED | PASSED | FAILED |
| Method Checked on Retrieval | FAILED | FAILED | FAILED | FAILED | PASSED |
| Method Raises Warnings | FAILED | FAILED | FAILED | FAILED | FAILED |
| Multiple Paths Per User Per Authority | FAILED | FAILED | FAILED | FAILED | FAILED |
| Multiple Ports Per User Per Host | FAILED | PASSED | FAILED | FAILED | FAILED |
| Multi. Schemes Per User Per Authority | FAILED | PASSED | FAILED | FAILED | FAILED |
| Page Path Checked on Retrieval | PASSED | FAILED | PASSED | FAILED | FAILED |
| Random Name Attr. Prevents Form Fills | PASSED | FAILED | FAILED | FAILED | FAILED |
| User Required for PW Retrieval | PASSED | FAILED | PASSED | FAILED | FAILED |
| User Required for PW Save | FAILED | FAILED | PASSED | PASSED | FAILED |
| Valid URIs Don't Break Anything | PASSED | PASSED | PASSED | FAILED | FAILED |
| Totals | 7 | 7 | 5 | 2 | 2 |



* Google Chrome is the only PM that strictly adheres to the criteria for auto complete by disabling itself. Firefox 3.0.4 will avoid filling a password when the page loads, but the PM remains attached to password fields for filling passwords.

Test Descriptions
Action Authority Checked on Retrieval
To pass this test, the PM must never deliver a password to a domain other than the one to which the password was delivered when it was saved. For example, if a password is saved on a self-referring form, and then automatically filled in another form that points to a different website, then the PM has failed this test.

Action Authority Checked on Save
To pass this test, the PM must never overwrite the destination domain name of a password without explicit user interaction. For example, if a password is first saved on a self-referring form, and then re-saved on a form that points to a different website, and the PM prevents the password from being filled on the original form, then the PM has failed this test. Note the implicit requirement that a PM must distinguish authorities on retrieval.

Action Authority Raises Warnings
To pass this test, the PM must warn the user if the action authority does not match the page authority. For example, if a login form at www.info-svc.com:80 points to google.com or to www.info-svc.com:81, and the PM allows a user to save or submit a password using this form without notice, then the PM has failed this test.

Action Path Checked on Retrieval
To pass this test, the PM must never deliver a password to a path other than the one to which the password was delivered when it was saved. For example, if a password is saved on a self-referring form, and then automatically filled in another form that points to a different parent directory, then the PM has failed this test.

Action Path Checked on Save
To pass this test, the PM must never overwrite the destination path of a password without explicit user interaction. For example, if a password is first saved on a self-referring form, and then re-saved on a form that points to a parent directory, and the PM prevents the password from being filled on the original form, then the PM has failed this test. Note the implicit requirement that a PM must distinguish paths on retrieval.

Action Scheme Checked on Retrieval
To pass this test, the PM must never deliver a password using a protocol other than the one by which the password was delivered when it was saved. For example, if a password is saved on a self-referring web page, and then automatically filled in another form that uses e-mail to deliver the password, then the PM has failed this test.

Action Scheme Checked on Save
To pass this test, the PM must never overwrite the destination scheme of a password without explicit user interaction. For example, if a password is first saved on an http: form, and then re-saved on a form that uses https: or mailto: and the PM prevents the password from being filled on the original form, then the PM has failed this test. Note the implicit requirement that a PM must distinguish schemes on retrieval.

Action Scheme Raises Warnings
To pass this test, the PM must warn the user if the action scheme is potentially unsafe or does not match the page scheme. For example, if a login form uses an e-mail application that will display the password on screen, and the PM allows the user to save or submit a password using this form without notice, then the PM has failed this test.

Action Scheme Prevented if Unsafe
To pass this test, the PM must successfully abort a password delivery if requested by the user.

Autocomplete=Off Prevents Form Fills
To pass this test, the PM must never deliver a password when the auto complete attribute is present and set to "off".

Invisibility Prevents Form Fills
To pass this test, the PM must never deliver a password using a form that is not visible. For example, if a login form is present on a web page but has its display property set to none, and the PM automatically fills the form allowing the password to be transmitted despite being invisible, then the PM has failed this test.

Method Checked on Retrieval
To pass this test, the PM must never deliver a password using an HTTP method other than the one by which the password was delivered when it was saved. For example, if a password is saved on a form that uses POST, and then automatically filled in another form that uses GET to deliver the password, then the PM has failed this test.

Method Raises Warnings
To pass this test, the PM must warn the user if the password submission method is potentially unsafe. For example, if a login form uses GET, which causes the password to be added to the address bar, and the PM allows the user to save or submit a password using this form without notice, then the PM has failed this test.

Multiple Paths per User per Authority
To pass this test, the PM must allow a user to save different passwords in different paths of a single domain using the same user name. Note the implicit requirement that a PM must distinguish paths in both the action URI and page URI.

Multiple Ports per User per Authority
To pass this test, the PM must allow a user to save different passwords using different ports on a single domain using the same user name. Note the implicit requirement that a PM must distinguish ports in both the action URI and page URI.

Multiple Schemes per User per Authority
To pass this test, the PM must allow a user to save different passwords using different schemes on a single domain using the same user name. Note the implicit requirement that a PM must distinguish schemes in both the action URI and page URI.

Page Path Checked on Retrieval
To pass this test, the PM must never deliver a password to a path other than the one at which the password was requested when it was saved. For example, if a password is saved on a self-referring form, and then automatically filled in another form that points to the same path but is located in the parent directory, then the PM has failed this test.

Random Name Attribute Prevents Form Fills
To pass this test, the PM must never fill a password in a form field whose name attribute does not match the name of the field that was used to save the password.

User Required for Password Retrieval
To pass this test, the PM must never fill a password without explicit user interaction.

User Required for Password Save
To pass this test, the PM must never save or overwrite a password without explicit user interaction. For example, if a password is saved with a username, and then the same form is re-submitted with the same username and a different password, and the PM then fills the new password into forms instead of the original password, then the PM has failed this test.

Valid URIs Don't Break Anything
To pass this test, the PM must never submit a password to the wrong URI or fail to submit a password to a valid URI as a result of erroneous action attribute parsing. For example, if the action attribute value is "mailto:localpart@www.info-svc.com" and the PM delivers a password to "http://www.info-svc.com/mailto:localpart@www.info-svc.com" then the PM has failed this test.
