[Cryptography] Using crypto to address clickjacking (was "Re: Augmented Reality Encrypted Displays")

Kevin W. Wall kevin.w.wall at gmail.com
Sat Aug 29 14:13:08 EDT 2015


On Fri, Aug 28, 2015 at 2:53 PM, Henry Baker <hbaker1 at pipeline.com> wrote:
> At 10:09 AM 8/28/2015, Phillip Hallam-Baker wrote:
>>On Thu, Aug 27, 2015 at 9:55 PM, Ray Dillinger <bear at sonic.net> wrote:
>>
>>On 08/22/2015 08:22 AM, Henry Baker wrote:
>>
>>> Visual cryptography [26] is a cryptographic secret-sharing
>>> scheme where visual information is split into multiple shares,
>>> such that one share by itself is indiscernible from random
>>> noise.
>
> The web may be *forced* into using something like "visual
> cryptography" in order to get around "clickjacking", whereby
> the user is tricked into clicking on the wrong button (or the
> right button for the wrong reasons).  It's getting harder &
> harder for a web site to know & guarantee that what it thinks
> is being displayed is actually what a user sees & is agreeing
> to.  See Dan Kaminsky's recent DEFCON talk for more info:

Slightly OT for crypto, but I'll toss this out. I just think crypto
is overkill for addressing clickjacking attacks.

Just about every recent version of every modern browser supports
the X-Frame-Options HTTP response header which, when used
correctly and consistently, is effective in preventing all known
clickjacking (aka, UI redress) attacks. It's also dirt simple to
deploy and can even be deployed separate from the application
in a reverse proxy (e.g., in Apache HTTPD using mod_headers
and mod_proxy). Defeating clickjacking is not going to require
some complicated crypto-based solution. In fact, it is among
the simplest web-based attacks to prevent. The reason that it
is so prevalent has more to do with developer ignorance than
any other reason.  (That and many applications think they are
already defeating it with very simplistic anti-framing JavaScript
code which is usually easily defeated. A JavaScript solution
is also possible [and useful for older browsers], but it requires
more than the naive JavaScript solutions normally deployed.) Using
Content Security Policy is another way to address clickjacking attacks
that can provide finer grained control, but CSP is much more difficult
to deploy.

If you're concerned about clickjacking in malvertising that Kaminsky
refers to because the developers are lax in protecting you, you can
always use the NoScript plugin in Firefox. (That prevents you from some
pretty nasty Cross-Site Scripting attacks as well.) Ultimately though,
a solution similar to W3C's IronFrame proposal that Kaminsky talked
about will probably become THE clickjacking solution if only because
we can't count on web developers to secure their applications from
this attack. (If we could, this attack would have been wiped out
by now.) And while NoScript is great for security, it's a little
more intrusive than most users are willing to tolerate and it only
works on Firefox, so we need a general solution that is part of the
browser. It was hoped that X-Frame-Options would be that solution,
but unfortunately that requires the cooperation of web developers
who are actually aware of the clickjacking issues and care enough
to fix it.

-kevin
--
NSA: All your crypto bits are belong to us.
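
Added example, not part of the original message: a small Python audit of a response's anti-framing headers, illustrating what using X-Frame-Options "correctly and consistently" (or CSP's frame-ancestors directive) means in practice. The function names and the sample header sets are constructed for illustration.

```python
# Added example (not from the original post): audit anti-framing response headers.
VALID_XFO = {"DENY", "SAMEORIGIN"}  # ALLOW-FROM is not honoured by current browsers


def frame_ancestors(csp_values):
    """Return the first frame-ancestors source list found, or None if absent."""
    for value in csp_values:
        for policy in value.split(","):  # a comma separates policies in one header
            for directive in policy.split(";"):
                tokens = directive.split()
                if tokens and tokens[0].lower() == "frame-ancestors":
                    return [t.lower() for t in tokens[1:]]
    return None


def audit_framing(headers):
    """headers: list of (name, value) pairs. Returns (verdict, notes)."""
    xfo = set()
    for name, value in headers:
        if name.lower() == "x-frame-options":
            xfo.update(t.strip().upper() for t in value.split(",") if t.strip())
    fa = frame_ancestors(v for n, v in headers if n.lower() == "content-security-policy")
    if not xfo and fa is None:
        return "missing", ["no anti-framing header present"]
    notes = []
    # Exactly one recognised value; repeated headers that disagree are a finding.
    xfo_ok = len(xfo) == 1 and xfo <= VALID_XFO
    if xfo and not xfo_ok:
        notes.append("X-Frame-Options invalid or conflicting: " + ", ".join(sorted(xfo)))
    # '*' or a bare scheme such as 'https:' lets any site frame the page.
    fa_ok = fa is not None and not any(s == "*" or s.endswith(":") for s in fa)
    if fa is not None and not fa_ok:
        notes.append("frame-ancestors permits arbitrary framing: " + " ".join(fa))
    if fa_ok and not xfo_ok:
        notes.append("add X-Frame-Options for browsers without frame-ancestors support")
    # Browsers that support frame-ancestors use it in preference to X-Frame-Options.
    effective_ok = fa_ok if fa is not None else xfo_ok
    return ("protected" if effective_ok else "weak"), notes


if __name__ == "__main__":
    samples = {  # constructed responses, one per common deployment mistake
        "deny": [("X-Frame-Options", "DENY")],
        "duplicate": [("X-Frame-Options", "SAMEORIGIN"), ("x-frame-options", "DENY")],
        "csp-only": [("Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'")],
        "bare": [("Content-Type", "text/html")],
    }
    for label, hdrs in samples.items():
        print(label, audit_framing(hdrs))
```

The same check can be run against the headers a reverse proxy actually emits, which catches the case where the application and the proxy each add their own, disagreeing X-Frame-Options value.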

