This problem set is due Monday November 9, at 11:59pm.
You can work together on this homework with others if you want, but your writeup must be your own. You may use any source you like (including other papers or textbooks), but if you use any source not discussed in class, you must cite it.
Clarification (added 11/3): You can submit the homework by emailing it to cs261hw2@taverner.cs.berkeley.edu.
Suppose I come up with a super-sekrit ultra-c00l new attack on browsers. In particular, I have a special URL, and if I can get your browser to visit that URL, then you are totally owned: I can take control of your browser and your account. List three or four ways I could cost-effectively get a large number of users to follow a link to my special URL.
Next week Google comes up with a clever way to enable users to log into third-party web sites using their Google account, without needing a separate account or a password for the third-party site. Here's an example illustrating how their scheme works. In this example, third-party site Flyertalk decides to take advantage of this scheme to enable Google users to log into Flyertalk using their Google account and Google password.
Background: A secure cookie is one with the Secure flag set, so that the browser returns it to Google only over https (it is never sent over any http connection). A persistent cookie is one with an expiration date set far in the future, so that my browser retains it even if I close the browser and start it up again (a cookie with no expiration date is a session cookie, discarded when the browser closes).
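To make the two cookie attributes concrete, here is a toy browser cookie jar, added as an illustration for this background paragraph and not part of the assignment or of any real browser. It models only the Secure flag and persistence (Max-Age / Expires); the Set-Cookie headers, the cookie names and the google.com URLs it uses are constructed for the example, and Domain/Path matching, which a real browser also performs, is deliberately left out.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from urllib.parse import urlsplit


def parse_set_cookie(header):
    """Split a Set-Cookie header value into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


class BrowserCookieJar:
    """Toy cookie jar modelling only the Secure flag and persistence.
    (Hypothetical model for illustration; real browsers also match Domain and Path.)"""

    def __init__(self):
        self._jar = {}

    def receive(self, set_cookie_header, received_at):
        """Store a cookie from a response received at time received_at."""
        name, value, attrs = parse_set_cookie(set_cookie_header)
        expires = None  # None = session cookie: discarded when the browser closes
        if "max-age" in attrs:  # Max-Age takes precedence over Expires
            expires = received_at + timedelta(seconds=int(attrs["max-age"]))
        elif "expires" in attrs:
            expires = parsedate_to_datetime(attrs["expires"])
        self._jar[name] = {"value": value, "secure": "secure" in attrs, "expires": expires}

    def restart_browser(self):
        """Closing and reopening the browser keeps only persistent cookies."""
        self._jar = {n: c for n, c in self._jar.items() if c["expires"] is not None}

    def cookies_for(self, url, now):
        """Cookies the browser would attach to a request for url at time now."""
        scheme = urlsplit(url).scheme
        sent = {}
        for name, c in self._jar.items():
            if c["expires"] is not None and c["expires"] <= now:
                continue  # expired
            if c["secure"] and scheme != "https":
                continue  # Secure cookies never travel over plain http
            sent[name] = c["value"]
        return sent


def demo():
    """Constructed Set-Cookie headers (not real Google cookies) exercising all four
    combinations of Secure / persistent. Returns what the browser would send in
    four situations."""
    t0 = datetime(2009, 11, 3, 12, 0, tzinfo=timezone.utc)
    jar = BrowserCookieJar()
    jar.receive("SID=persistent-login-token; Secure; Max-Age=31536000; Path=/", t0)  # secure, persistent
    jar.receive("LOGIN=session-login-token; Secure; Path=/", t0)                     # secure, session
    jar.receive("NID=pref-token; Expires=Wed, 03 Nov 2010 12:00:00 GMT; Path=/", t0)  # plain, persistent
    jar.receive("PREF=en; Path=/", t0)                                                 # plain, session
    over_https = jar.cookies_for("https://www.google.com/accounts/", t0)
    over_http = jar.cookies_for("http://www.google.com/search", t0)  # what an eavesdropper on http sees
    jar.restart_browser()
    after_restart = jar.cookies_for("https://www.google.com/accounts/", t0 + timedelta(days=1))
    a_year_later = jar.cookies_for("https://www.google.com/accounts/", t0 + timedelta(days=366))
    return over_https, over_http, after_restart, a_year_later


if __name__ == "__main__":
    for label, cookies in zip(("https", "http", "after restart", "a year later"), demo()):
        print(f"{label:14} -> {cookies}")
```

The http request receives only the two cookies without the Secure flag, and the browser restart discards the two session cookies, which is exactly the behaviour the eavesdropping and shared-machine questions below turn on.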
(a) How well does Google's scheme resist phishing attacks?
(b) How well does Google's scheme resist DNS spoofing attacks, if the attacker controls part or all of DNS?
(c) How well does Google's scheme resist eavesdropping attacks, if the attacker can eavesdrop on my communications? (e.g., I log into Flyertalk over an unencrypted wireless connection to the Internet.)
(d) Why is it important that Google's scheme include the third-party site (flyertalk.com) in the identifier?
(e) Are there any other attacks or security concerns with Google's scheme?
Clarification (added 11/3): In Step 5, Google obtains the name of the third-party site by parsing the content of the to=... field in the URL to extract the domain name of the third-party site.
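The extraction step in this clarification is where the to=... value, which the attacker can choose freely when crafting a login link, meets the relying-party name used in the identifier. The following is an added example, not Google's code and not part of the assignment: a small model of that step, contrasting a sloppy substring test with a parse of the to= value as a URL, run over constructed login URLs (the google.com endpoint path, the evil.example host and the allowlist check against flyertalk.com are all assumptions for the example).

```python
from urllib.parse import parse_qs, urlsplit

# The assignment names flyertalk.com as the third-party site; the allowlist
# check below is a hypothetical way of using that name, not Google's scheme.
THIRD_PARTY = "flyertalk.com"


def to_field(login_url):
    """Return the percent-decoded value of the to= query parameter, or None."""
    values = parse_qs(urlsplit(login_url).query).get("to")
    return values[0] if values else None


def third_party_host(login_url):
    """Strict extraction: parse to= as a URL and return its host, or None when it
    is not an absolute http(s) URL. hostname drops userinfo ("flyertalk.com@evil")
    and any port, and is lowercased."""
    to = to_field(login_url)
    if to is None:
        return None
    parts = urlsplit(to)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    return parts.hostname.rstrip(".")


def is_third_party_strict(login_url):
    """Exact match or a proper subdomain of the allowed site."""
    host = third_party_host(login_url)
    return host is not None and (host == THIRD_PARTY or host.endswith("." + THIRD_PARTY))


def is_third_party_naive(login_url):
    """Sloppy extraction: any to= value that contains the site name counts."""
    to = to_field(login_url)
    return to is not None and THIRD_PARTY in to


# Constructed login URLs; the /accounts/Login path is made up for illustration.
LOGIN = "https://www.google.com/accounts/Login?to="
CASES = [
    LOGIN + "http://flyertalk.com/forum/",                 # genuine
    LOGIN + "http%3A%2F%2Fwww.flyertalk.com%2Fforum",      # genuine, percent-encoded
    LOGIN + "http://flyertalk.com.evil.example/",          # attacker-controlled subdomain
    LOGIN + "http://flyertalk.com@evil.example/",          # site name in the userinfo part
    LOGIN + "http://evil.example/?next=flyertalk.com",     # site name in the query string
    LOGIN + "javascript:alert(document.cookie)",           # not an http(s) URL at all
]


def classify(login_url):
    """(naive verdict, strict verdict, host the strict parser extracted)."""
    return (is_third_party_naive(login_url),
            is_third_party_strict(login_url),
            third_party_host(login_url))


if __name__ == "__main__":
    for url in CASES:
        naive, strict, host = classify(url)
        print(f"naive={naive!s:5} strict={strict!s:5} host={host!r:30} {url}")
```

The three hostile cases are accepted by the substring test and rejected by the URL parse: the host that ends up in the identifier must be the one the browser will actually be redirected to, not merely a string that appears somewhere in the parameter.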
You've been assigned two htmlfilter implementations that were submitted to me in HW1. Your goal: assess whether the implementations meet the security goals set out in HW1. (You do not need to review how well they meet the functionality requirements.)
To begin, I will email you your assigned implementations. Implementations are identified by a two-digit code (e.g., 17.tar); I will assign you two of those implementations. Download those two implementations from this directory. Critique the design and implementation of both.
(a) What is the two-digit ID number of your first assigned implementation? What are its main security weaknesses? Or, if you found none, what are the best features of its design/implementation?
(b) What is the two-digit ID number of your second assigned implementation? What are its main security weaknesses? Or, if you found none, what are the best features of its design/implementation?
(c) If you were forced to choose between these two implementations, which one would you judge to be more likely to meet its security goals? Why?
Promise: Your answers on this homework will not affect the grades of anyone else. You can feel free to critique an implementation honestly and frankly without fearing that your comments will have any negative effect on that person's grade. Grades for HW1 will have already been assigned by the time I see your solution. I will not show your evaluation to the authors of your assigned implementations.