ELECTRONIC COMMERCE UPDATE

January/February 1997


Web Spoofing Is No Laughing Matter


Security — or the lack thereof — looms as the major stumbling block threatening the growth of electronic commerce. Now comes word of a major security flaw in the World Wide Web known as "Web spoofing." According to Edward Felten, head of Princeton University's Safe Internet Programming Team (SIP) (http://www.cs.princeton.edu/sip), this breach allows any Internet server to place itself between a user and the rest of the Web. In that middle position, the server may observe, steal and alter any information passing between the unfortunate browser and the Web.

Felten's discovery applies to all major Web browsers currently in use, including Netscape Navigator and Microsoft Internet Explorer. Using Web spoofing, a person can acquire passwords, credit card numbers, account numbers, and other private information, even if transmitted over an apparently secure connection. Felten presented his findings at the Internet World Expo held in December in New York City.

According to Felten, "Web spoofing is a kind of electronic con game in which the attacker creates a convincing but false copy of the entire Web. The false Web looks just like the real one: it has all the same pages and links. However, the attacker controls the false Web, so that all network traffic between the victim's browser and the Web goes through the attacker." He compared Web spoofing to phony ATM machines, in which a bank card user is led to believe he or she is actually entering their personal identification numbers (PINs) into a secure automated teller, when in reality they are being conned by a bogus ATM "shell."

As Felten explained, Web spoofing allows somebody to monitor all of the victim's activities, including any passwords or account numbers being entered. The attacker is also able to cause false or misleading data to be sent to Web servers in the victim's name, or to the victim in the name of any Web server. "In short," Felten warned, "the attacker observes and controls everything the victim does on the Web."

The key to foiling Web spoofing is to be able to identify when a phony URL appears in the browser's location line. Felten's team has come up with the following short-term solution:

"This strategy," he suggested, "will significantly lower the risk of attack, though you could still be victimized if you are not conscientious about watching the location line." The Princeton SIP team has not yet identified a fully satisfactory long-term solution to this problem, although changing browsers so they always display the location line seems to be of some help.
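The defense Felten describes comes down to reading the location line carefully. The following is an added illustration, not code from the newsletter or from the Princeton SIP team, of what "checking the location line" means mechanically: it compares the displayed URL against the host the user intended to reach, flags a connection that is not https, and flags the rewriting pattern the SIP team's paper described, in which the real site's URL is embedded inside another server's URL. The hostnames `www.bank.example` and `www.other.example` are constructed sample values.

```javascript
// Added example: inspect a browser location-line URL the way a careful user
// would, and report anything that suggests the page is not the one intended.
// Uses the WHATWG URL class available in Node.js and in browsers.

function checkLocationLine(locationLine, expectedHost) {
  const findings = [];
  let url;
  try {
    url = new URL(locationLine);
  } catch (e) {
    return { ok: false, findings: ["location line is not a parseable URL"] };
  }

  // 1. The host shown must be the host the user meant to visit.
  if (url.hostname !== expectedHost.toLowerCase()) {
    findings.push(`host is ${url.hostname}, expected ${expectedHost}`);
  }

  // 2. A complete URL embedded in the path or query of another URL is the
  //    hallmark of a rewriting proxy: the real destination has been wrapped
  //    inside someone else's server address.
  const embedded = /https?:\/\/[^\s/?#]+/i.exec(url.pathname + url.search);
  if (embedded) {
    findings.push(`another URL is embedded in the location: ${embedded[0]}`);
  }

  // 3. Anything carrying passwords or card numbers should be over https.
  if (url.protocol !== "https:") {
    findings.push(`connection is ${url.protocol} rather than https:`);
  }

  return { ok: findings.length === 0, findings };
}

// Constructed sample location lines for demonstration.
const samples = [
  "https://www.bank.example/login",
  "http://www.other.example/https://www.bank.example/login",
  "https://www.other.example/?next=http://www.bank.example/",
  "not a url at all",
];

if (typeof require !== "undefined" && require.main === module) {
  for (const s of samples) {
    const result = checkLocationLine(s, "www.bank.example");
    console.log(result.ok ? "OK     " : "SUSPECT", s);
    for (const f of result.findings) console.log("        - " + f);
  }
}
```

The check is only as good as the user's idea of which host they meant to reach, which is exactly the weakness Felten points out: a spoofed site that also hides or redraws the location line defeats any inspection of it.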

Caveat emptor.




Electronic Commerce Update Copyright © 2020 - Lionheart Publishing Inc. All rights reserved.