Patent Grant
9083727
Individuals are increasingly using the Internet to conduct financial and other sensitive transactions. For example, an individual might visit a bank website to check balance information or transfer money between accounts. Unfortunately, a variety of techniques are available to criminals and others with nefarious motives who wish to eavesdrop on or otherwise compromise the security that the individuals believe protect their transactions. As one example, unsuspecting users can be tricked into visiting a compromised or otherwise illegitimate copy of a legitimate website. As another example, the communications between the user and the legitimate website can be intercepted. Such communications can be intercepted even when protections such as TLS are employed, through the use of man-in-the-middle and other attacks.
Various embodiments of the invention are disclosed in the following detailed description and the accompanying drawings.
The invention can be implemented in numerous ways, including as a process; an apparatus; a system; a composition of matter; a computer program product embodied on a computer readable storage medium; and/or a processor, such as a processor configured to execute instructions stored on and/or provided by a memory coupled to the processor. In this specification, these implementations, or any other form that the invention may take, may be referred to as techniques. In general, the order of the steps of disclosed processes may be altered within the scope of the invention. Unless stated otherwise, a component such as a processor or a memory described as being configured to perform a task may be implemented as a general component that is temporarily configured to perform the task at a given time or a specific component that is manufactured to perform the task. As used herein, the term ‘processor’ refers to one or more devices, circuits, and/or processing cores configured to process data, such as computer program instructions.
A detailed description of one or more embodiments of the invention is provided below along with accompanying figures that illustrate the principles of the invention. The invention is described in connection with such embodiments, but the invention is not limited to any embodiment. The scope of the invention is limited only by the claims and the invention encompasses numerous alternatives, modifications and equivalents. Numerous specific details are set forth in the following description in order to provide a thorough understanding of the invention. These details are provided for the purpose of example and the invention may be practiced according to the claims without some or all of these specific details. For the purpose of clarity, technical material that is known in the technical fields related to the invention has not been described in detail so that the invention is not unnecessarily obscured.
Suppose a user of client device 102 (hereinafter “Alice”) has a set of bank accounts with a financial institution known as “ACME Bank, Inc.” ACME Bank has a website 128 accessible via the URI: www.acmebank.secure. The top level domain (TLD) of the site is “.secure.” As will be described in more detail below, ACME Bank can also employ domains with other top level labels, such as “www.acmebank.com,” “www.acmebank.safe,” and/or “www.acmebank.bank” and can also redirect users to www.acmebank.secure from those domains if desired.
In some embodiments browser 104 has a Domain Name System (DNS) cache 110. If the resolution of www.acmebank.secure to an IP address is not present in cache 110, browser 104 connects with DNS resolver 114 provided by operating system 108 (e.g., via network subsystem 204). DNS resolver 114 has its own cache 112. If the resolution is not present in cache 112, DNS resolver 114 contacts the DNS resolver 120 of client 102's ISP 116. DNS resolver 120 has its own cache 118 and also a hints file usable to identify root nameservers such as root nameserver 122. If the resolution is not present in cache 118, DNS resolver 120 will iteratively query nameservers 122-126 until it ultimately receives an answer that includes an IP address for site 128. In various embodiments, each of the responses provided by each of the nameservers (whether a referral to another nameserver or the IP address) is DNSSEC signed. As shown, nameserver 124 is authoritative for the “.secure” TLD, and nameserver 126 is authoritative for the second level domain “acmebank.secure.” In various embodiments, caches 118, 112, and 110 are configured to cache the results of the DNS queries.
Included in browser 104 is a policy engine 208 that determines whether the TLD (e.g., “.secure”) of the site to which Alice is attempting access is included in a list of particular TLDs (also referred to herein as the list of “higher trust” TLDs). As will be described in more detail below, if a given TLD is included in the list, policy engine 208 determines an appropriate policy to be applied and enforces the policy.
In some embodiments, each of components 202-208 is included in the browser application by the browser vendor. In other embodiments, elements such as policy engine 208 are provided by one or more third parties (e.g., as a plugin or extension). Whenever browser 104 is described as performing a task, either a single component or a subset of components or all components of browser 104 may cooperate to perform the task. Similarly, whenever a component of browser 104 is described as performing a task, a subcomponent may perform the task and/or the component may perform the task in conjunction with other components.
Process 300 begins at 302 when a domain is received as input. As one example, the domain “www.acmebank.secure” is received as input at 302 when Alice types the address into the address bar in her browser. As another example, a domain is received as input as a result of a redirect (described in more detail below). As yet another example, a domain is received as input when Alice clicks on a hyperlink rendered in graphical user interface (GUI) 202 by rendering engine 206.
At 304, a determination is made that the domain is associated with a particular TLD. As one example, a determination is made that “www.acmebank.secure” is associated with the TLD, “.secure,” which appears in the list of higher trust TLDs stored by browser 104.
At 306, a policy is obtained. As one example, the policy is obtained from a nameserver, such as nameserver 124 or nameserver 126, as a DNS request described in more detail below. As another example, one or more default policies 210 (also referred to herein as “base policies”) are stored by browser 104 and an appropriate default policy is selected at 306. In some embodiments, browser 104 includes a policy database 212 (e.g., of cached policies previously obtained at 306 during other iterations of process 300). If an applicable policy is present in database 212, such a policy can be obtained at 306 as appropriate. As will be described in more detail below, the policy obtained at 306 can also be computed, such as by combining a policy received from nameserver 124 with default policy 210 to form a resultant policy. Also as will be explained in more detail below, different TLDs appearing in the browser's higher trust TLD list can have policies of varying stringency associated with them, respectively.
At 308, a determination is made as to whether connection information is consistent with the policy obtained at 306. As one example, the policy obtained at 306 can require that responses to DNS queries for domains under the “.secure” TLD be signed using DNSSEC. When Alice's browser 104 attempts to connect to www.acmebank.secure, policy engine 208 can determine whether the DNS resolution process makes use of the appropriate signatures. Requirements for other aspects of the connection can also be specified in the policy, as explained in more detail below in the section titled “Domain Policy Language.”
At 310, content is displayed based on the determination performed at 308. Various examples of such content being displayed are depicted in
Domain Policy Language
Overview
Top level (and second level/sub domains, as applicable) can communicate policies to applications such as applications 104 and 106 using the Domain Policy Framework (DPF). In some embodiments the DPF uses the DNS system to publish policies. As one example, the record itself can be extended to support the inclusion of additional information. As another example, DPF policies (also referred to herein as “records”) can be separately stored in reserved zones under the control of participating TLDs. For a domain of pattern domain.tld, the domain policy would be stored as a TXT record for domain._policy.tld. For the example domain of www.acmebank.secure, the DPF record would thus be stored under www.acmebank._policy.secure. The use of the “_policy” second level domain (or other appropriate domain) allows for the deployment of DPF without ICANN's permission. It also forces TLD registries to use alternate DNS secondaries to publish the _policy zone. TLD registries can also publish a blank policy using only the DPFv entry. This will provide maximum compatibility and allow for DPF records to be published by the incumbent TLDs.
A DPF aware client, such as browser application 104, examines the domains it receives as input (e.g., at 302 in process 300) and looks up the TLD in its table. If the TLD is present in the table, it makes two parallel DNS requests, one for the host (www.acmebank.secure) and one for the policy (www.acmebank._policy.secure). DPF TXT records are cached throughout the DNS system in parallel to their associated host records.
Example Syntax
The following is one example of a syntax for properly formatted DPF records. The example syntax is human readable and can be modified or adapted as applicable. A DPF record contains a list of name value pairs bonded by the ASCII=sign. The pairs are separated by semi-colons with an optional trailing whitespace. As an example:
(1) name1=value1; name2=value2; name3=value3;
In example (1), an optional space is present between the second and third pairs, and the semi-colon is present behind the final pair.
The DPF record begins with a version field:
(2) DPFv=1
The other name value pairs can be in any order, and any tokenizing is insensitive to the order of values.
The characters in the name fields and the separating characters are encoded as 7-bit ASCII. Except for the organization identification field, all of the characters in the value field are also encoded as 7-bit ASCII. Interpretation of all fields is case insensitive, but case sensitivity can be preserved (e.g., for characters in free text fields) in situations where the value is displayed to a user. Names may be of length of up to eight consecutive alphanumeric characters. Values can be of the following four types:
Booleans: Encoded as a 1 for TRUE and 0 for FALSE. No other values are valid in a Boolean.
Integers: A 32-bit unsigned integer value between 0 and 232-1, expressed in BASE10 using ASCII Arabic numerals.
BASE64 Encoded
Free Text Fields: Free text delimited by ASCII double quote characters. A free text field can contain upper-case alphabetical, lower-case alphabetical, and numeric characters. Some special characters are allowed, such as space and underscore.
DPF Entries
A name-value pair for which the value is of either the Boolean or Integer type is also referred to herein as a “DPF entry.” DPF entries correspond to a single security action that can be taken by a DPF client. Boolean TRUE values are more secure than FALSE values. Integer entries increase in value as the expected security benefit increases. In situations where future intermediate values may be necessary, values can be reserved for future use.
A set of DPF entries published by a domain is also referred to herein as a “DPF policy.” DPF versions are iterative, and the meanings of entry names assigned in previous versions are not modified by subsequent versions.
Entries can exist for many types of protocols (e.g., HTTP, SMTP), and such entries can be mixed together in shared policies. Clients are configured to ignore any entries that they do not understand, and continue to implement the entries they do understand. The following are tables of example DPF entries.
Additional examples of content-oriented DPF entries include ones permitting or disallowing the use of iframes, JavaScript, and/or cross-domain includes in web pages rendered by browser 104, and requiring email messages to be rendered in plaintext only by mail client 106.
Base and Resultant Policies
As explained above, in some embodiments DPF policies are delivered via DNS. In situations where the DPF is intentionally blocked by an attacker, the DPF record is modified, and/or where there is an inadvertent failure of DNSSEC, end-users are still able to connect securely to the requested domain through the use of default policy 210. Each domain registry participating in the DPF can publish, out of band, the minimal requirements of their TLD. One example of a default policy 210 is as follows:
(3) DPFv=1; HTLS=12; DNSSEC=2; STLS=1
If browser 104 is not able to receive or validate a DPF record, the browser falls back on the default policy 210 accordingly. If the browser does receive a DPF record (e.g., via a DNS request to www.acmebank._policy.secure), in some embodiments it calculates a resultant policy. One way to determine a resultant policy is through the use of monotonically increasing values in order of security; the larger of the two values is used. As one example:
(4) Base Policy: DPFv=1; HTLS=12; DNSSEC=2; STLS=1;
(5) Received Policy: DPFv=2; HTLS=13; STLS=0;
(6) Resultant Policy: DPFv=2; HTLS=13; DNSSEC=2; STLS=1;
In some embodiments, resultant policies are cached in database policy database 212.
TLD Redirection
HTTP Strict Transport Security (HSTS) can be used by websites to signal to user-agents their desire to only be accessed using HTTPS. In some embodiments, HSTS is extended to perform an additional function: to allow for permanent redirects from one TLD (e.g., “.com”) to another (e.g., “.secure”).
At 604, the browser connects to www.acmebank.com using plaintext HTTP. The response from www.acmebank.com contains an instant 301 Redirect to https://www.acmebank.com, to which the browser connects at 606. The response from https://www.acmebank.com contains a 301 Redirect to https://www.acmebank.secure as well as the following HTTP header:
(7) Strict-Transport-Security: max-age=15768000; includeSubDomains; newTLD=secure;
At 608, the browser connects to www.acmebank.secure, and, at 610 caches the redirect in a local HSTS database. The next time Alice types “www.acmebank.com” into her address bar, browser 104 will automatically rewrite it as https://www.acmebank.secure and connect directly.
Process 700 begins at 702 when a domain is received as input (e.g., “www.acmebank.com”). At 704 a determination is made as to whether or not the TLD (e.g., “.com”) is in the browser's list of higher trust TLDs. Suppose that “.com” is not. At 706, a determination is made as to whether the domain is in the browser's HSTS cache. If not, at 708, an HTTP request is performed using the received domain. A determination (710) is made as to whether the response includes a redirect/HSTS. If it does not, traditional browser behavior is resumed (712). If the response does include a redirect/HSTS, the domain is added to the HSTS cache (714). If the domain is already in the HSTS cache, the received domain is rewritten at 716 (e.g., as “www.acmebank.secure”).
At 718, a DNS request is performed for a DPF policy. As explained above, one way the request can be performed is by making a request for the TXT record stored at www.acmebank._policy.secure. At 720, a determination is made as to whether a DPF record is received. If a DPF record is not received, a determination is made (722) as to whether the domain policy is available locally (e.g., in policy database 212 or as a default policy 210). If the policy is locally available, or if a DPF record is received but is not properly signed (724), the default policy is used to set a TLS context (726). In some embodiments, if the DPF record is received but not properly signed, browser 104 is configured to perform a local resolve through the root zone.
If a DPF record is received, and is properly signed, a resultant policy is calculated at 728. Finally, at 730, a connection is established using the DPF policy.
Using Domain Policies in Email Delivery
In some embodiments, each of components 208-212 is included within the spam processing engine by the vendor of the engine. In other embodiments, elements such as policy engine 808 are provided by one or more third parties (e.g., as a plugin or extension). Whenever system 802 is described as performing a task, either a single component or a subset of components or all components of system 802 may cooperate to perform the task. Similarly, whenever a component of system 802 is described as performing a task, a subcomponent may perform the task and/or the component may perform the task in conjunction with other components.
Process 900 begins at 902 when an email is received. As one example, suppose ACME Bank would legitimately like Alice to log into her bank account (e.g., to review a change in its privacy policies or to obtain tax documents). An administrator at ACME Bank (or an automated process) addresses an email to alice@webmail.com and causes the message to be sent. The message 816 is received by system 802 at 902.
At 904, a determination is made that the domain of the sender is associated with a particular TLD. As one example, a determination is made that “mx.acmebank.secure” (812) is associated with the TLD, “.secure,” which appears in the list of higher trust TLDs stored by system 802.
At 906, a policy is obtained. As one example, the policy is obtained from a nameserver, such as nameserver 814. In particular, system 802 sends a DNS request for acmebank._policy.secure and receives back a TXT record. A single record for acmebank._policy.secure can be used to specify policies applicable to both connections made to website 128 and the treatment of email messages sent by server 818. As explained above, clients (e.g., browser 104 and, in this example, system 102) can be configured to ignore any entries in the policy that they do not understand, and implement the entries that they do understand. Thus, if the acmebank._policy.secure policy includes a DKIM entry, browser 104 can ignore it. Similarly, if the acmebank._policy.secure policy includes an entry applicable to FTP (e.g., requiring the use of SSL for FTP), system 802 can ignore that entry. As with browser 104, system 802 can also make use of a default policy 810, policy database 812, and the calculation of resultant policies (described above) in obtaining policies at 906.
At 908, a determination is made as to whether delivery of the message is consistent with the policy obtained at 906. As one example, the policy obtained at 906 can require that sever 818 make use of STARTTLS and that version 1.3 of TLS be used. If server 818 does not comply with the policy, the reason may be that server 818 is misconfigured. Server 818 may also not comply with the policy because, instead of being owned and maintained by ACME Bank, the server may be owned/operated by an imposter.
Finally, at 910, the message is selectively delivered based on the determination made at 908. As one example, if the transmission of the message complies with the policy requirements (e.g., regarding STARTTLS or DKIM), the message is delivered to Alice's inbox at 910. As explained above, some of the policy entries can be content-specific. So, for example, a policy entry could require that email messages be delivered in plaintext or that messages not contain any URLs. A policy entry could also require that any messages sent by server 818 be signed, encrypted, etc. If the policy is not satisfied, the message is not delivered to Alice. In some embodiments, the message is silently removed. A warning message or other notification can also be delivered to Alice in lieu of the message, as applicable, informing Alice that the message did not comply with the policy and letting her know the reason. As will be described in more detail below, additional processing can also be performed on the message prior to delivery, such as traditional antispam analysis.
Process 1000 begins at 1002 when an email message is received (e.g., a message to alice@webmail.com sent by server 818). At 1004 a determination is made as to whether or not the TLD (e.g., “.secure”) is in the system's list of higher trust TLDs. If not, the message is delivered at 1006 (or traditional processing is performed prior to possible delivery).
Since “.secure” is in the list of higher trust TLDs, at 1008 a policy is requested (e.g., a DNS request for acmebank._policy.secure is sent by system 102). At 1010, the response is examined to see if it is DNSSEC signed. If the response is not appropriately signed, the local default policy 810 is used (1012). Other actions can also be taken in response to determining that the response is not DNSSEC signed, such as by system 102 performing a local resolve through the root zone. If the response is appropriately signed (1014), the policy will be used (or, a resultant policy is computed using the received policy and the default policy).
At 1016, the message is evaluated using both traditional antispam analysis, and also for compliance with the selected DPF policy. Policy engine 808 and any additional analyzers/engines can run in parallel or in series in determining whether the message “passes” all requirements for delivery (1018). If the message satisfies all requirements for delivery (e.g., its delivery does not violate the policy) the message is delivered at 1020. Otherwise (1022), the message is rejected.
In some embodiments, an indication that the message was sent by a domain associated with a higher trust TLD, that the message complied with a DPF record, etc. is presented to the user when the user accesses the message. For example, the “.secure” portion of the sender's email address (e.g., admin@acmebank.secure) can be rendered by webmail application 804 in bold. As another example, the legal name of the sender (“ACME Bank Inc.”) can be substituted for the domain portion of the email address when rendered by webmail application 804 to Alice. As yet another example, a lock symbol can be presented to the user in an inbox view; messages which have been verified can be bolded in an inbox view; etc.
Although the foregoing embodiments have been described in some detail for purposes of clarity of understanding, the invention is not limited to the details provided. There are many alternative ways of implementing the invention. The disclosed embodiments are illustrative and not restrictive.
| Number | Name | Date | Kind |
|---|---|---|---|
| 7451488 | Cooper et al. | Nov 2008 | B2 |
| 7467203 | Kang et al. | Dec 2008 | B2 |
| 7499865 | Aggarwal et al. | Mar 2009 | B2 |
| 7792994 | Hernacki | Sep 2010 | B1 |
| 7849502 | Bloch et al. | Dec 2010 | B1 |
| 7849507 | Bloch et al. | Dec 2010 | B1 |
| 7984163 | Almog | Jul 2011 | B2 |
| 8261351 | Thornwell et al. | Sep 2012 | B1 |
| 8347100 | Thornewell et al. | Jan 2013 | B1 |
| 8484694 | Diebler et al. | Jul 2013 | B2 |
| 20010052007 | Shigezumi | Dec 2001 | A1 |
| 20040006706 | Erlingsson | Jan 2004 | A1 |
| 20040030784 | Abdulhayoglu | Feb 2004 | A1 |
| 20040098485 | Larson et al. | May 2004 | A1 |
| 20040158720 | O'Brien | Aug 2004 | A1 |
| 20040193703 | Loewy et al. | Sep 2004 | A1 |
| 20050015626 | Chasin | Jan 2005 | A1 |
| 20050273841 | Freund | Dec 2005 | A1 |
| 20060021031 | Leahy et al. | Jan 2006 | A1 |
| 20060021050 | Cook et al. | Jan 2006 | A1 |
| 20060041938 | Ali | Feb 2006 | A1 |
| 20060047798 | Feinleib et al. | Mar 2006 | A1 |
| 20060167871 | Sorenson et al. | Jul 2006 | A1 |
| 20060230380 | Holmes et al. | Oct 2006 | A1 |
| 20070204040 | Cox | Aug 2007 | A1 |
| 20070214283 | Metke et al. | Sep 2007 | A1 |
| 20070214503 | Shulman et al. | Sep 2007 | A1 |
| 20080059628 | Parkinson | Mar 2008 | A1 |
| 20080140441 | Warner | Jun 2008 | A1 |
| 20080147837 | Klein et al. | Jun 2008 | A1 |
| 20080222694 | Nakae | Sep 2008 | A1 |
| 20090037976 | Teo et al. | Feb 2009 | A1 |
| 20090055929 | Lee et al. | Feb 2009 | A1 |
| 20090164582 | Dasgupta et al. | Jun 2009 | A1 |
| 20100049985 | Levow et al. | Feb 2010 | A1 |
| 20100094981 | Cordray et al. | Apr 2010 | A1 |
| 20100100957 | Graham et al. | Apr 2010 | A1 |
| 20100125895 | Shull et al. | May 2010 | A1 |
| 20100131646 | Drako | May 2010 | A1 |
| 20100191847 | Raleigh | Jul 2010 | A1 |
| 20110010426 | Lalonde et al. | Jan 2011 | A1 |
| 20110167474 | Sinha et al. | Jul 2011 | A1 |
| 20110182291 | Li et al. | Jul 2011 | A1 |
| 20110247073 | Surasathian | Oct 2011 | A1 |
| 20110258237 | Thomas | Oct 2011 | A1 |
| 20110276804 | Anzai et al. | Nov 2011 | A1 |
| 20110314152 | Loder | Dec 2011 | A1 |
| 20120131164 | Bryan et al. | May 2012 | A1 |
| 20120203904 | Niemela et al. | Aug 2012 | A1 |
| 20120303808 | Xie | Nov 2012 | A1 |
| 20130007540 | Angelsmark et al. | Jan 2013 | A1 |
| 20130097699 | Balupari et al. | Apr 2013 | A1 |
| 20130239209 | Young et al. | Sep 2013 | A1 |
| 20130276053 | Hugard et al. | Oct 2013 | A1 |
