Birth of a Security Feature: ClickJacking Defense

Posted by vasudev on February 3 2009, 10:41 AM. Posted in Internet Explorer.

 

Kymberlee Price, Security Program Manager for IE8 posts about Clickjacking feature in IE8 RC1

..........Frame-breaking Javascript is often presented as an anti-ClickJack mechanism, but it is a flawed solution as there are methods to circumvent frame-breaking Javascript. And fundamentally frame breakers were never meant to be ClickJacking mitigations. If you don’t design something to prevent a security vulnerability, odds are that it doesn’t do a very good job of doing it accidentally.

Browser configuration options are limited.Short of using Security Zones or add-ons to disable frames and script (massively impairing browser utility), browser users are very vulnerable to this type of attack.

So we found ourselves in a situation where IE didn't have a workable mitigation for end-users to protect themselves, and we knew of ways to circumvent virtually everything that a server could try to do to prevent ClickJacking without additional help from the browser platform.  The “unbeatable” mechanisms would require extensive changes to web application code and it would be difficult to get such recommendations taken seriously. 

It was time to look at developing a new solution. David Ross prototyped a tool that on cursor hover would delay the user's ability to click through for 5 seconds while showing the user what site/domain they were ACTUALLY about to click on. While this would certainly let the user make an informed decision before clicking, it would also create a significant user impact to web browsing. ClickJacking is actually a fairly narrow attack that represents a subset of the significantly larger cross-site-request-forgery problem.  If a website doesn’t protect itself from CSRF threats, attackers need not bother with ClickJacking at all. Given the nature of the threat, creating a defense mechanism that puts a heavy burden on the browsing experience for users is unacceptable.

Ultimately, we concluded that the best ClickJacking defense feature we could add to IE8 during product development would be to allow the content owner to decide if their content should be framed or not, and for the browser to enforce that. This solution was also proposed by Michael Zalewski on the WHATWG forum.........................Full Story At Source