CSCE 201 Web Browser Security, Fall 2010
Web Evolution
• Past: Human usage
  • HTTP
  • Static Web pages (HTML)
• Current: Human and some automated usage
  • Interactive Web pages
  • Web Services (WSDL, SOAP, SAML)
  • Semantic Web (RDF, OWL, RuleML, Web databases)
  • XML technology (data exchange, data representation)
• Future: Semantic Web Services
Are the existing security mechanisms sufficient to provide data and application security for the next-generation Web?
Security research topics (word cloud): Fraud, Information hiding, Privacy, Negotiation, Protocol analysis, Access control, Applications, Data provenance, Biometrics, Semantic Web security, Security, Trust, Data mining, Encryption, Computer epidemic, Anonymity, Policy making, Formal models, Inference control, Information assurance
Internet Attacks
• Downloaded browser code
• Privacy attacks
• Web site attacks during surfing
• Email
Downloaded browser code (diagram): the Web server sends an HTML document with embedded JavaScript across the Internet; the user's computer downloads the document and runs the JavaScript. Downloadable code types: JavaScript, Java, ActiveX.
JavaScript
• Not for standalone applications; resides inside HTML documents
• Interpreted into machine-understandable code
• Can be downloaded automatically
• Cannot read, write, create, delete, or list files
• Has no general networking capabilities
• Can: capture and send user information
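The last bullet is the security-relevant one: a page script cannot touch the user's files, but it can collect what the user types or clicks and send it to a server the page author chose, so a defender's control is to restrict where a page's scripts may come from and where they may send data. Browsers enforce this through the Content-Security-Policy header. The following is an added example, not part of the original slides, of a simplified CSP source matcher that shows how a policy decides whether a script load or a data connection is allowed. The policy string, page URL and target URLs are constructed for the example; it handles 'self', 'none', scheme sources, host sources with wildcard subdomains and ports, and the fallback to default-src, and it deliberately omits nonces, hashes and the http-to-https upgrade rule of the real specification.

```python
from urllib.parse import urlsplit

DEFAULT_PORT = {"http": 80, "https": 443}


def _origin(url):
    """Return (scheme, host, port) with the port normalised to the scheme default."""
    u = urlsplit(url)
    return (u.scheme.lower(), (u.hostname or "").lower(),
            u.port or DEFAULT_PORT.get(u.scheme.lower()))


def _host_matches(pattern, host):
    """Host-source matching: exact host, or '*.example.com' for any subdomain."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        suffix = pattern[1:]          # ".example.com"
        return host.endswith(suffix) and len(host) > len(suffix)
    return pattern == host


def source_allows(expr, target, page):
    """Does one CSP source expression allow `target` to be loaded/contacted from `page`?"""
    t_scheme, t_host, t_port = _origin(target)
    if expr == "'none'":
        return False
    if expr == "'self'":
        return _origin(target) == _origin(page)
    if expr.endswith(":"):            # scheme-source, e.g. "https:"
        return t_scheme == expr[:-1].lower()
    if "://" in expr:                 # host-source with explicit scheme
        scheme, rest = expr.split("://", 1)
        if t_scheme != scheme.lower():
            return False
    else:
        rest = expr
    host, _, port = rest.partition(":")
    if not _host_matches(host, t_host):
        return False
    if port and port != "*" and str(t_port) != port:
        return False
    return True


def parse_policy(policy):
    """Parse 'dir src src; dir src' into {directive: [sources]}."""
    directives = {}
    for chunk in policy.split(";"):
        tokens = chunk.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def policy_allows(policy, directive, target, page):
    """Check a fetch directive, falling back to default-src; no policy at all means unrestricted."""
    directives = parse_policy(policy)
    sources = directives.get(directive, directives.get("default-src"))
    if sources is None:
        return True
    return any(source_allows(s, target, page) for s in sources)


# Constructed example: the page restricts scripts and XHR/fetch to itself plus one API host,
# but leaves img-src wide open, which still lets a script leak data through an image request.
PAGE = "https://www.example.com/account"
POLICY = "default-src 'self'; connect-src 'self' https://api.example.com; img-src *"


def audit_policy(policy=POLICY, page=PAGE):
    """Return (directive, target, allowed) for a few constructed requests a page script might make."""
    checks = [
        ("script-src", "https://www.example.com/app.js"),
        ("script-src", "https://cdn.example.net/tracker.js"),
        ("connect-src", "https://api.example.com/save"),
        ("connect-src", "https://collector.example.net/keys"),
        ("img-src", "https://collector.example.net/beacon.gif"),
    ]
    return [(d, t, policy_allows(policy, d, t, page)) for d, t in checks]
```

In the audit, the fourth request is blocked because connect-src lists only the site itself and its API, but the fifth is allowed by `img-src *`: a script can still smuggle captured data out in the query string of an image URL. Tightening img-src to `'self'` closes that path, which is the kind of review a defender performs when writing the policy.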
Java
• Complete programming language; standalone applications
• Java applets: downloaded with HTML
• Can perform processing
• May harm the computer
• Defense: sandbox
• Signed vs. unsigned Java applets
ActiveX
• Rules defining how applications under the Windows OS should share information
• ActiveX controls (add-ons):
  • Specific ways of implementing ActiveX
  • Can be activated through scripting languages or by HTML commands
  • Can perform functions similar to Java applets but directly access the OS
  • Signed vs. unsigned
Privacy Attacks
• Cookies: let a Web site track whether a user has previously visited the site
  • User-specific information, stored on the user's computer
  • First-party cookie vs. third-party cookie
  • Can reveal an individual's browsing habits
• Adware: delivers unsolicited advertising content
• Pop-up windows
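The first-party versus third-party distinction is decided by who set the cookie relative to the page the user is viewing, and the cookie's attributes decide how far it can travel. The following is an added example, not part of the original slides, of a small auditor that parses Set-Cookie headers from the responses a page triggered, labels each cookie first- or third-party, and flags the attribute weaknesses a browser-security review looks for (missing Secure, HttpOnly or SameSite, and the SameSite=None-without-Secure combination that modern browsers reject). The page URL, response URLs and headers are constructed; the "registrable domain" helper is a deliberate simplification that takes the last two labels of a host instead of consulting the public suffix list.

```python
from urllib.parse import urlsplit


def parse_set_cookie(header):
    """Split 'name=value; Attr; Attr=val' into (name, value, {attr_lower: val})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def registrable_domain(host):
    """Simplified 'site' of a host: its last two labels (assumption; real code uses the PSL)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def classify_cookie(page_host, response_host, header):
    """Label a cookie first/third-party and list attribute weaknesses."""
    name, _value, attrs = parse_set_cookie(header)
    party = ("first-party" if registrable_domain(response_host) == registrable_domain(page_host)
             else "third-party")
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure")           # cookie would also be sent over plain HTTP
    if "httponly" not in attrs:
        findings.append("missing HttpOnly")         # readable by page scripts (document.cookie)
    samesite = attrs.get("samesite", "").lower()
    if not samesite:
        findings.append("missing SameSite")         # browser default applies; be explicit
    elif samesite == "none" and "secure" not in attrs:
        findings.append("SameSite=None requires Secure")
    domain = attrs.get("domain", "").lstrip(".")
    if domain and registrable_domain(domain) != registrable_domain(response_host):
        findings.append("Domain attribute outside the setter's site")   # browsers reject this
    return {"name": name, "party": party, "findings": findings}


def audit_cookies(page_url, responses):
    """responses: list of (response_url, set_cookie_header) captured while loading page_url."""
    page_host = urlsplit(page_url).hostname or ""
    return [classify_cookie(page_host, urlsplit(url).hostname or "", hdr)
            for url, hdr in responses]


# Constructed capture: one session cookie from the shop itself, one from an embedded ad server.
PAGE_URL = "https://shop.example.com/cart"
CAPTURED = [
    ("https://shop.example.com/cart",
     "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("https://ads.tracker.example/pixel.gif",
     "uid=42; Domain=.tracker.example; Path=/; SameSite=None"),
]


def audit_example():
    return audit_cookies(PAGE_URL, CAPTURED)
```

Run on the constructed capture, the shop's session cookie comes back first-party with no findings, while the ad server's cookie is third-party, lacks Secure and HttpOnly, and combines SameSite=None with no Secure flag, which is exactly the tracking cookie a "restrict cookies" browser setting is meant to drop.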
Attacks while surfing
• Safe surfing? Passive surfing?
• Redirecting Web traffic:
  • Typing mistakes
  • Attacker: registering "wrong" URLs
• Drive-by downloads
  • Use scripting to download malicious content
  • Spreading at an alarming rate
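Traffic redirection through typing mistakes works because a one-character slip lands on a host the attacker registered rather than on the site the user meant. A browser-side or proxy-side defense is to compare the host the user is about to visit against a list of sites the organisation trusts and warn when it is a near miss. The following is an added example, not part of the original slides, of such a lookalike check: it uses the optimal-string-alignment (Damerau-Levenshtein) distance so that an omitted, inserted, substituted or transposed character all count as one edit. The trusted-domain list and the tested URLs are constructed for the example.

```python
from urllib.parse import urlsplit


def osa_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute or swap adjacent chars."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # deletion
                          d[i][j - 1] + 1,          # insertion
                          d[i - 1][j - 1] + cost)   # substitution / match
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)   # transposition
    return d[len(a)][len(b)]


# Constructed allowlist of sites users of this browser/proxy are expected to visit.
TRUSTED = ["example.com", "mybank.example"]


def normalise_host(url):
    """Extract the host, lower-case it and drop a leading 'www.' so typos are compared fairly."""
    if "://" not in url:
        url = "http://" + url            # urlsplit needs a scheme to see the host
    host = (urlsplit(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def check_host(url, trusted=TRUSTED, max_distance=1):
    """Classify a URL's host as trusted, a lookalike of a trusted host, or unknown."""
    host = normalise_host(url)
    if host in trusted:
        return {"host": host, "verdict": "trusted"}
    for site in trusted:
        distance = osa_distance(host, site)
        if distance <= max_distance:
            return {"host": host, "verdict": "lookalike", "of": site, "distance": distance}
    return {"host": host, "verdict": "unknown"}


def check_many(urls=("https://www.example.com/login",
                     "http://exmaple.com/login",        # transposed letters
                     "https://examp1e.com/",            # digit for letter
                     "https://mybank-example.com/",     # different site, not a one-edit slip
                     "https://docs.python.org/3/")):
    """Verdicts for a few constructed URLs a user might type."""
    return [check_host(u)["verdict"] for u in urls]
```

A "lookalike" verdict is a good point to interpose a warning page rather than to block outright, since the same distance threshold will also catch legitimate sister domains; the threshold and the allowlist are the two knobs a defender tunes.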
Internet Defenses
• Pop-up blocker
• Browser settings, e.g., in the IE Web browser:
  • Advanced security settings
  • Security zones
  • Restricting cookies