
web-key: Mashing with Permission

Explore the highlights and examples from the paper "Security vs. the Web" and join an open discussion on adding security properties to the Web without compromising its functionality. Topics include global identification, resource sharing, orthogonality, and more.





Presentation Transcript


  1. web-key: Mashing with Permission
     http://waterken.sf.net/web-key/
     Highlights and examples from the paper, and an open discussion

  2. Security vs. the Web
     • Casualties of the username/password:
       • Global identification
         • Sharing a resource by passing a URL
       • Orthogonality
         • Hypertext can refer to a resource by URL only
       • Global scope
         • A URL means the same thing everywhere
     • Got us the Same Origin Policy

  3. Security vs. the Web
     • … and often doesn’t actually result in the security we wanted
       • Loss of global identification
         • User revolt to “something you know”
       • Loss of orthogonality
         • Pervasive prompting => phishing
       • Loss of global scope
         • XSRF: this global identifier means something different when you use it
     • My Access Control List doesn’t control access?

  4. The Web with security
     • What security properties can we add to the Web without breaking it, and would they be useful in real applications?
     • A URL is a lot like a reference.
     • Capability-security gets its security from enforcing the properties of references.
     • Check the protocols and clients to see if it’s a good fit.

  5. The Web as capability system
     • Referer header almost makes the Web a dynamically scoped language
     • Some referential integrity from HTTPS
     • Windowing API in the browser is hysterical
       • Survivable, but does require some care
     • Address bar shows reference bits
       • Can mitigate or ignore if no one’s looking

  6. https://yurl.net/-/#kzqxsxbub4742a
     • Global Id, Orthogonality, Global Scope
     • Global id = Just click
     • Orthogonality = No prompting
     • Global scope = no XSRF
     • Global scope = no need for Same Origin
     • Global id = fine grained access for mashup
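An added example (not code from the web-key paper or the Waterken project) of the property slides 5 and 6 rely on: the unguessable part of a web-key sits in the URL fragment, which a browser never puts on the wire or in the Referer header, so only script that explicitly copies it into a request can exercise the authority. The registry, the function names and the 128-bit token length are assumptions for illustration.

```python
import hmac
import secrets
from typing import Dict, Optional
from urllib.parse import urlsplit, urlunsplit

# Hypothetical server-side registry: unguessable key -> resource it designates.
CAPABILITY_TABLE: Dict[str, str] = {}


def mint_web_key(base: str, resource_id: str) -> str:
    """Issue a web-key URL for resource_id; the key itself is the only credential."""
    parts = urlsplit(base)
    if parts.scheme != "https":
        # Referential integrity of the key depends on TLS (slide 5).
        raise ValueError("web-keys must be issued over https")
    key = secrets.token_urlsafe(16)  # 128 bits of entropy; assumed size
    CAPABILITY_TABLE[key] = resource_id
    # Key goes in the fragment, never in path or query.
    return urlunsplit((parts.scheme, parts.netloc, parts.path or "/-/", "", key))


def key_from_url(url: str) -> str:
    """Client-side step: script reads the fragment and forwards it deliberately."""
    return urlsplit(url).fragment


def resolve(key: str) -> Optional[str]:
    """Server-side lookup; constant-time compare so partial matches leak no timing."""
    wanted = key.encode("utf-8")
    for candidate, resource in CAPABILITY_TABLE.items():
        if hmac.compare_digest(candidate.encode("utf-8"), wanted):
            return resource
    return None


def referer_for(url: str) -> str:
    """What a conforming client sends as Referer: no fragment, hence no key."""
    parts = urlsplit(url)
    return urlunsplit((parts.scheme, parts.netloc, parts.path, parts.query, ""))
```

Because the browser never attaches the fragment on its own, a cross-site request carries no ambient authority; that is the "Global scope = no XSRF" point on slide 6.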
