securing web content
play

Securing Web Content Joakim Koskela, Nicholas Weaver, Andrei Gurtov - PowerPoint PPT Presentation

Sep 06, 2022 •151 likes •464 views

Securing Web Content Joakim Koskela, Nicholas Weaver, Andrei Gurtov and Mark Allman ReArch'09 Rome, December 1 s t 2009 2009-12-01 2009-12-01 How do we protect the user without dwarfing the web experience? Nature of the web has changed

  1. Securing Web Content Joakim Koskela, Nicholas Weaver, Andrei Gurtov and Mark Allman ReArch'09 Rome, December 1 s t 2009

  2. 2009-12-01

  3. 2009-12-01

  4. How do we protect the user without dwarfing the web experience? • Nature of the web has changed • Simple hyperlinked documents -> complex collages – Mashups, cross-site delegation, Flash, JavaScript.. • Single producer -> collection of providers • Security model outdated 2009-12-01

  5. Securing content • Add accountability to individual content components • Handled according to the preferences and experiences of the user – Opportunistic Personas – History with an actor, the trackrecord 2009-12-01

  6. Securing the page structure • Sign the page with the site's key – Integrity (as in SSL) • Sets the general attitude – Browser caches, pre-filled input fields – Detect phishing attempts 2009-12-01

  7. Content components • Add signature to HTML content blocks – <div>s – Signature and key as attributes • Different strategies – Sign tag contents as-is – Decorate the tag interiors • Fill child elements with data from a signed block 2009-12-01

  8. Decoration example ● op_* attributes identifies the div <div id="sdiv5" class="entry" op_data="header=Hi&message=Testing+123" op_signature="OyjONQTCAR6Mv/sBjRaF.." op_key="LS0tLS1CRUdJTiBQVUJMSUMgS0.."> <div>Posted 11:43:51</div> <div id="sdiv5_header"></div> <div id="sdiv5_message"></div> </div> 2009-12-01

  9. Decoration example ● op_* attributes identifies the div ● <div> s id is prefixed to the id of child elements <div id="sdiv5" class="entry" op_data="header=Hi&message=Testing+123" op_signature="OyjONQTCAR6Mv/sBjRaF.." op_key="LS0tLS1CRUdJTiBQVUJMSUMgS0.."> <div>Posted 11:43:51</div> <div id="sdiv5_header"></div> <div id="sdiv5_message"></div> </div> 2009-12-01

  10. Decoration example ● op_* attributes identifies the div ● <div> s id is prefixed to the id of child elements ● op_key and op_signature contain author's key & signature <div id="sdiv5" class="entry" op_data="header=Hi&message=Testing+123" op_signature="OyjONQTCAR6Mv/sBjRaF.." op_key="LS0tLS1CRUdJTiBQVUJMSUMgS0.."> <div>Posted 11:43:51</div> <div id="sdiv5_header"></div> <div id="sdiv5_message"></div> </div> 2009-12-01

  11. Decoration example ● op_* attributes identifies the div ● <div> s id is prefixed to the id of child elements ● op_key and op_signature contain author's key & signature ● op_data is the signed key-value data <div id="sdiv5" class="entry" op_data="header=Hi&message=Testing+123" op_signature="OyjONQTCAR6Mv/sBjRaF.." op_key="LS0tLS1CRUdJTiBQVUJMSUMgS0.."> <div>Posted 11:43:51</div> <div id="sdiv5_header"></div> <div id="sdiv5_message"></div> </div> 2009-12-01

  12. Decoration example ● op_* attributes identifies the div ● <div> s id is prefixed to the id of child elements ● op_key and op_signature contain author's key & signature ● op_data is the signed key-value data ● Data is inserted into child elements, matching value keys with element ids <div id="sdiv5" class="entry" op_data="header=Hi&message=Testing+123" op_signature="OyjONQTCAR6Mv/sBjRaF.." op_key="LS0tLS1CRUdJTiBQVUJMSUMgS0.."> <div>Posted 11:43:51</div> <div id="sdiv5_header"></div> <div id="sdiv5" class="entry" <div id="sdiv5_message"></div> op_status="trusted"> </div> <div>Posted 11:43:51</div> <div id="sdiv5_header">Hi</div> <div id="sdiv5_message">Testing 123</div> 2009-12-01 </div>

  13. External content • External content can be included by signature in tag attributes – <img> <link> <video> etc. 2009-12-01

  14. Partnerships • Partners delivering dynamic content –Advertizers, CDNs, search bars • A method for indicating partnerships –Trust is not transitive –An indication to expect something • Include partner key in tag attributes 2009-12-01

  15. Trust and security policies • Framework: the opportunistic personas – Track record, Peer review, Web-of-Trust, Trust Databases • Knowledge of actors – What do we know about someone? – How do we know that? – How well? • Policies – Accept, ignore, sanitize, sandbox 2009-12-01

  16. Prototype • FireFox plugin, persona (key-) daemon and server library • Experimented with a subset – Page signatures – <div> tag signatures and decoration – External content – Signing content submissions (POSTs) • Server-side required only a user-space library • Persona daemon provided the track record – Recorded keys from web, e-mail, P2P IM and VoIP – Provided statements about actors • “You trust this person, knowing him well (through browsing and e-mails)” • Simple security policies 2009-12-01

  17. Conclusions • The way the web is composed today provides plenty of opportunities for malicious activity • Our model points out the content that sites will not vouch for 2009-12-01

  18. Thank you for your attention! joakim.koskela@hiit.fi http://www.hiit.fi/netwr http://www.icsi.berkeley.edu 2009-12-01

  19. 2009-12-01

  20. Four parts • Securing the page structure • Content components • External content • Partnerships 2009-12-01

  21. 2009-12-01

  22. 2009-12-01

  23. 2009-12-01

  24. 2009-12-01

  25. 2009-12-01

  26. 2009-12-01

  27. 2009-12-01

  28. 2009-12-01

  29. 2009-12-01

  30. 2009-12-01

Recommend

SANS Securing The Human Training Department of Safety Securing the Human Training Web

SANS Securing The Human Training Department of Safety Securing the Human Training Web

SANS Securing The Human Training Department of Safety Securing the Human Training Web based Centrally Administrated Divisionally managed Consistent content Central reporting Ability to add custom content (Policy's)

761 views • 10 slides
Securing Content Sharing over ICN Nikos Fotiou, George C. Polyzos fotiou@aueb.gr,

Securing Content Sharing over ICN Nikos Fotiou, George C. Polyzos fotiou@aueb.gr,

Securing Content Sharing over ICN Nikos Fotiou, George C. Polyzos fotiou@aueb.gr, polyzos@acm.org Mobile Multimedia Laboratory, Department of Informatics School of Information Sciences and Technology Athens University of Economics and Business

776 views • 45 slides
Proof of Novelty A distributed consensus mechanism for securing content novelty Daniel Severo

Proof of Novelty A distributed consensus mechanism for securing content novelty Daniel Severo

Motivation Trustworthiness Proof of Novelty Take-away points Open Questions and Future Work Proof of Novelty A distributed consensus mechanism for securing content novelty Daniel Severo Independent Scientist Virtual Design Challenge The

720 views • 36 slides
IoT Security Image: xkcd How is securing IoT different from securing any other system? IoT

IoT Security Image: xkcd How is securing IoT different from securing any other system? IoT

IoT Security Image: xkcd How is securing IoT different from securing any other system? IoT is a system of systems, with A great deal of heterogeneity (sensing, computation, communication, energy) New types of devices appearing all

1.35k views • 65 slides
Securing The Web Browser Keeping the Phish in the Sea What is Wrong With This? Where to Begin?

Securing The Web Browser Keeping the Phish in the Sea What is Wrong With This? Where to Begin?

Securing The Web Browser Keeping the Phish in the Sea What is Wrong With This? Where to Begin? Security indicator only in the content region Notice that it is used for personal data that should be secure No access to the location or

933 views • 21 slides
Building&amp;Hacking modern iOS apps Wojciech Regua @_r3ggi wojciech.regula@securing.pl

Building&amp;Hacking modern iOS apps Wojciech Regua @_r3ggi wojciech.regula@securing.pl

www.securing.pl Building&amp;Hacking modern iOS apps Wojciech Regua @_r3ggi wojciech.regula@securing.pl @_r3ggi wojciech.regula@securing.pl www.securing.pl www.securing.pl WHOAMI -Senior IT Security Consultant @ SecuRing -Focused on

998 views • 67 slides
Securing and Protecting Securing and Protecting Water Rights and Uses in Water Rights and Uses

Securing and Protecting Securing and Protecting Water Rights and Uses in Water Rights and Uses

Securing and Protecting Securing and Protecting Water Rights and Uses in Water Rights and Uses in Arizona Arizona L. William Staudenmaier One Arizona Center 400 East Van Buren Street, Suite 1900 Phoenix, Arizona 85004 2202 602.382.6000 |

574 views • 32 slides
Securing a future for our horses. Securing a future for our sport. TABLE OF CONTENTS

Securing a future for our horses. Securing a future for our sport. TABLE OF CONTENTS

Securing a future for our horses. Securing a future for our sport. TABLE OF CONTENTS Industry-United Initiative ............................................ 2 The TAA Difference .................................................... 3 Life After

466 views • 19 slides
Securing Internet Routing Securing Internet Routing $ Local ISP Sharon Goldberg g Princeton

Securing Internet Routing Securing Internet Routing $ Local ISP Sharon Goldberg g Princeton

Jobtalk Securing Internet Routing Securing Internet Routing $ Local ISP Sharon Goldberg g Princeton University Based on work with: Based on work with: Boaz Barak, Shai Halevi, Aaron Jaggard, Vijay Ramachandran, Jennifer Rexford, Eran

1.12k views • 42 slides
Securing Brow ser Frame Navigation and Communication Collin Jackson Joint work with Adam Barth

Securing Brow ser Frame Navigation and Communication Collin Jackson Joint work with Adam Barth

Securing Brow ser Frame Navigation and Communication Collin Jackson Joint work with Adam Barth and John C. Mitchell Why use frames? Modularity src = google.com/ name = awglogin Brings together content from multiple sources

330 views • 19 slides
Securing home Wi-Fi with WPA3 personal Raoul Dijksman and Erik Lamers Securing home Wi-Fi with

Securing home Wi-Fi with WPA3 personal Raoul Dijksman and Erik Lamers Securing home Wi-Fi with

Securing home Wi-Fi with WPA3 personal Raoul Dijksman and Erik Lamers Securing home Wi-Fi with WPA3 personal Making Wi-Fi great again With security this time, right? Securing home Wi-Fi with WPA3 personal - July 3 rd 2020 2 Why is WPA3

853 views • 28 slides
Web Security Thierry Sans Securing the web architecture means securing ... The network

Web Security Thierry Sans Securing the web architecture means securing ... The network

Web Security Thierry Sans Securing the web architecture means securing ... The network The operating system The web server ( Apache for instance) The administration server ( SSH for instance) The database ( Oracle for instance)

1.37k views • 61 slides
SECURING DONATIONS SECURING DONATIONS nonprofit.212mediastudios.com | 574.269.0720 |

SECURING DONATIONS SECURING DONATIONS nonprofit.212mediastudios.com | 574.269.0720 |

NON-PROFIT PRESENTATION TIPS FOR NON-PROFIT PRESENTATION TIPS FOR SECURING DONATIONS SECURING DONATIONS nonprofit.212mediastudios.com | 574.269.0720 | info@212mediastudios.com Having an efgective communication strategy is the fjrst step for your

116 views • 9 slides
Getting Acquainted W ith Zoom Outline Securing Your Computer Your Invitation The

Getting Acquainted W ith Zoom Outline Securing Your Computer Your Invitation The

Getting Acquainted W ith Zoom Outline Securing Your Computer Your Invitation The Waiting Room Working with Audio Working with Video Using the Tool Tray Chat In the Meeting When Things Go Wrong 2 Securing Your

325 views • 14 slides
Welcome Clients of Mariner Wealth Advisors Cybersecurity Education Series Securing Personal Data

Welcome Clients of Mariner Wealth Advisors Cybersecurity Education Series Securing Personal Data

Welcome Clients of Mariner Wealth Advisors Cybersecurity Education Series Securing Personal Data Content provided by Presenter: Ray Cool, CEO PBSI Technology Solutions Webinar will begin at 10:00 Page 1 Series Goals Series Goals

146 views • 13 slides
Securing Home Networks Securing Home Networks protocols protocols A SWN04 A SWN04 K.

Securing Home Networks Securing Home Networks protocols protocols A SWN04 A SWN04 K.

Securing Home Networks Securing Home Networks protocols protocols A SWN04 A SWN04 K. MASMOUDI, K. MASMOUDI, H. AFIFI H. AFIFI Boston, 08/2004 6 th PCRD Integrated Project Goal : provide secure communication

450 views • 22 slides
LOCATION PRIVACY Marc Langheinrich University of Lugano (USI), Switzerland Securing a Mobile

LOCATION PRIVACY Marc Langheinrich University of Lugano (USI), Switzerland Securing a Mobile

LOCATION PRIVACY Marc Langheinrich University of Lugano (USI), Switzerland Securing a Mobile Phone Securing a Mobile Phone Securing a Mobile Phone Securing a Mobile Phone Can We Have it Both Ways? Safe Secure Privacy-friendly

892 views • 62 slides
Securing IoT with a hardware Secure Element Marc Renaudin - Serge Maginot - TIEMPO CONFIDENTIAL

Securing IoT with a hardware Secure Element Marc Renaudin - Serge Maginot - TIEMPO CONFIDENTIAL

Securing IoT with a hardware Secure Element Marc Renaudin - Serge Maginot - TIEMPO CONFIDENTIAL TIEMPO S.A.S. December 3, 2019 1 Outline Connected Objects Securing IoT with a hardware Secure Element Introduction Securing Treats

537 views • 10 slides
Securing RFID with Ultra-wideband Modulation Pengyuan Yu, Patrick Schaumont and Dong Ha

Securing RFID with Ultra-wideband Modulation Pengyuan Yu, Patrick Schaumont and Dong Ha

Securing RFID with Ultra-wideband Modulation Pengyuan Yu, Patrick Schaumont and Dong Ha Presented By: Eric Simpson Summary Traditional Secure Communications Securing the physical layer with UWB TH-PPM RFID digital baseband

386 views • 19 slides
- Securing Santas Sleigh - INET XMAS Presentation 2018 by Timo Hckel - Securing Santas

- Securing Santas Sleigh - INET XMAS Presentation 2018 by Timo Hckel - Securing Santas

- Securing Santas Sleigh - INET XMAS Presentation 2018 by Timo Hckel - Securing Santas Sleigh - INET XMAS Presentation 2018 by Timo Hckel Overview 1. Automotive Networks 2. SecVI Research Project 3. Software-Defined Networking

344 views • 31 slides
WHAT? DAMAGE TO THE CARGO The safe stowage and securing of cargoes depend on proper planning,

WHAT? DAMAGE TO THE CARGO The safe stowage and securing of cargoes depend on proper planning,

WHAT? DAMAGE TO THE CARGO The safe stowage and securing of cargoes depend on proper planning, execution and supervision. Personnel commissioned to tasks of cargo stowage and securing should be properly qualified and experienced. Monday, January

116 views • 7 slides
Securing &amp; Sustaining Mutual Fund Trust Status Tips &amp; Traps Portfolio

Securing &amp; Sustaining Mutual Fund Trust Status Tips &amp; Traps Portfolio

Securing &amp; Sustaining Mutual Fund Trust Status Tips &amp; Traps Portfolio Management Association of Canada Seminar Offices of McMillan LLP Toronto, Ontario September 21, 2011 Part I Securing and Sustaining Mutual Fund

816 views • 42 slides
The Role of Government in Securing the CAV Ecosystem Sevvy Palmer AESIN Security Conference,

The Role of Government in Securing the CAV Ecosystem Sevvy Palmer AESIN Security Conference,

The Role of Government in Securing the CAV Ecosystem Sevvy Palmer AESIN Security Conference, Glasgow, 16 th June 2016 The Role of Government in Securing the CAV Ecosystem 1 CAVs present tremendous opportunities safety efficiency mobility

393 views • 11 slides
Serverless security: attack &amp; defense www.securing.pl #whoami Senior Security Consultant in

Serverless security: attack &amp; defense www.securing.pl #whoami Senior Security Consultant in

www.securing.pl Pawel Rzepa Serverless security: attack &amp; defense www.securing.pl #whoami Senior Security Consultant in - Pentesting - Cloud security assessment Blog: https://medium.com/@rzepsky @Rzepsky

1.1k views • 63 slides

More recommend