DOI: 10.1145/3011883.3011890
research-article

Content-based security for the web

Published: 26 September 2016

ABSTRACT

The World Wide Web has become the most common platform for building applications and delivering content. Yet despite years of research, the web continues to face severe security challenges related to data integrity and confidentiality. Rather than continuing the exploit-and-patch cycle, we propose addressing these challenges at an architectural level, by supplementing the web's existing connection-based and server-based security models with a new approach: content-based security. With this approach, content is directly signed and encrypted at rest, enabling it to be delivered via any path and then validated by the browser. We explore how this new architectural approach can be applied to the web and analyze its security benefits. We then discuss a broad research agenda to realize this vision and the challenges that must be overcome.


Published in

NSPW '16: Proceedings of the 2016 New Security Paradigms Workshop
September 2016
113 pages
ISBN: 9781450348133
DOI: 10.1145/3011883

Copyright © 2016 ACM


Publisher: Association for Computing Machinery, New York, NY, United States


Acceptance Rates

Overall Acceptance Rate: 62 of 170 submissions, 36%
