ABSTRACT
The World Wide Web has become the most common platform for building applications and delivering content. Yet despite years of research, the web continues to face severe security challenges related to data integrity and confidentiality. Rather than continuing the exploit-and-patch cycle, we propose addressing these challenges at an architectural level, by supplementing the web's existing connection-based and server-based security models with a new approach: content-based security. With this approach, content is directly signed and encrypted at rest, enabling it to be delivered via any path and then validated by the browser. We explore how this new architectural approach can be applied to the web and analyze its security benefits. We then discuss a broad research agenda to realize this vision and the challenges that must be overcome.
Index Terms
- Content-based security for the web