1 / 12

CSCE 201 Web Browser Security Fall 2010

CSCE 201 Web Browser Security Fall 2010. Web Evolution. Past: Human usage HTTP Static Web pages (HTML) Current: Human and some automated usage Interactive Web pages Web Services (WSDL, SOAP, SAML) Semantic Web (RDF, OWL, RuleML, Web databases)

colby-church
Télécharger la présentation

CSCE 201 Web Browser Security Fall 2010

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. CSCE 201Web Browser SecurityFall 2010

  2. Web Evolution • Past: Human usage • HTTP • Static Web pages (HTML) • Current: Human and some automated usage • Interactive Web pages • Web Services (WSDL, SOAP, SAML) • Semantic Web (RDF, OWL, RuleML, Web databases) • XML technology (data exchange, data representation) • Future: Semantic Web Services 2

  3. ARE THE EXISTING SECURITY MECHANISMS SUFFICIENT TO PROVIDE DATA AND APPLICATION SECURITY OF THE NEXT GENERATION WEB? 3

  4. Fraud Information hiding Privacy Negotiation Protocol Analysis Access control Applications Data provenance Biometrics Semantic web security Security Trust Data mining Encryption Computer epidemic Anonymity Policy making Formal models Inference Control Information Assurance

  5. Internet Attacks • Download browser code • Privacy attack • Web site attack during surfing • Email

  6. Download browser code Internet Download HTML document With JavaScript HTML document With JavaScript Run JavaScript Web Server User’s computer JavaScript, Java, ActiveX

  7. JavaScript • Not for standalone applications -- Resides inside HTML documents • Interpreted into machine understandable code • Can be downloaded automatically • Cannot read, write, create, delete, or list files • Has no networking capabilities • Can: capture and send user information

  8. Java • Complete programming language – standalone applications • Java applets: downloaded with HTML • Can perform processing • May harm computer • Defense: sandbox • Signed vs. unsigned Java applets

  9. ActiveX • Rules defining how applications under the Windows OS should share information • ActiveX controls (ad-ons): • Specific ways of implementing ActiveX • Can be activated through scripting languages or by HTML commands • Can perform functions similar to Java applets but directly access OS • Signed vs. unsigned

  10. Privacy Attacks • Cookies: Web site to track whether a user has previously visited the site • User specific information, stored on the user’s computer • First-party cookie vs. third-party cookie • Can reveal browsing habits of the individuals • Adware: delivers unsolicitated advertising content • Pop-up windows

  11. Attacks while surfing • Safe surfing? Passive surfing? • Redirecting web traffic: • Typing mistakes • Attacker: registering “wrong” URLs • Drive-by downloads • Use scripting to download malicious content • Spreading at an alarming rate

  12. Internet Defenses • Popup blocker • Browser settings, e.g., IE Web browser: • Advanced security settings • Security zones • Restricting cookies

More Related