60 likes | 77 Vues
Explore the highlights and examples from the paper "Security vs. the Web" and join an open discussion on adding security properties to the Web without compromising its functionality. Topics include global identification, resource sharing, orthogonality, and more.
 
                
                E N D
web-key: Mashing with Permission http://waterken.sf.net/web-key/ Highlights and examples from the paper, and an open discussion
Security vs. the Web • Casualties of the username/password: • Global identification • Sharing a resource by passing a URL • Orthogonality • Hypertext can refer to a resource by URL only • Global scope • A URL means the same thing everywhere • Got us the Same Origin Policy
Security vs. the Web • … and often doesn’t actually result in the security we wanted • Loss of global identification • User revolt to “something you know” • Loss of orthogonality • Pervasive prompting => phishing • Loss of global scope • XSRF: this global identifier means something different when you use it • My Access Control List doesn’t control access?
The Web with security • What security properties can we add to the Web without breaking it and would they be useful in real applications? • A URL is a lot like a reference. • Capability-security gets its security from enforcing the properties of references. • Check the protocols and clients to see if it’s a good fit.
The Web as capability system • Referer header almost makes the Web a dynamically scoped language • Some referential integrity from HTTPS • Windowing API in the browser is hysterical • Survivable, but does require some care • Address bar shows reference bits • Can mitigate or ignore if no one’s looking
https://yurl.net/-/#kzqxsxbub4742a • Global Id, Orthogonality, Global Scope • Global id = Just click • Orthogonality = No prompting • Global scope = no XSRF • Global scope = no need for Same Origin • Global id = fine grained access for mashup