web-key: Mashing with Permission - PowerPoint PPT Presentation

About This Presentation

Title: web-key: Mashing with Permission

Description: Pervasive prompting => phishing. Loss of global scope ... Orthogonality = No prompting. Global scope = no XSRF. Global scope = no need for Same Origin ...

Slides: 7
Provided by: tyler82

Transcript and Presenter's Notes

1
web-key Mashing with Permission
Highlights and examples from the paper, and an
open discussion
  • http://waterken.sf.net/web-key/

2
Security vs. the Web
  • Casualties of the username/password:
    • Global identification
      • Sharing a resource by passing a URL
    • Orthogonality
      • Hypertext can refer to a resource by URL only
    • Global scope
      • A URL means the same thing everywhere
      • Got us the Same Origin Policy

3
Security vs. the Web
  • ...and often doesn't actually result in the
    security we wanted
    • Loss of global identification
      • User revolt to "something you know"
    • Loss of orthogonality
      • Pervasive prompting => phishing
    • Loss of global scope
      • XSRF: this global identifier means something
        different when you use it
      • My Access Control List doesn't control access?

4
The Web with security
  • What security properties can we add to the Web
    without breaking it and would they be useful in
    real applications?
  • A URL is a lot like a reference.
  • Capability-security gets its security from
    enforcing the properties of references.
  • Check the protocols and clients to see if it's a
    good fit.

5
The Web as capability system
  • Referer header almost makes the Web a dynamically
    scoped language
  • Some referential integrity from HTTPS
  • Windowing API in the browser is hysterical
    • Survivable, but does require some care
  • Address bar shows reference bits
    • Can mitigate or ignore if no one's looking

6
https://yurl.net/-/kzqxsxbub4742a
  • Global Id, Orthogonality, Global Scope
    • Global id = Just click
    • Orthogonality = No prompting
    • Global scope = no XSRF
    • Global scope = no need for Same Origin
    • Global id = fine grained access for mashup
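The slide 6 properties, shown as a small added example (not code from the web-key paper or the waterken project): a server that treats an unguessable URL as the only credential. Authority lives in the reference, so cookies are ignored and a request forged from another site carries nothing unless it already holds the key; the `/-/` path layout, the in-memory table and the `example.invalid` origin are assumptions for the demo.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Constructed in-memory store: unguessable key -> resource content.
# A real deployment would persist this; the dict keeps the demo self-contained.
_resources: dict = {}


def mint_web_key(content: str, origin: str = "https://example.invalid") -> str:
    """Create a resource and return the URL that is its sole credential.

    The key is 128 bits from the OS CSPRNG, so the URL behaves like a
    reference: it cannot be forged, only obtained by being handed it.
    Handing it to a mashup grants exactly this one resource (fine-grained).
    """
    key = secrets.token_urlsafe(16)
    _resources[key] = content
    return f"{origin}/-/{key}"


def _lookup(key: str):
    # Compare against every stored key in constant time so response timing
    # does not reveal how many leading characters of a guess were right.
    found = None
    for stored, content in _resources.items():
        if hmac.compare_digest(stored.encode(), key.encode()):
            found = content
    return found


def handle_request(url: str, cookies=None):
    """Authorize by the reference in the URL alone (cookies are ignored).

    No ambient credential is consulted, so the URL means the same thing
    whoever presents it: the "global scope = no XSRF" property. Returns
    (status, body) like an HTTP handler would.
    """
    path = urlsplit(url).path
    if not path.startswith("/-/"):
        return 404, "not found"
    content = _lookup(path[len("/-/"):])
    if content is None:
        # Unknown key answers exactly like a missing resource: no oracle.
        return 404, "not found"
    return 200, content
```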