web-key: Mashing with Permission
http://waterken.sf.net/web-key/
Highlights and examples from the paper, and an open discussion
Security vs. the Web
Casualties of the username/password:
– Global identification: sharing a resource by passing a URL
– Orthogonality: hypertext can refer to a resource by URL only
– Global scope: a URL means the same thing everywhere
Got us the Same Origin Policy
Security vs. the Web
… and often doesn't actually result in the security we wanted
– Loss of global identification: user revolt to "something you know"
– Loss of orthogonality: pervasive prompting => phishing
– Loss of global scope: XSRF, this global identifier means something different when you use it
– My Access Control List doesn't control access?
The Web with security
What security properties can we add to the Web without breaking it, and would they be useful in real applications?
– A URL is a lot like a reference.
– Capability-security gets its security from enforcing the properties of references.
– Check the protocols and clients to see if it's a good fit.
The Web as capability system
Referer header almost makes the Web a dynamically scoped language
Some referential integrity from HTTPS
Windowing API in the browser is hysterical
– Survivable, but does require some care
Address bar shows reference bits
– Can mitigate or ignore if no one's looking
https://yurl.net/-/#kzqxsxbub4742a
Global Id, Orthogonality, Global Scope
Global id = just click
Orthogonality = no prompting
Global scope = no XSRF
Global scope = no need for Same Origin
Global id = fine-grained access for mashup
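The example below is added here to model the web-key idea behind the URL above and the Referer point on the previous slide; it is not waterken's code. It assumes the key in the URL fragment is never put on the wire by the browser (which is standard browser behaviour), that the page served at /-/ re-sends the key in a query parameter (the parameter name `s` is an assumption), and that the server treats the key as a capability it looks up rather than a user it authenticates.

```python
import secrets
from urllib.parse import urlsplit, urlunsplit, parse_qs

# Constructed in-memory capability table: unguessable key -> designated resource.
# Modelled after the slides, not waterken's actual storage.
RESOURCES = {}


def mint_web_key(resource, host="yurl.net"):
    """Issue a web-key for `resource`. The capability lives only in the fragment,
    so it is global (anyone holding the URL can use it) yet unforgeable."""
    key = secrets.token_urlsafe(16)  # 128 random bits: infeasible to guess or enumerate
    RESOURCES[key] = resource
    return f"https://{host}/-/#{key}"


def wire_request(web_key):
    """What the browser actually sends when a web-key is clicked.
    The fragment is stripped, so the key never reaches proxies, server logs,
    or the Referer header of any link followed from the page."""
    p = urlsplit(web_key)
    return urlunsplit((p.scheme, p.netloc, p.path, p.query, ""))


def referer_for(web_key):
    """Referer is derived from the request URL, hence also fragment-free."""
    return wire_request(web_key)


def client_script(web_key, query_param="s"):
    """Models the script served at /-/: it reads the fragment client-side and
    re-sends the key explicitly. The query parameter name is an assumption."""
    p = urlsplit(web_key)
    return urlunsplit((p.scheme, p.netloc, p.path, f"{query_param}={p.fragment}", ""))


def resolve(request_url, query_param="s"):
    """Server side: the key designates the resource directly. No session or
    ambient credential is consulted, which is why a forged cross-site request
    (XSRF) gets nothing: without the key there is nothing to act on."""
    query = parse_qs(urlsplit(request_url).query)
    key = query.get(query_param, [""])[0]
    return RESOURCES.get(key)


if __name__ == "__main__":
    wk = mint_web_key("alice-calendar")
    print("on the wire:", wire_request(wk))         # no key
    print("resolved:", resolve(client_script(wk)))  # alice-calendar
```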