- Building a Safer Web: Web Tripwires and a New Browser Architecture
Abstract:
Web content has shifted from simple documents to active programs, but web protocols and browsers have not evolved adequately to support them. As a result, safety problems in web sites and web browsers now regularly make headlines, from browser exploits to ISPs that modify web pages. In this talk, I will discuss my research into improving the security and reliability of web content and browsers.For most of this talk, I will focus on one particular problem: the ability for intermediaries to modify web content in-flight. Our recent measurement study shows that many clients now receive web pages that have been altered before reaching the browser. The changes range from injected advertisements to popup blocking code to malware, often affecting the user's privacy and security. Some of these changes introduce bugs and even vulnerabilities into the pages they modify. Most sites are unwilling to switch to SSL for reasons of cost and performance, so I will show how web servers can use "web tripwires" to detect in-flight page changes with inexpensive JavaScript code.
After this, I will talk more broadly about my research on web browser security, focusing on the deficiencies of today's web as an application platform. Starting from my prior work on BrowserShield, I will show how we need a safer architecture for running programs within the browser. Like an operating system, this new architecture will need effective mechanisms to define, isolate, and enforce policies on these web programs.
- Berkeley TRUST Seminar. May 8, 2008.
- Stanford
EE 380 Colloquium. March 12, 2008.
[Windows Media video] - Google Tech Talk, Mountain View, CA. March 10, 2008.
[YouTube video] - Google Tech Talk, Kirkland, WA. January 17, 2008.
- Amazon Developer Conference, Seattle, WA. January 16, 2008.