Web Security

Sort By:

Go Static or Go Home:
In the end, dynamic systems are simply less secure.

Most current and historic problems in computer and network security boil down to a single observation: letting other people control our devices is bad for us. At another time, I’ll explain what I mean by "other people" and "bad." For the purpose of this article, I’ll focus entirely on what I mean by control. One way we lose control of our devices is to external distributed denial of service (DDoS) attacks, which fill a network with unwanted traffic, leaving no room for real ("wanted") traffic. Other forms of DDoS are similar: an attack by the Low Orbit Ion Cannon (LOIC), for example, might not totally fill up a network, but it can keep a web server so busy answering useless attack requests that the server can’t answer any useful customer requests.

by Paul Vixie | January 14, 2015


Security Collapse in the HTTPS Market:
Assessing legal and technical solutions to secure HTTPS

HTTPS (Hypertext Transfer Protocol Secure) has evolved into the de facto standard for secure Web browsing. Through the certificate-based authentication protocol, Web services and Internet users first authenticate one another ("shake hands") using a TLS/SSL certificate, encrypt Web communications end-to-end, and show a padlock in the browser to signal that a communication is secure. In recent years, HTTPS has become an essential technology to protect social, political, and economic activities online.

by Axel Arnbak, Hadi Asghari, Michel Van Eeten, Nico Van Eijk | September 23, 2014


Why Is It Taking So Long to Secure Internet Routing?:
Routing security incidents can still slip past deployed security defenses.

BGP (Border Gateway Protocol) is the glue that sticks the Internet together, enabling data communications between large networks operated by different organizations. BGP makes Internet communications global by setting up routes for traffic between organizations - for example, from Boston University’s network, through larger ISPs (Internet service providers) such as Level3, Pakistan Telecom, and China Telecom, then on to residential networks such as Comcast or enterprise networks such as Bank of America.

by Sharon Goldberg | September 11, 2014


Certificate Transparency:
Public, verifiable, append-only logs

On August 28, 2011, a mis-issued wildcard HTTPS certificate for google.com was used to conduct a man-in-the-middle attack against multiple users in Iran. The certificate had been issued by a Dutch CA (certificate authority) known as DigiNotar, a subsidiary of VASCO Data Security International. Later analysis showed that DigiNotar had been aware of the breach in its systems for more than a month - since at least July 19. It also showed that at least 531 fraudulent certificates had been issued. The final count may never be known, since DigiNotar did not have records of all the mis-issued certificates.

by Ben Laurie | September 8, 2014


Securing the Tangled Web:
Preventing script injection vulnerabilities through software design

Script injection vulnerabilities are a bane of Web application development: deceptively simple in cause and remedy, they are nevertheless surprisingly difficult to prevent in large-scale Web development.

by Christoph Kern | August 25, 2014


Splinternet Behind the Great Firewall of China:
Once China opened its door to the world, it could not close it again.

What if you could not access YouTube, Facebook, Twitter, and Wikipedia? How would you feel if Google informed you that your connection had been reset during a search? What if Gmail was only periodically available, and Google Docs, which was used to compose this article, was completely unreachable? What a mess!

by Daniel Anderson | November 30, 2012


Browser Security Case Study: Appearances Can Be Deceiving:
A discussion with Jeremiah Grossman, Ben Livshits, Rebecca Bace, and George Neville-Neil

It seems every day we learn of some new security breach. It’s all there for the taking on the Internet: more and more sensitive data every second. As for privacy, we Facebook, we Google, we bank online, we shop online, we invest online& we put it all out there. And just how well protected is all that personally identifiable information? Not very.

by Jeremiah Grossman, Ben Livshits, Rebecca Bace, George Neville-Neil | November 20, 2012


The Web Won’t Be Safe or Secure until We Break It:
Unless you’ve taken very particular precautions, assume every Web site you visit knows exactly who you are.

The Internet was designed to deliver information, but few people envisioned the vast amounts of information that would be involved or the personal nature of that information. Similarly, few could have foreseen the potential flaws in the design of the Internet that would expose this personal information, compromising the data of individuals and companies.

by Jeremiah Grossman | November 6, 2012


CTO Roundtable: Malware Defense Overview:
Key points from ACM’s CTO Roundtable on malware defense

The Internet has enabled malware to progress to a much broader distribution model and is experiencing a huge explosion of individual threats. There are automated tools that find vulnerable sites, attack them, and turn them into distribution sites. As commerce and the business of daily living migrate online, attacks to leverage information assets for ill-gotten benefit have increased dramatically. Security professionals are seeing more sophisticated and innovative profit models on par with business models seen in the legitimate world.

by Mache Creeger | February 25, 2010


CTO Roundtable: Malware Defense:
The battle is bigger than most of us realize.

As all manner of information assets migrate online, malware has kept on track to become a huge source of individual threats. In a continuously evolving game of cat and mouse, as security professionals close off points of access, attackers develop more sophisticated attacks. Today profit models from malware are comparable to any seen in the legitimate world.

by Mache Creeger | February 24, 2010


Browser Security: Lessons from Google Chrome:
Google Chrome developers focused on three key problems to shield the browser from attacks.

The Web has become one of the primary ways people interact with their computers, connecting people with a diverse landscape of content, services, and applications. Users can find new and interesting content on the Web easily, but this presents a security challenge: malicious Web-site operators can attack users through their Web browsers. Browsers face the challenge of keeping their users safe while providing a rich platform for Web applications.

by Charles Reis, Adam Barth, Carlos Pizano | June 18, 2009


Cybercrime 2.0: When the Cloud Turns Dark:
Web-based malware attacks are more insidious than ever. What can be done to stem the tide?

As the Web has become vital for day-to-day transactions, it has also become an attractive avenue for cybercrime. Financially motivated, the crime we see on the Web today is quite different from the more traditional network attacks. A few years ago Internet attackers relied heavily on remotely exploiting servers identified by scanning the Internet for vulnerable network services. Autonomously spreading computer worms such as Code Red and SQLSlammer were examples of such scanning attacks. Their huge scale put even the Internet at large at risk; for example, SQLSlammer generated traffic sufficient to melt down backbones.

by Niels Provos, Moheeb Abu Rajab, Panayiotis Mavrommatis | March 20, 2009


Security in the Browser:
Web browsers leave users vulnerable to an ever-growing number of attacks. Can we make them secure while preserving their usability?

Sealed in a depleted uranium sphere at the bottom of the ocean. That’s the often-mentioned description of what it takes to make a computer reasonably secure. Obviously, in the Internet age or any other, such a machine would be fairly useless.

by Thomas Wadlow, Vlad Gorelik | March 16, 2009


Playing for Keeps:
Will security threats bring an end to general-purpose computing?

Inflection points come at you without warning and quickly recede out of reach. We may be nearing one now. If so, we are now about to play for keeps, and “we” doesn’t mean just us security geeks. If anything, it’s because we security geeks have not worked the necessary miracles already that an inflection point seems to be approaching at high velocity.

by Daniel E. Geer | November 10, 2006


Criminal Code: The Making of a Cybercriminal:
A fictional account of malware creators and their experiences

This is a fictional account of malware creators and their experiences. Although the characters are made up, the techniques and events are patterned on real activities of many different groups developing malicious software. “Make some money!” Misha’s father shouted. “You spent all that time for a stupid contest and where did it get you? Nowhere! You have no job and you didn’t even win! You need to stop playing silly computer games and earn some money!”

by Thomas Wadlow, Vlad Gorelik | November 10, 2006


Cybercrime: An Epidemic:
Who commits these crimes, and what are their motivations?

Painted in the broadest of strokes, cybercrime essentially is the leveraging of information systems and technology to commit larceny, extortion, identity theft, fraud, and, in some cases, corporate espionage. Who are the miscreants who commit these crimes, and what are their motivations? One might imagine they are not the same individuals committing crimes in the physical world. Bank robbers and scam artists garner a certain public notoriety after only a few occurrences of their crimes, yet cybercriminals largely remain invisible and unheralded. Based on sketchy news accounts and a few public arrests, such as Mafiaboy, accused of paralyzing Amazon, CNN, and other Web sites, the public may infer these miscreants are merely a subculture of teenagers.

by Team Cymru | November 10, 2006


Phishing for Solutions:
Re: phishing, doesn’t the URL already give away enough information?

Dear KV, I noticed you covered cross-site scripting a few issues back, and I’m wondering if you have any advice on another Web problem, phishing. I work at a large financial institution and every time we roll out a new service, the security team comes down on us because either the login page looks different or they claim that it’s easy to phish information from our users using one of our forms. It’s not like we want our users to be phished, but I don’t think it’s a technical problem. Our users are just stupid and give away their information to anyone who seems willing to put up a reasonable fake of one of our pages.

by George Neville-Neil | June 30, 2006


Vicious XSS:
For readers who doubt the relevance of KV’s advice, witness the XSS attack that befell MySpace in October.

For readers who doubt the relevance of KV’s advice, witness the XSS attack that befell MySpace in October. This month Kode Vicious addresses just this sort of XSS attack. It’s a good thing cross-site scripting is not abbreviated CSS, as the MySpace hacker used CSS to perpetrate his XSS attack. That would have made for one confusing story, eh?

by George Neville-Neil | January 31, 2006


Lack of Priority Queuing Considered Harmful:
We’re in sore need of critical Internet infrastructure protection.

Most modern routers consist of several line cards that perform packet lookup and forwarding, all controlled by a control plane that acts as the brain of the router, performing essential tasks such as management functions, error reporting, control functions including route calculations, and adjacency maintenance. This control plane has many names; in this article it is the route processor, or RP. The route processor calculates the forwarding table and downloads it to the line cards using a control-plane bus. The line cards perform the actual packet lookup and forwarding.

by Vijay Gill | December 6, 2004


Network Forensics:
Good detective work means paying attention before, during, and after the attack.

The dictionary defines forensics as “the use of science and technology to investigate and establish facts in criminal or civil courts of law.” I am more interested, however, in the usage common in the computer world: using evidence remaining after an attack on a computer to determine how the attack was carried out and what the attacker did. The standard approach to forensics is to see what can be retrieved after an attack has been made, but this leaves a lot to be desired. The first and most obvious problem is that successful attackers often go to great lengths to ensure that they cover their trails.

by Ben Laurie | August 31, 2004


Blaster Revisited:
A second look at the cost of Blaster sheds new light on today’s blended threats.

What lessons can we learn from the carnage the Blaster worm created? The following tale is based upon actual circumstances from corporate enterprises that were faced with confronting and eradicating the Blaster worm, which hit in August 2003. The story provides views from many perspectives, illustrating the complexity and sophistication needed to combat new blended threats.

by Jim Morrison | August 31, 2004