bei Google ScholarTitelangaben
Roth, Sebastian ; Calzavara, Stefano ; Wilhelm, Moritz ; Rabitti, Alvise ; Stock, Ben:
The Security Lottery : Measuring Client-Side Web Security Inconsistencies.
2022
Veranstaltung: 31st USENIX Security Symposium
, 10.-12.08.2022
, Boston, MA.
(Veranstaltungsbeitrag: Kongress/Konferenz/Symposium/Tagung
,
Paper
)
Abstract
To mitigate a myriad of Web attacks, modern browsers support client-side security policies shipped through HTTP response headers. To enforce these defenses, the servers need to communicate them to the client, a seemingly straightforward process. However, users may access the same site in variegate ways, e.g., using different User-Agents, network access methods, or language settings. All these usage scenarios should enforce the same security policies, otherwise a security lottery would take place: depending on specific client characteristics, different levels of Web application security would be provided to users (inconsistencies). We formalize security guarantees provided through four popular mechanisms and apply this to measure the prevalence of inconsistencies in the security policies of top sites across different client characteristics. Based on our insights, we investigate the security implications of both deterministic and non-deterministic inconsistencies, and show how even prominent services are affected by them.
Weitere Angaben
| Publikationsform: | Veranstaltungsbeitrag (Paper) |
|---|---|
| Begutachteter Beitrag: | Ja |
| Institutionen der Universität: | Fakultäten > Fakultät für Mathematik, Physik und Informatik Fakultäten > Fakultät für Mathematik, Physik und Informatik > Institut für Informatik |
| Titel an der UBT entstanden: | Nein |
| Themengebiete aus DDC: | 000 Informatik,Informationswissenschaft, allgemeine Werke 000 Informatik,Informationswissenschaft, allgemeine Werke > 004 Informatik |
| Eingestellt am: | 20 Jan 2025 09:06 |
| Letzte Änderung: | 20 Jan 2025 09:06 |
| URI: | https://eref.uni-bayreuth.de/id/eprint/91463 |