ERef Bayreuth

Anmelden

Literatur vom gleichen Autor/der gleichen Autor*in

bei Google Scholar

Bibliografische Daten exportieren

Complex Security Policy? A Longitudinal Analysis of Deployed Content Security Policies

Titelangaben

Roth, Sebastian ; Barron, Timothy ; Calzavara, Stefano ; Nikiforakis, Nick ; Stock, Ben:
Complex Security Policy? A Longitudinal Analysis of Deployed Content Security Policies.
2020
Veranstaltung: Network and Distributed System Security Symposium (NDSS) , 23.-26.02.2020 , San Diego, CA.
(Veranstaltungsbeitrag: Kongress/Konferenz/Symposium/Tagung , Paper )
DOI: https://doi.org/10.14722/ndss.2020.23046

Abstract

The Content Security Policy (CSP) mechanism was developed as a mitigation against script injection attacks in 2010. In this paper, we leverage the unique vantage point of the Internet Archive to conduct a historical and longitudinal analysis of how CSP deployment has evolved for a set of 10,000 highly ranked domains. In doing so, we document the long- term struggle site operators face when trying to roll out CSP for content restriction and highlight that even seemingly secure whitelists can be bypassed through expired or typo domains. Next to these new insights, we also shed light on the usage of CSP for other use cases, in particular, TLS enforcement and framing control. Here, we find that CSP can be easily deployed to fit those security scenarios, but both lack wide-spread adoption. Specifically, while the underspecified and thus inconsistently implemented X-Frame-Options header is increasingly used on the Web, CSP’s well-specified and secure alternative cannot keep up. To understand the reasons behind this, we run a notification campaign and subsequent survey, concluding that operators have often experienced the complexity of CSP (and given up), utterly unaware of the easy-to-deploy components of CSP. Hence, we find the complexity of secure, yet functional content restriction gives CSP a bad reputation, resulting in operators not leveraging its potential to secure a site against the non-original attack vectors.

Weitere Angaben

Publikationsform:	Veranstaltungsbeitrag (Paper)
Begutachteter Beitrag:	Ja
Institutionen der Universität:	Fakultäten > Fakultät für Mathematik, Physik und Informatik Fakultäten > Fakultät für Mathematik, Physik und Informatik > Institut für Informatik
Titel an der UBT entstanden:	Nein
Themengebiete aus DDC:	000 Informatik,Informationswissenschaft, allgemeine Werke 000 Informatik,Informationswissenschaft, allgemeine Werke > 004 Informatik
Eingestellt am:	20 Jan 2025 11:46
Letzte Änderung:	20 Jan 2025 11:46
URI:	https://eref.uni-bayreuth.de/id/eprint/91468