The Browser as a Secure Platform for Loosely Coupled, Private-Data Mashups



SLIDE 1

The Browser as a Secure Platform for Loosely Coupled, Private-Data Mashups

Ben Adida, Center for Research on Computation and Society, Harvard University, 24 May 2007

SLIDE 2

web mashups: interesting combinations.

SLIDE 3

Aggressive “web 2.0” development will continue. Can we make the browser a better platform?

SLIDE 4

[Diagram: Service #1, Service #2, Mashup Service]

  • mashup service selects which sources to combine.
  • all data flows through the mashup service.
  • (most of) mashup logic on the mashup server.

great for public data services

SLIDE 5

web applications increasingly manage private data

SLIDE 6

[Diagram: Service #1, Service #2, Mashup Service]

  • authentication handled independently by each service
  • no data flows through the mashup service
  • logic runs in the browser.

more interesting for private data.

SLIDE 7

[Diagram: Service #1, Service #2, Mashup Service]

  • Service #2 is “injected” into Service #1
  • loose coupling: Service #2 doesn’t necessarily know about Service #1 ahead of time.
  • using a bookmarklet or a browser extension

SLIDE 8

del.icio.us

SLIDE 9

SLIDE 10

SLIDE 11

SLIDE 12

Problems

  • bookmarklet runs in current page’s context
    unstable API - bad for stability and security.
  • bookmarklet limited to on-the-fly downloads
    vulnerable to pharming attacks.
  • extension has full control over all browsing
    requires significant trust in extension!

SLIDE 13

Suggested Enhancements

SLIDE 14

1. JavaScript Isolation

    with_cleanslate {
      // access DOM
      // call standard JavaScript API
      // ...
    }

SLIDE 15

2. Fine-Grained Permissions

  • Limited Awakening: extension takes control only when the user invokes it.
  • Limited Network Access: extension can access only hosts on which it is invoked.
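
Added example (not from the talk): a JavaScript model of the two permissions above, showing why the host check has to compare parsed hosts and not substrings. The class and method names are hypothetical, since the slides define no API, and ending the grant when the tab navigates to another host is an assumption.

```javascript
// Hypothetical model of "Limited Awakening" and "Limited Network Access".
// Nothing here is a real browser API; hostnames are constructed samples.
class ExtensionGrant {
  constructor() {
    this.grants = new Map(); // tabId -> host on which the user invoked the extension
  }

  // Limited Awakening: the browser calls this only on an explicit user action.
  invoke(tabId, pageUrl) {
    const page = new URL(pageUrl);
    if (page.protocol !== "https:" && page.protocol !== "http:") {
      throw new Error("extension can only be invoked on a web page");
    }
    this.grants.set(tabId, page.host);
  }

  // Assumption: leaving the invoked host puts the extension back to sleep.
  navigated(tabId, newUrl) {
    if (this.grants.get(tabId) !== new URL(newUrl).host) {
      this.grants.delete(tabId);
    }
  }

  isAwake(tabId) {
    return this.grants.has(tabId);
  }

  // Limited Network Access: only the host of invocation may be contacted.
  mayRequest(tabId, targetUrl) {
    const grantedHost = this.grants.get(tabId);
    if (grantedHost === undefined) return false; // never invoked in this tab
    let target;
    try {
      target = new URL(targetUrl);
    } catch {
      return false; // unparseable target: deny
    }
    // Exact match on the parsed host. A prefix or substring test would accept
    // "mail.example.evil.test" and "mail.example@evil.test" (userinfo trick).
    return target.host === grantedHost;
  }
}
```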

SLIDE 16

3. Metadata-Mediated Extensions

[Diagram: 1a, 1b, 1c; structured data (microformat, RDFa,...); Service #2]

  • web services contain structured data.
  • the data type triggers the appropriate extension.
  • the extension can contact its own web-based service.
  • (extension may not even need to contact 1a, 1b, 1c.)

watch for the Operator FF Extension

SLIDE 17

Browser = Platform

  • Isolation
  • Fine-Grained Permissions
  • Structured Data for Inter-Application Communication

Enhancements are backwards-compatible with today’s web

SLIDE 18

Questions?

http://ben.adida.net/presentations/

http://flickr.com/photos/hollywoodpoodle/373053089/