Swarthmore College Department of Computer Science

Talk by Matt Van Gundy, Computer Security Lab at UC Davis

Web Application Security and Deniability: Ensuring Privacy in the Online Era
Monday, February 22, 2011
SCI 240, 4:00 pm (refreshments at 3:45)

Abstract

The proliferation of online services has introduced new threats to personal privacy. Though cryptography has yielded significant improvements in the security of electronic communication, problems remain. Application-level bugs can be used to circumvent cryptographic guarantees, and the context-dependent nature of security concerns can cause cryptographic properties that are desirable in one setting to be detrimental in another.

In this talk, we will discuss two relevant problems in computer security: protecting web applications from cross-site scripting vulnerabilities, and deniable communication.

Cross-site scripting (XSS) vulnerabilities are among the most common and serious web application vulnerabilities. They allow an attacker to circumvent the cryptographic guarantees of the HTTPS protocol to steal the secrets of, or take unauthorized action on behalf of, unsuspecting web users. Our solution, Noncespaces, provides an end-to-end defense against cross-site scripting attacks.

A deniable communication system allows individuals to deny having made statements that they may have made in a confidential conversation. Deniability is important to many individuals, such as informants and dissidents. However, deniability conflicts with the guarantees provided by common cryptographic protocols for private communication. Our protocol, Multiparty Off-The-Record Messaging, extends the state of the art by preserving deniability for confidential group conversations of arbitrary size.