Building confederated web-based services with Priv.io

With the increasing popularity of Web-based services, users today have access to a broad range of free sites, including social networking, microblogging, and content sharing sites. In order to offer a service for free, service providers typically monetize user content, selling results to third parties such as advertisers. As a result, users have little control over their data or privacy. A number of alternative approaches to architecting today's Web-based services have been proposed, but they suffer from limitations such as relying on the creation and installation of additional client-side software, providing insufficient reliability, or imposing an excessive monetary cost on users. In this paper, we present Priv.io, a new approach to building Web-based services that offers users greater control and privacy over their data. We leverage the fact that today, users can purchase storage, bandwidth, and messaging from cloud providers at fine granularity: in Priv.io, each user provides the resources necessary to support their use of the service using cloud providers such as Amazon Web Services. Users still access the service using a Web browser, all computation is done within users' browsers, and Priv.io provides rich and secure support for third-party applications. An implementation demonstrates that Priv.io works today with unmodified versions of common Web browsers on both desktop and mobile devices, is both practical and feasible, and is cheap enough for the vast majority of users.
