论文信息 - Sessionlock: securing web sessions against eavesdropping

Sessionlock: securing web sessions against eavesdropping

Typical web sessions can be hijacked easily by a network eavesdropper in attacks that have come to be designated "sidejacking." The rise of ubiquitous wireless networks, often unprotected at the transport layer, has significantly aggravated this problem. While SSL can protect against eavesdropping, its usability disadvantages often make it unsuitable when the data is not considered highly confidential. Most web-based email services, for example, use SSL only on their login page and are thus vulnerable to sidejacking. We propose SessionLock, a simple approach to securing web sessions against eavesdropping without extending the use of SSL. SessionLock is easily implemented by web developers using only JavaScript and simple server-side logic. Its performance impact is negligible, and all major web browsers are supported. Interestingly, it is particularly easy to implement on single-page AJAX web applications, e.g. Gmail or Yahoo mail, with approximately 200 lines of JavaScript and 60 lines of server-side verification code.

Ben Adida | B. Adida

[1] Hugo Krawczyk,et al. HMAC: Keyed-Hashing for Message Authentication , 1997, RFC.

[2] Lawrence C. Stewart,et al. HTTP Authentication: Basic and Digest Access Authentication , 1999 .

[3] Whitfield Diffie,et al. New Directions in Cryptography , 1976, IEEE Trans. Inf. Theory.

[4] Markus Jakobsson,et al. Cache cookies for browser authentication , 2006, 2006 IEEE Symposium on Security and Privacy (S&P'06).

[5] Ben Adida,et al. Beamauth: two-factor web authentication with a bookmark , 2007, CCS '07.

[6] Helen J. Wang,et al. Subspace: secure cross-domain communication for web mashups , 2007, WWW '07.

[7] Xiaoyun Wang,et al. Finding Collisions in the Full SHA-1 , 2005, CRYPTO.

[8] Tim Wright,et al. Transport Layer Security (TLS) Extensions , 2003, RFC.

[9] Roy T. Fielding,et al. Uniform Resource Identifier (URI): Generic Syntax , 2005, RFC.

[10] Jim Gettys. Hypertext Transport Protocol HTTP/1.1 , 2001 .

[11] Jesse James Garrett. Ajax: A New Approach to Web Applications , 2007 .