Logo des Repositoriums

Auflistung nach Schlagwort "web security"

1 - 2 von 2
  • Zeitschriftenartikel
    Privacy-preserving Web single sign-on: Formal security analysis and design
    (it - Information Technology: Vol. 64, No. 1-2, 2022) Schmitz, Guido
    Single sign-on (SSO) systems, such as OpenID and OAuth, allow Web sites to delegate user authentication to third parties, such as Facebook or Google. These systems provide a convenient mechanism for users to log in and ease the burden of user authentication for Web sites. Conversely, by integrating such SSO systems, they become a crucial part of the security of the modern Web. So far, it has been hard to prove if Web standards and protocols actually meet their security goals. SSO systems, in particular, need to satisfy strong security and privacy properties. In this thesis, we develop a new systematic approach to rigorously and formally analyze and verify such strong properties with the Web Infrastructure Model (WIM), the most comprehensive model of the Web infrastructure to date. Our analyses reveal severe vulnerabilities in SSO systems that lead to critical attacks against their security and privacy. We propose fixes and formally verify that our proposals are sufficient to establish security. Our analyses, however, also show that even Mozilla’s proposal for a privacy-preserving SSO system does not meet its unique privacy goal. To fill this gap, we use our novel approach to develop a new SSO system, SPRESSO, and formally prove that our system indeed enjoys strong security and privacy properties.
  • Textdokument
    Your website has been hijacked: Raising awareness for an invisible problem
    (GI SICHERHEIT 2022, 2022) Hennig, Anne
    Running a business without having a website is nearly impossible nowadays. Content management systems (CMS) provide features which make it easy for laypersons to create sophisticated websites. But those can pose security risks and provide vulnerabilities for manipulations. With vulnerability notifications, website owners are notified about security risks. The work of this doctoral thesis is divided into two main parts: At first it is necessary to identify common themes with respect to vulnerability notifications and provide more information on how to improve future vulnerability notifications. The second main part is to develop and evaluate suitable awareness materials.