ACM Queue - Web Security
http://queue.acm.org/listing.cfm?item_topic=Web Security&qc_type=topics_list&filter=Web Security&page_title=Web Security&order=desc
Go Static or Go Home: In the end, dynamic systems are simply less secure.
http://queue.acm.org/detail.cfm?id=2721993
Most current and historic problems in computer and network security boil down to a single observation: letting other people control our devices is bad for us. At another time, I'll explain what I mean by "other people" and "bad." For the purpose of this article, I'll focus entirely on what I mean by control. One way we lose control of our devices is to external distributed denial of service (DDoS) attacks, which fill a network with unwanted traffic, leaving no room for real ("wanted") traffic. Other forms of DDoS are similar: an attack by the Low Orbit Ion Cannon (LOIC), for example, might not totally fill up a network, but it can keep a web server so busy answering useless attack requests that the server can't answer any useful customer requests. Either way, DDoS means outsiders are controlling our devices, and that's bad for us.
Topic: Web Security | Published: 14 January 2015 12:19:30 GMT | Author: Paul Vixie | Article ID: 2721993

Security Collapse in the HTTPS Market: Assessing legal and technical solutions to secure HTTPS
http://queue.acm.org/detail.cfm?id=2673311
HTTPS (Hypertext Transfer Protocol Secure) has evolved into the de facto standard for secure Web browsing. Through the certificate-based authentication protocol, Web services and Internet users first authenticate one another ("shake hands") using a TLS/SSL certificate, encrypt Web communications end-to-end, and show a padlock in the browser to signal that a communication is secure. In recent years, HTTPS has become an essential technology to protect social, political, and economic activities online.
Topic: Web Security | Published: 23 September 2014 16:12:01 GMT | Authors: Axel Arnbak, Hadi Asghari, Michel Van Eeten, Nico Van Eijk | Article ID: 2673311

Why Is It Taking So Long to Secure Internet Routing?: Routing security incidents can still slip past deployed security defenses.
http://queue.acm.org/detail.cfm?id=2668966
BGP (Border Gateway Protocol) is the glue that sticks the Internet together, enabling data communications between large networks operated by different organizations. BGP makes Internet communications global by setting up routes for traffic between organizations - for example, from Boston University's network, through larger ISPs (Internet service providers) such as Level3, Pakistan Telecom, and China Telecom, then on to residential networks such as Comcast or enterprise networks such as Bank of America.
Topic: Web Security | Published: 11 September 2014 11:37:18 GMT | Author: Sharon Goldberg | Article ID: 2668966

Certificate Transparency: Public, verifiable, append-only logs
http://queue.acm.org/detail.cfm?id=2668154
On August 28, 2011, a mis-issued wildcard HTTPS certificate for google.com was used to conduct a man-in-the-middle attack against multiple users in Iran. The certificate had been issued by a Dutch CA (certificate authority) known as DigiNotar, a subsidiary of VASCO Data Security International. Later analysis showed that DigiNotar had been aware of the breach in its systems for more than a month - since at least July 19. It also showed that at least 531 fraudulent certificates had been issued. The final count may never be known, since DigiNotar did not have records of all the mis-issued certificates. On September 20, 2011, DigiNotar was declared bankrupt.
Topic: Web Security | Published: 8 September 2014 15:58:01 GMT | Author: Ben Laurie | Article ID: 2668154

Securing the Tangled Web: Preventing script injection vulnerabilities through software design
http://queue.acm.org/detail.cfm?id=2663760
Script injection vulnerabilities are a bane of Web application development: deceptively simple in cause and remedy, they are nevertheless surprisingly difficult to prevent in large-scale Web development.
Topic: Web Security | Published: 25 August 2014 22:58:25 GMT | Author: Christoph Kern | Article ID: 2663760

Splinternet Behind the Great Firewall of China: Once China opened its door to the world, it could not close it again.
http://queue.acm.org/detail.cfm?id=2405036
What if you could not access YouTube, Facebook, Twitter, and Wikipedia? How would you feel if Google informed you that your connection had been reset during a search? What if Gmail was only periodically available, and Google Docs, which was used to compose this article, was completely unreachable? What a mess!
Topic: Web Security | Published: 30 November 2012 03:27:14 GMT | Author: Daniel Anderson | Article ID: 2405036

Browser Security Case Study: Appearances Can Be Deceiving: A discussion with Jeremiah Grossman, Ben Livshits, Rebecca Bace, and George Neville-Neil
http://queue.acm.org/detail.cfm?id=2399757
It seems every day we learn of some new security breach. It's all there for the taking on the Internet: more and more sensitive data every second. As for privacy, we Facebook, we Google, we bank online, we shop online, we invest online... we put it all out there. And just how well protected is all that personally identifiable information? Not very.
Topic: Web Security | Published: 20 November 2012 23:53:25 GMT | Authors: Jeremiah Grossman, Ben Livshits, Rebecca Bace, George Neville-Neil | Article ID: 2399757

The Web Won’t Be Safe or Secure until We Break It: Unless you’ve taken very particular precautions, assume every Web site you visit knows exactly who you are.
http://queue.acm.org/detail.cfm?id=2390758
The Internet was designed to deliver information, but few people envisioned the vast amounts of information that would be involved or the personal nature of that information. Similarly, few could have foreseen the potential flaws in the design of the Internet that would expose this personal information, compromising the data of individuals and companies.
Topic: Web Security | Published: 6 November 2012 15:45:17 GMT | Author: Jeremiah Grossman | Article ID: 2390758

CTO Roundtable: Malware Defense Overview: Key points from ACM’s CTO Roundtable on malware defense
http://queue.acm.org/detail.cfm?id=1734092
The Internet has enabled malware to progress to a much broader distribution model and is experiencing a huge explosion of individual threats. There are automated tools that find vulnerable sites, attack them, and turn them into distribution sites. As commerce and the business of daily living migrate online, attacks to leverage information assets for ill-gotten benefit have increased dramatically. Security professionals are seeing more sophisticated and innovative profit models on par with business models seen in the legitimate world.
Topic: Web Security | Published: 25 February 2010 17:19:19 GMT | Author: Mache Creeger | Article ID: 1734092

CTO Roundtable: Malware Defense: The battle is bigger than most of us realize.
http://queue.acm.org/detail.cfm?id=1731902
As all manner of information assets migrate online, malware has kept on track to become a huge source of individual threats. In a continuously evolving game of cat and mouse, as security professionals close off points of access, attackers develop more sophisticated attacks. Today profit models from malware are comparable to any seen in the legitimate world.
Topic: Web Security | Published: 24 February 2010 17:30:07 GMT | Author: Mache Creeger | Article ID: 1731902