EvoSec 2025W Lecture 12: Difference between revisions
Created page with "==Readings== * [https://homeostasis.scs.carleton.ca/~soma/pubs/oda-asia-08.pdf Oda, "Content Provider Conflict on the Modern Web." (ASIA 2008)] ==Discussion Questions== While these are questions to consider, please focus your discussion on what your group finds interesting related to the paper. * How do modern security technologies like [https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS CORS], [https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP CSP], and [htt..." |
|||
| (One intermediate revision by the same user not shown) | |||
| Line 5: | Line 5: | ||
==Discussion Questions== | ==Discussion Questions== | ||
While these are questions to consider, please focus your discussion on what your group finds interesting related to the paper. | While these are questions to consider, '''please focus your discussion on what your group finds interesting related to the paper'''. | ||
* How do modern security technologies like [https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS CORS], [https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP CSP], and [https://developer.mozilla.org/en-US/docs/Web/HTTP/Cross-Origin_Resource_Policy CORP] impact the problems identified in this paper? | * How do modern security technologies like [https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS CORS], [https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP CSP], and [https://developer.mozilla.org/en-US/docs/Web/HTTP/Cross-Origin_Resource_Policy CORP] impact the problems identified in this paper? | ||
| Line 12: | Line 12: | ||
==Class Notes== | ==Class Notes== | ||
<pre> | |||
Lecture 12 | |||
---------- | |||
Plan for the rest of the semester is to read (some) my old papers | |||
- lots to think about trust | |||
Remember that you can and should critique these papers! | |||
G1 | |||
- confining JS goes against economic model of the web, maybe? | |||
- discussed what happened with Honey | |||
- rethinking the web as a "wild west" | |||
G2 | |||
- new tech defends against injection | |||
- increasing demands for ads, so increasing need for security | |||
- large platforms must enforce this security | |||
- browser extensions, particularly ad block, why do we trust them more than the ad itself? | |||
G3 | |||
- new tech prevents injection but not content-provider conflict, issues is JS environment | |||
- large providers increase risks of conflict | |||
- increased awareness of security issues with ads | |||
G4 | |||
- what do we do when legit businesses go bad? | |||
- centralization out-competed regular malware, you're already being spied on! | |||
- can't stop people being taken advantage of through tech | |||
- risk/reward impacts willingness for bad actors to be bad | |||
Terri later did ViSP, SOMA, and SSS (security style sheets) | |||
The real security issue in content-provider conflict is the DOM, not JS per se. | |||
The security solutions that get implemented on the web are the ones that serve the major platforms | |||
- not regular users | |||
page-level isolation mechanisms inhibit ad monitoring and ad security | |||
- avoiding click fraud | |||
</pre> | |||
Latest revision as of 18:06, 25 February 2025
Readings
Discussion Questions
While these are questions to consider, please focus your discussion on what your group finds interesting related to the paper.
- How do modern security technologies like CORS, CSP, and CORP impact the problems identified in this paper?
- How does the rise of large platforms impact content-provider conflict?
- Did this paper change how you thought about the web?
Class Notes
Lecture 12 ---------- Plan for the rest of the semester is to read (some) my old papers - lots to think about trust Remember that you can and should critique these papers! G1 - confining JS goes against economic model of the web, maybe? - discussed what happened with Honey - rethinking the web as a "wild west" G2 - new tech defends against injection - increasing demands for ads, so increasing need for security - large platforms must enforce this security - browser extensions, particularly ad block, why do we trust them more than the ad itself? G3 - new tech prevents injection but not content-provider conflict, issues is JS environment - large providers increase risks of conflict - increased awareness of security issues with ads G4 - what do we do when legit businesses go bad? - centralization out-competed regular malware, you're already being spied on! - can't stop people being taken advantage of through tech - risk/reward impacts willingness for bad actors to be bad Terri later did ViSP, SOMA, and SSS (security style sheets) The real security issue in content-provider conflict is the DOM, not JS per se. The security solutions that get implemented on the web are the ones that serve the major platforms - not regular users page-level isolation mechanisms inhibit ad monitoring and ad security - avoiding click fraud