Information Technology News.

Researchers develop new web privacy system for Google Chrome and Firefox


October 7, 2014

In order to block some nasty JavaScript code from funneling sensitive information to cyber criminals, researchers have developed what they say is a new web privacy system for the Google Chrome browser and Mozilla Firefox.

The new Confinement with Origin Web Labels (COWL) system tries to protect websites that rely on JavaScript libraries written by third parties: libraries that could be secretly copying passwords and other sensitive information from webpages to hackers and potential criminals.

Those libraries could have been badly designed, poorly implemented, deliberately written to be malicious, or simply compromised by hackers tampering with the source code.

In a brief published this week in Proceedings of the 11th USENIX Symposium on Operating Systems Design and Implementation, the COWL team notes that about 59.4 percent of the top one million web sites, and 77 percent of the top 10,000 web sites, incorporate jQuery, whose official site was infiltrated by miscreants, although the library code was not altered.

Perhaps developers simply shouldn't use unaudited or sketchy-sourced code in production systems, but the team's point is that the utilization of third-party libraries is prevalent – and this is a security risk.

COWL, which will be available as a free download beginning Wednesday next week, adds a DOM-level API to Firefox and Chrome. This software interface is then used by web developers to ensure that data is only shared with servers behind named domains, and thus not with any other machines.

Third-party JavaScript code is loaded into contexts which exchange specific blocks of data via messages. If a context tries to access the contents of a block that are not approved by the author, then that messaging is blocked.
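The confinement idea described above can be sketched as a toy model. This is an added example, not COWL's actual API and not code from the researchers: the `LabeledBlock` and `Context` classes, their methods, and the example origins are all hypothetical and constructed for illustration.

```javascript
// Toy model of label checks at context boundaries. NOT the COWL API:
// LabeledBlock, Context and every method name here are hypothetical.
// A label is a Set of origins allowed to receive the data; null means public.
const meet = (a, b) =>
  a === null ? b : b === null ? a : new Set([...a].filter((o) => b.has(o)));

class LabeledBlock {
  constructor(data, approvedOrigins) {
    this.data = data;
    this.label = approvedOrigins === null ? null : new Set(approvedOrigins);
  }
}

class Context {
  constructor(name) {
    this.name = name;
    this.label = null; // nothing sensitive read yet
    this.inbox = [];
  }
  // Opening a block restricts the context to the block's approved origins.
  read(block) {
    this.label = meet(this.label, block.label);
    return block.data;
  }
  // Boundary check: network requests may only go to approved origins.
  send(url, payload) {
    const origin = new URL(url).origin;
    const ok = this.label === null || this.label.has(origin);
    return ok ? { ok, origin, payload } : { ok, origin, payload: null };
  }
  // Boundary check: messages carry the sender's label, so the restriction
  // follows the data into whichever context opens the message.
  post(other, data) {
    other.inbox.push(new LabeledBlock(data, this.label));
  }
}

// Constructed scenario: a page hands a password to a third-party library.
function demo() {
  const secret = new LabeledBlock("hunter2", ["https://bank.example"]);
  const lib = new Context("third-party-lib");
  const helper = new Context("helper-frame");
  const before = lib.send("https://cdn.example/ping", "hello").ok;
  const pw = lib.read(secret);
  const toBank = lib.send("https://bank.example/login", pw).ok;
  const toOther = lib.send("https://other.example/collect", pw).ok;
  lib.post(helper, pw);
  const relayed = helper.read(helper.inbox[0]);
  const viaHelper = helper.send("https://other.example/collect", relayed).ok;
  return { before, toBank, toOther, viaHelper };
}
```

In this model the library runs unmodified; only the two boundary operations, network sends and cross-context messages, consult the label.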

The research team says that its API is easy to use, and claims it doesn't reduce the browser's processing speed in a significant manner.

To test that assessment, the group built 4 web apps using the COWL API: an encrypted document editor, a third-party mashup application, a password manager and a website that includes jQuery code.

Using COWL didn't slow the browser down beyond 16 milliseconds, we're told. "We don’t change the JIT compiler or the JavaScript runtime at all," said Brad Karp, a professor of computer systems and networks at University College in London (UCL).

"Our system does check while the system is executing, but more at the boundaries between browsing contexts. COWL's checks only happen when there is communication between these contexts," he added.

COWL was developed by Karp and a PhD student at UCL who is now working at Google, along with Professor David Mazieres from Stanford University's computer science department and two of his PhD students working in collaboration with Mozilla Research.

Karp said that Mozilla and Chromium were targeted by COWL because they are both open source. Safari, which uses WebKit in the same manner as Chrome, should also be usable with COWL, but he couldn't speculate on Internet Explorer's internals for COWL.

"What we've achieved in COWL is a simple system that lets web developers build feature-rich applications that combine data from different web sites without requiring that users share their login details directly with third-party web apps, all while ensuring that the user's sensitive data seen by such an application doesn't leave the browser," said Deian Stefan, lead PhD student on the project at Stanford University.

"Both web developers and users win," he added. Only once the code is released, scrutinized, and others cannot find ways of leaking data from COWL's contexts, can we be certain that all is well.

Source: University College in London (UCL).
