°ÂÁ´

Here are my papers and ideas on web °ÂÁ´, with a particular ¶¯Ä´ on web browsers. However, most of them are now rather old. I work on CA stuff for Mozilla, and most of the thinking and Îá¾õing I do in this area is now in that ¾õ¶·.

¾ÚÌÀ½ñs

• Firefox and Self-Ä´°õ¤¹¤ëd Certs - a defence of the Firefox ¾ÚÌÀ½ñ UI.

Phishing

• A ·×²è¡Ê¤¹¤ë¡Ë For Scams - a Í×Ìó of the work that needs doing to Êݸ¤ë Internet »ÈÍѼÔs from phishing.
• ²þÁ±¤¹¤ëing Authentication On The Internet - another paper analysing the phishing ¶¼¤·, and looking at ¸½ºß¤Î ²Ê³Ø¡Ê¹©³Ø¡Ëµ»½Ñs ¡¼¤Ë´Ø¤·¤Æ¡¿¡¼¤ÎÅÀ¤Çs of privacy, validation and authentication.
• Staying °ÂÁ´¤Ê From Phishing With Firefox - my "spec" for Firefox's anti-phishing À®²Ì¡¿ÅØÎÏs.
• Phishing - Browser-based Defences - a Ä´ºº¤¹¤ë of possible changes to browsers to better Êݸ¤ë against phishing. It ´Þ¤à¡¿Éõ¤¸¹þ¤á¤ës two ½ÅÍ×¤Ê ideas:
  • New ¾ì½ê¡¿°ÌÃÖ - show »ÈÍѼÔs if they've visited a particular SSL ¾ì½ê¡¿°ÌÃÖ before.
  • Phish Finder - discussion of the µ¡³£ÁõÃÖs and heuristics for an in-browser phishing ¾ì½ê¡¿°ÌÃÖ detector.

Cross-¾ì½ê¡¿°ÌÃÖ Scripting

• Content À©¸Âs - mitigate XSS attacks by µö¤¹ing ¾ì½ê¡¿°ÌÃÖs to ÌÀ¼¨¤¹¤ë the ǽÎÏs script on their pages should have. Many of the ideas from this have ÀßΩ¤¹¤ë their way into CSP.
• Script ½ÅÍפÊs - mitigate XSS attacks by µö¤¹ing ¾ì½ê¡¿°ÌÃÖs to ÌÀ¼¨¤¹¤ë which scripts on their pages should run. This idea also ·ë¶É made its way into CSP.

Other

• Link »ØÌæs - ³Î¼Â¤Ë¤¹¤ë a downloaded ¤È¤¸¹þ¤ß¡¿Äó½Ð¤¹¤ë is the exact Í׵᤹¤ëd ¸«²ò¡¿ËÝÌõ¡¿ÈÇ by embedding a checksum in the link to it.