Biblio
Web browsers are among the most important but also complex software solutions to access the web. It is therefore not surprising that web browsers are an attractive target for attackers. Especially in the last decade, security researchers and browser vendors have developed sandboxing mechanisms like security-relevant HTTP headers to tackle the problem of getting a more secure browser. Although the security community is aware of the importance of security-relevant HTTP headers, legacy applications and individual requests from different parties have led to possible insecure configurations of these headers. Even if specific security headers are configured correctly, conflicts in their functionalities may lead to unforeseen browser behaviors and vulnerabilities. Recently, the first work which analyzed duplicated headers and conflicts in headers was published by Calzavara et al. at USENIX Security [1]. The authors focused on inconsistent protections by using both, the HTTP header X-Frame-Options and the framing protection of the Content-Security-Policy.We extend their work by analyzing browser behaviors when parsing duplicated headers, conflicting directives, and values that do not conform to the defined ABNF metalanguage specification. We created an open-source testbed running over 19,800 test cases, at which nearly 300 test cases are executed in the set of 66 different browsers. Our work shows that browsers conform to the specification and behave securely. However, all tested browsers behave differently when it comes, for example, to parsing the Strict-Transport-Security header. Moreover, Chrome, Safari, and Firefox behave differently if the header contains a character, which is not allowed by the defined ABNF. This results in the protection mechanism being fully enforced, partially enforced, or not enforced and thus completely bypassable.
ISSN: 2770-8411
Information visualization applications have become ubiquitous, in no small part thanks to the ease of wide distribution and deployment to users enabled by the web browser. Scientific visualization applications, relying on native code libraries and parallel processing, have been less suited to such widespread distribution, as browsers do not provide the required libraries or compute capabilities. In this paper, we revisit this gap in visualization technologies and explore how new web technologies, WebAssembly and WebGPU, can be used to deploy powerful visualization solutions for large-scale scientific data in the browser. In particular, we evaluate the programming effort required to bring scientific visualization applications to the browser through these technologies and assess their competitiveness against classic native solutions. As a main example, we present a new GPU-driven isosurface extraction method for block-compressed data sets, that is suitable for interactive isosurface computation on large volumes in resource-constrained environments, such as the browser. We conclude that web browsers are on the verge of becoming a competitive platform for even the most demanding scientific visualization tasks, such as interactive visualization of isosurfaces from a 1TB DNS simulation. We call on researchers and developers to consider investing in a community software stack to ease use of these upcoming browser features to bring accessible scientific visualization to the browser.
Browsers collects information for better user experience by allowing JavaScript's and other extensions. Advertiser and other trackers take advantage on this useful information to tracked users across the web from remote devices on the purpose of individual unique identifications the so-called browser fingerprinting. Our work explores the diversity and stability of browser fingerprint by modifying the rule-based algorithm. Browser fingerprint rely only from the gathered data through browser, it is hard to tell that this piece of information still the same when upgrades and or downgrades are happening to any browsers and software's without user consent, which is stability and diversity are the most important usage of generating browser fingerprint. We implemented device fingerprint to identify consenting visitors in our website and evaluate individual devices attributes by calculating entropy of each selected attributes. In this research, it is noted that we emphasize only on data collected through a web browser by employing twenty (20) attributes to identify promising high value information to track how device information evolve and consistent in a period of time, likewise, we manually selected device information for evaluation where we apply the modified rules. Finally, this research is conducted and focused on the devices having the closest configuration and device information to test how devices differ from each other after several days of using on the basis of individual user configurations, this will prove in our study that every device is unique.
Nowadays the use of the Internet is growing; E-voting system has been used by different countries because it reduces the cost and the time which used to consumed by using traditional voting. When the voter wants to access the E-voting system through the web application, there are requirements such as a web browser and a server. The voter uses the web browser to reach to a centralized database. The use of a centralized database for the voting system has some security issues such as Data modification through the third party in the network due to the use of the central database system as well as the result of the voting is not shown in real-time. However, this paper aims to provide an E-voting system with high security by using blockchain. Blockchain provides a decentralized model that makes the network Reliable, safe, flexible, and able to support real-time services.
Transactive Energy (TE) is an emerging discipline that utilizes economic and control techniques for operating and managing the power grid effectively. Distributed Energy Resources (DERs) represent a fundamental shift away from traditionally centrally managed energy generation and storage to one that is rather distributed. However, integrating and managing DERs into the power grid is highly challenging owing to the TE implementation issues such as privacy, equity, efficiency, reliability, and security. The TE market structures allow utilities to transact (i.e., buy and sell) power services (production, distribution, and storage) from/to DER providers integrated as part of the grid. Flexible power pricing in TE enables power services transactions to dynamically adjust power generation and storage in a way that continuously balances power supply and demand as well as minimize cost of grid operations. Therefore, it has become important to analyze various market models utilized in different TE applications for their impact on above implementation issues.In this demo, we show-case the Transactive Energy Simulation and Analysis Toolsuite (TE-SAT) with its three publicly available design studios for experimenting with TE markets. All three design studios are built using metamodeling tool called the Web-based Graphical Modeling Environment (WebGME). Using a Git-like storage and tracking backend server, WebGME enables multi-user editing on models and experiments using simply a web-browser. This directly facilitates collaboration among different TE stakeholders for developing and analyzing grid operations and market models. Additionally, these design studios provide an integrated and scalable cloud backend for running corresponding simulation experiments.
Phishing sends malicious links or attachments through emails that can perform various functions, including capturing the victim's login credentials or account information. These emails harm the victims, cause money loss, and identity theft. In this paper, we contribute to solving the phishing problem by developing an extension for the Google Chrome web browser. In the development of this feature, we used JavaScript PL. To be able to identify and prevent the fishing attack, a combination of Blacklisting and semantic analysis methods was used. Furthermore, a database for phishing sites is generated, and the text, links, images, and other data on-site are analyzed for pattern recognition. Finally, our proposed solution was tested and compared to existing approaches. The results validate that our proposed method is capable of handling the phishing issue substantially.
As modern web browsers gain new and increasingly powerful features the importance of impact assessments of the new functionality becomes crucial. A web privacy impact assessment of a planned web browser feature, the Ambient Light Sensor API, indicated risks arising from the exposure of overly precise information about the lighting conditions in the user environment. The analysis led to the demonstration of direct risks of leaks of user data, such as the list of visited websites or exfiltration of sensitive content across distinct browser contexts. Our work contributed to the creation of web standards leading to decisions by browser vendors (i.e. obsolescence, non-implementation or modification to the operation of browser features). We highlight the need to consider broad risks when making reviews of new features. We offer practically-driven high-level observations lying on the intersection of web security and privacy risk engineering and modeling, and standardization. We structure our work as a case study from activities spanning over three years.