A Supervised Learning Approach to Protect Client Authentication on the Web

Calzavara, Stefano; Tolomei, Gabriele; Casini, Andrea; Bugliesi, Michele; Orlando, Salvatore

doi:10.1145/2754933

Cited by 22 publications

(25 citation statements)

References 27 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…However, being more comprehensive would require a significant engineering effort and the creation of personal accounts at the crawled websites, a process which is notoriously hard to automate [6].…”

Section: Methodsmentioning

confidence: 99%

See 1 more Smart Citation

Semantics-Based Analysis of Content Security Policy Deployment

2018

Self Cite

View full text Add to dashboard Cite

Content Security Policy (CSP) is a recent W3C standard introduced to prevent and mitigate the impact of content injection vulnerabilities on websites. In this paper we introduce a formal semantics for the latest stable version of the standard, CSP Level 2. We then perform a systematic, large-scale analysis of the effectiveness of the current CSP deployment, using the formal semantics to substantiate our methodology and to assess the impact of the detected issues. We focus on four key aspects that affect the effectiveness of CSP: browser support, website adoption, correct configuration and constant maintenance. Our analysis shows that browser support for CSP is largely satisfactory, with the exception of few notable issues, but unfortunately there are several shortcomings relative to the other three aspects. CSP appears to have a rather limited deployment as yet and, more crucially, existing policies exhibit a number of weaknesses and misconfiguration errors. Moreover, content security policies are not regularly updated to ban insecure practices and remove unintended security violations. We argue that many of these problems can be fixed by better exploiting the monitoring facilities of CSP, while other issues deserve additional research, being more rooted into the CSP design.

show abstract

Section: Methodsmentioning

confidence: 99%

“…Just to mention a few relevant works, previous evaluations focused on other aspects of web security, like remote JavaScript inclusion [19], DOM-based XSS [15], mixed content websites [7], authentication cookies [6] and HSTS [14].…”

Section: Large-scale Analysis Of the Webmentioning

confidence: 99%

Semantics-Based Analysis of Content Security Policy Deployment

2018

Self Cite

View full text Add to dashboard Cite

show abstract

“…As for credentials, their disclosure would allow attackers to fully impersonate the user on the Web, exploiting the victim's privileges in the authenticated sessions. In [7], authors built a dataset gathering 2,464 authentication cookies from a sample of 215 most popular Web-sites of Alexa's ranking. As a result, they proposed the development of a set of binary classifiers, aimed at identifying these authentication cookies exploiting (supervised) machine learning techniques.…”

Section: Related Workmentioning

confidence: 99%

A Longitudinal Study on Web-Sites Password Management (in)Security: Evidence and Remedies

Raponi¹,

Pietro²

2020

IEEE Access

View full text Add to dashboard Cite

Single-factor password-based authentication is generally the norm to access online Web-sites. While single-factor authentication is well known to be a weak form of authentication, a further concern arises when considering the possibility for an attacker to recover the user passwords by leveraging the loopholes in the password recovery mechanisms. Indeed, the adoption by a Web-site of a poor password management system makes useless even the most robust password chosen by the registered users. In this paper, building on the results of our previous work, we study the possible attacks to on-line password recovery systems analyzing the mechanisms implemented by some of the most popular Web-sites. In detail, we provide several contributions: (i) we revise and detail the attacker model; (ii) we provide an updated analysis with respect to a preliminary study we carried out in December 2017; (iii) we perform a brand new analysis of the current top 200 Alexa's Web-sites of five major EU countries; and, (iv) we propose Maildust, a working open-source module that could be adopted by any Web-site to provide registered users with a password recovery mechanism to prevent mail service provider-level attacks. Overall, it is striking to notice how the analyzed Web-sites have made little (if any) effort to become compliant with the GDPR regulation, showing that the objective to have basic user protection mechanisms in place-despite the fines threatened by GDPR-is still far, mainly because of sub-standard security management prac-

show abstract

“…These days, there are several authentication technology studies [15,16], such as the two major ones being certificate and SMS authentication. But to provide new services, it is essential to improve alternate authentication technologies.…”

Section: Security Authentications For Fintechmentioning

confidence: 99%

The Data Processing Approach for Preserving Personal Data in FinTech-Driven Paradigm

Kim¹,

Hong²

2016

IJSIA

View full text Add to dashboard Cite

FinTech-driven paradigm shift in financial service poses challenges for financial sector in balancing the potential benefits of development with the potential risks. It is difficult to detect as advanced threats, so the extent of the damage cannot be foreseen in the financial sector. In this paper, we suggest the approach based on trust about processing data including personally identifiable information for preserving and protecting in the environment using FinTech.

show abstract

A Supervised Learning Approach to Protect Client Authentication on the Web

Cited by 22 publications

References 27 publications

Semantics-Based Analysis of Content Security Policy Deployment

Semantics-Based Analysis of Content Security Policy Deployment

A Longitudinal Study on Web-Sites Password Management (in)Security: Evidence and Remedies

The Data Processing Approach for Preserving Personal Data in FinTech-Driven Paradigm

Contact Info

Product

Resources

About