Open Problems in Web 2.0 User Content Sharing

  • San-Tsai Sun
  • Konstantin Beznosov
Conference paper
Part of the IFIP Advances in Information and Communication Technology book series (IFIPAICT, volume 309)


Users need useful mechanisms for sharing their Web 2.0 content with each other in a controlled manner across the boundaries of content-hosting and service providers (CSPs). In this paper, we discuss open problems and research opportunities in the domain of Web 2.0 content sharing among users. We explore issues in three categories: user needs, the sharing solutions currently provided by CSPs, and technologies related to distributed access control. For each open problem, we discuss existing and potential solutions and point out areas for future work.





Copyright information

© IFIP International Federation for Information Processing 2009

Authors and Affiliations

  • San-Tsai Sun, University of British Columbia, Vancouver, Canada
  • Konstantin Beznosov, University of British Columbia, Vancouver, Canada
