Abstract
Today the World Wide Web is considered to be a platform for building distributed applications. This evolution is made possible by browsers with processing capabilities and by programming languages that allow web designers to embed real programs into HTML documents. Downloading and executing code from anywhere on the Internet brings security problems along with it. A systematic and thorough analysis of security flaws in the browsers and related technology is necessary to reach a sufficient level of confidence. This paper presents some preliminary results of ongoing research that has the final goal of developing properties for secure browsers and procedures for secure browsing. The research started by investigating features provided by the standard environment. The paper describes some experimental attacks that have been carried out by exploiting features of Java and JavaScript executed by Netscape Navigator and Microsoft Explorer browsers.
This is a revised and extended version of [2].
This research was partially supported by PulsePoint Communications and the University of California through a Micro Grant.
This is a preview of subscription content, log in via an institution.
Buying options
Tax calculation will be finalised at checkout
Purchases are for personal use only
Learn about institutional subscriptionsPreview
Unable to display preview. Download preview PDF.
References
Drew Dean, Edward W. Felten, and Dan S. Wallach, Java Security: From HotJava to Netscape and Beyond, Proc. of 1996 IEEE Symposium on Security and Privacy, (http://www.cs.princeton.edu/sip/pub/secure96.html).
Flavio De Paoli, Andre L. Dos Santos, and Richard A. Kemmerer, Vulnerability of “Secure” Web Browsers, Proceedings of the 20th National Information Systems Security Conference, Baltimore, MD, USA, October 6–10, 1997.
Digicrime, Online Security Experiments, Digicrime, Inc., (http://www.digicrime.com).
Edward W. Felten, Dirk Balfanz, Drew Dean, and Dan S. Wallach, Web Spoofing: An Internet Con Game, Proceedings of the 20th National Information Systems Security Conference, Baltimore, MD, USA, October 6–10, 1997, (http://www.cs.princeton.edu/sip/pub/spoofing.html).
James Gosling, Bill Joy, and Guy Steele, The Java Language Specification, ISBN 0-201-63451-1, The Java Series, Addison Wesley, 1996, (http://www.nge.com/home/java/spec10/index.html).
Jason Levitt, Internetview: An Application Infrastructure, Information Week, June 1996, (http://www.techweb.cmp.com/iw/582/82iojl.html).
Tim Lindholm and Frank Yellin, The Java Virtual Machine Specification, ISBN 0-201-63452-X, The Java Series, Addison Wesley, 1996.
Netscape, “ldLiveConnect,” Netscape web site, 1997, http://www.home.netscape.com/comprod/products/navigator/version_3.0/building_blocks/liveconnect/index.html.
D. Martin, S. Rajagopalan and A. Rubin, “Blocking Java Applets at the Firewall,” in Proceedings of the InternetSociety Symposium on Network and Distributed System Security, February 10–11, 1997.
Jim Roskind, Navigator 2.02 Security-Related FAQ, May 1996, (http://www.home.netscape.com/newsref/std/java_security_faq.html).
Siemens, “Embedding Java into smart card ICs”, SPECTRUM, Siemens Components Magazine, April 1997, (http://www.w2.siemens.de/components/com9704/04spect.htm#VIER).
Lincoln D. Stein, WWW Security Faq, version 1.3.7, March 30, 1997, (http://www.genome.wi.mit.edu/WWW/faqs/www-security-faq.html).
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 1998 Springer-Verlag Berlin Heidelberg
About this chapter
Cite this chapter
De Paoli, F., Dos Santos, A.L., Kemmerer, R.A. (1998). Web Browsers and Security. In: Vigna, G. (eds) Mobile Agents and Security. Lecture Notes in Computer Science, vol 1419. Springer, Berlin, Heidelberg. https://doi.org/10.1007/3-540-68671-1_13
Download citation
DOI: https://doi.org/10.1007/3-540-68671-1_13
Published:
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-64792-8
Online ISBN: 978-3-540-68671-2
eBook Packages: Springer Book Archive