Security

Here are my papers and ideas on web security, with a particular emphasis on web browsers. However, most of them are now rather old. I work on CA stuff for Mozilla, and most of the thinking and writing I do in this area is now in that context.

Certificates

• Firefox and Self-Signed Certs - a defence of the Firefox certificate UI.

Phishing

• A Plan For Scams - a summary of the work that needs doing to protect Internet users from phishing.
• Improving Authentication On The Internet - another paper analysing the phishing threat, and looking at current technologies in terms of privacy, validation and authentication.
• Staying Safe From Phishing With Firefox - my "spec" for Firefox's anti-phishing efforts.
• Phishing - Browser-based Defences - a survey of possible changes to browsers to better protect against phishing. It contains two key ideas:
  • New Site - show users if they've visited a particular SSL site before.
  • Phish Finder - discussion of the mechanisms and heuristics for an in-browser phishing site detector.

Cross-Site Scripting

• Content Restrictions - mitigate XSS attacks by allowing sites to specify the capabilities script on their pages should have. Many of the ideas from this have found their way into CSP.
• Script Keys - mitigate XSS attacks by allowing sites to specify which scripts on their pages should run. This idea also eventually made its way into CSP.

Other

• Link Fingerprints - ensure a downloaded file is the exact required version by embedding a checksum in the link to it.