Conference topic

SessionLock: Securing Web Sessions against Eavesdropping

Typical web sessions can be hijacked easily by a network eavesdropper in attacks that have come to be designated sidejacking. The rise of ubiquitous wireless networks, often unprotected at the transport layer, has significantly aggravated this problem. While SSL can protect against eavesdropping, its usability disadvantages often make it unsuitable when the data is not considered highly confidential. Most web-based email services, for example, use SSL only on their login page and are thus vulnerable to sidejacking. We propose SessionLock, a simple approach to securing web sessions against eavesdropping without extending the use of SSL. SessionLock is easily implemented by web developers using only JavaScript and simple server-side logic. Its performance impact is negligible, and all major web browsers are supported. Interestingly, it is particularly easy to implement on single-page AJAX web applications, e.g. Gmail or Yahoo mail, with approximately 200 lines of JavaScript and 60 lines of server-side verification code.

Ben Adida

Center for Research on Computation and Society (CRCS), Harvard University; Children's Hospital Informatics Program (CHIP), Harvard Medical School; Cambridge, MA, USA

International conference

The 17th International World Wide Web Conference (WWW 2008)

Beijing

English

2008-04-21 (date the record first went online on the Wanfang platform, not the paper's publication date)