[IWAR] INTERNET Bell Labs works to secure browsers

From: 7Pillars Partners (partnersat_private)
Date: Thu Jan 29 1998 - 12:27:55 PST


    Bell Labs to secure browsers
       By Jeff Pelline and Paul Festa
       January 28, 1998, 12:40 p.m. PT
       
       update Bell Labs said today that its scientists have developed a method
       of preventing security attacks perpetrated through Web browsers that use
       JavaScript and VBScript languages, such as Microsoft's Internet Explorer
       and Netscape Communications' Navigator.
       
       The findings by Bell Labs computer scientists Vinod Anupam and Alain
       Mayer will be presented tomorrow at a security symposium in San Antonio,
       Texas.
       
       "Through a JavaScript 'safe interpreter,' the security method can be
       easily implemented in Netscape Navigator and Internet Explorer,"
       according to a statement from Bell Labs. "The 'safe interpreter' assures
       that scripts have access only to the parts of the browser and
       window-related data that do not compromise a user's security."
       
       Anupam and Mayer already have studied flaws in scripting languages that
       are found in browsers such as IE and Navigator. Last summer, they
       discovered what became known as the "Bell Labs privacy bug," which let
       hackers monitor Netizens' activity on the Web.
       
       Both Netscape and Microsoft have long since posted fixes to the privacy
       bug. But Anupam says that the specification that he and his colleague
       will propose provides greater security and flexibility than the current
       patched model.
       
       "To some extent, the problem has been fixed by Microsoft and Netscape.
       But we are going beyond what is possible today," Anupam said.
       
       Bell Labs' model for a safe interpreter for scripting languages protects
       against attacks based on three components: access control, which
       specifies to what kind of information a script is allowed access;
       independence of context, which prevents two scripts from accidentally
       interacting with one another; and trust management, which specifies
       which scripts are allowed to interact and how.
       
       The current model bases its trust management model on domain, according
       to Anupam, which means that all scripts from "cnet.com," for example,
       "trust" each other. But the Bell Labs model allows for the specification
       of different domains as well as subparts of the same domain.
       
       Anupam said the proposed model is more secure because currently, scripts
       do not clean out properties as surfers travel from one Web site to
       another. As a result, information can circulate inappropriately.
       "Independence of context" means that those script properties are cleaned
       out before the user moves to the next page.
       
       Bell Labs is the research and development arm of Lucent Technologies.
       Like other companies, it conducts research in search of ways to tighten
       Web security at the browser level so e-commerce and Net-related
       activities can continue to expand.
       
       As Anupam put it: "There are serious implications for Web users who are
       attacked through their browsers; every piece of information entered,
       such as a password or credit card number or Web site being visited, is
       exposed."
       
       A spokesman for Netscape was unable to comment on the specifics of Bell
       Labs' proposal, but he lauded the laboratory's efforts. "We support any
       enhancement in security to Internet technologies," he said.
       
       Microsoft was not immediately available for comment.
       
       In October, Bell Labs announced a utility to help users filter spam. It
       lets people using Lucent's proxy server give a site user an alias,
       password, and email address, a combination that can combat spam.
    


