Sessionlock

Author: Ben Adida

DOI: 10.1145/1367497.1367568

Keywords:

Abstract: Typical web sessions can be hijacked easily by a network eavesdropper in attacks that have come to be designated "sidejacking." The rise of ubiquitous wireless networks, often unprotected at the transport layer, has significantly aggravated this problem. While SSL protects against eavesdropping, its usability disadvantages make it unsuitable when the data is not considered highly confidential. Most web-based email services, for example, use SSL only on their login page and are thus vulnerable to sidejacking. We propose SessionLock, a simple approach to securing web sessions against eavesdropping without extending the use of SSL. SessionLock is easily implemented by web developers using JavaScript and server-side logic. Its performance impact is negligible, and all major browsers are supported. Interestingly, it is particularly easy to implement in single-page AJAX applications, e.g. Gmail or Yahoo mail, with approximately 200 lines of JavaScript and 60 lines of server-side verification code.
