Cloud-based storage services, such as Wuala, and password managers, such as LastPass, are examples of so-called host-proof web applications that aim to protect users from attacks on the servers that host their data. To this end, user data is encrypted on the client and the server is used only as a backup data store. Authorized users may access their data through client-side software, but for ease of use, many commercial applications also offer browser-based interfaces that enable features such as remote access, form-filling, and secure sharing. We describe a series of web-based attacks on popular host-proof applications that completely circumvent their cryptographic protections. Our attacks exploit standard web application vulnerabilities to expose flaws in the encryption mechanisms, authorization policies, and key management implemented by these applications. Our analysis suggests that host-proofing by itself is not enough to protect users from web attackers, who will simply shift their focus to flaws in client-side interfaces.