Mobile values, new names, and secure communication
POPL '01 Proceedings of the 28th ACM SIGPLAN-SIGACT symposium on Principles of programming languages
Secure Applications of Low-Entropy Keys
ISW '97 Proceedings of the First International Workshop on Information Security
Automated Formal Analysis of a Protocol for Secure File Sharing on Untrusted Storage
SP '08 Proceedings of the 2008 IEEE Symposium on Security and Privacy
Robust defenses for cross-site request forgery
Proceedings of the 15th ACM conference on Computer and communications security
Helios: web-based open-audit voting
SS'08 Proceedings of the 17th conference on Security symposium
Automatic verification of correspondences for security protocols
Journal of Computer Security
Alloy: a logical modelling language
ZB'03 Proceedings of the 3rd international conference on Formal specification and development in Z and B
Towards a Formal Foundation of Web Security
CSF '10 Proceedings of the 2010 23rd IEEE Computer Security Foundations Symposium
Rootkits for JavaScript environments
WOOT'09 Proceedings of the 3rd USENIX conference on Offensive technologies
Featherweight Firefox: formalizing the core of a web browser
WebApps'10 Proceedings of the 2010 USENIX conference on Web application development
FC'10 Proceedings of the 14th international conference on Financial cryptograpy and data security
Browser model for security analysis of browser-based protocols
ESORICS'05 Proceedings of the 10th European conference on Research in Computer Security
Privacy supporting cloud computing: confichair, a case study
POST'12 Proceedings of the First international conference on Principles of Security and Trust
Discovering Concrete Attacks on Website Authorization by Formal Analysis
CSF '12 Proceedings of the 2012 IEEE 25th Computer Security Foundations Symposium
Web-based attacks on host-proof encrypted storage
WOOT'12 Proceedings of the 6th USENIX conference on Offensive Technologies
Language-based defenses against untrusted browser origins
SEC'13 Proceedings of the 22nd USENIX conference on Security
Hi-index | 0.00 |
To protect sensitive user data against server-side attacks, a number of security-conscious web applications have turned to client-side encryption, where only encrypted user data is ever stored in the cloud. We formally investigate the security of a number of such applications, including password managers, cloud storage providers, an e-voting website and a conference management system. We find that their security relies on both their use of cryptography and the way it combines with common web security mechanisms as implemented in the browser. We model these applications using the WebSpi web security library for ProVerif, we discuss novel attacks found by automated formal analysis, and we propose robust countermeasures.