2010 IEEE Symposium on Security and Privacy
Side-Channel Leaks in Web Applications: A Reality Today, a Challenge Tomorrow
Berkeley, California, USA
May 16-May 19
ISBN: 978-0-7695-4035-1
DOI Bookmark: http://doi.ieeecomputersociety.org/10.1109/SP.2010.20
With software-as-a-service becoming mainstream, more and more applications are delivered to the client through the Web. Unlike a desktop application, a web application is split into browser-side and server-side components. A subset of the application’s internal information flows are inevitably exposed on the network. We show that despite encryption, such a side-channel information leak is a realistic and serious threat to user privacy. Specifically, we found that surprisingly detailed sensitive information is being leaked out from a number of high-profile, top-of-the-line web applications in healthcare, taxation, investment and web search: an eavesdropper can infer the illnesses/medications/surgeries of the user, her family income and investment secrets, despite HTTPS protection; a stranger on the street can glean enterprise employees' web search queries, despite WPA/WPA2 Wi-Fi encryption. More importantly, the root causes of the problem are some fundamental characteristics of web applications: stateful communication, low entropy input for better interaction, and significant traffic distinctions. As a result, the scope of the problem seems industry-wide. We further present a concrete analysis to demonstrate the challenges of mitigating such a threat, which points to the necessity of a disciplined engineering practice for side-channel mitigations in future web application developments.
Index Terms:
side-channel-leak, Software-as-a-Service (SaaS), web application, encrypted traffic, ambiguity set, padding
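As an added illustration of the "ambiguity set" and "padding" terms listed above (example code, not from the paper): a constructed set of autosuggest response sizes is grouped by the length an eavesdropper observes on the wire, then padded to fixed size buckets so that inputs which previously had distinct lengths fall into the same ambiguity set. The sample sizes, the round-up-to-bucket padding scheme and all function names are assumptions made for this example.

```python
from collections import defaultdict
from typing import Dict, Set

# Constructed sample (not from the paper): plaintext size in bytes of the
# autosuggest response a server returns for each single-letter keystroke.
# Encryption hides the content of each response but not its length.
SAMPLE_RESPONSE_SIZES: Dict[str, int] = {
    "a": 412, "b": 397, "c": 433, "d": 388,
    "e": 451, "f": 402, "g": 419, "h": 440,
}


def ambiguity_sets(sizes: Dict[str, int]) -> Dict[int, Set[str]]:
    """Group inputs by the size an eavesdropper observes.

    Each group is an ambiguity set: the inputs that cannot be told apart
    from the observed size alone. A set of size 1 identifies the input.
    """
    groups: Dict[int, Set[str]] = defaultdict(set)
    for user_input, size in sizes.items():
        groups[size].add(user_input)
    return dict(groups)


def min_ambiguity(sizes: Dict[str, int]) -> int:
    """Worst case: the smallest ambiguity set any input falls into."""
    return min(len(group) for group in ambiguity_sets(sizes).values())


def pad_to_bucket(size: int, bucket: int) -> int:
    """Round a response length up to the next multiple of `bucket` bytes."""
    return -(-size // bucket) * bucket


def padded_sizes(sizes: Dict[str, int], bucket: int) -> Dict[str, int]:
    """Apply bucket padding to every response in the sample."""
    return {k: pad_to_bucket(v, bucket) for k, v in sizes.items()}


def smallest_safe_bucket(sizes: Dict[str, int], target: int,
                         candidates=(16, 32, 64, 128, 256, 512)) -> int:
    """Smallest candidate bucket that gives every input an ambiguity set
    of at least `target` members; 0 if no candidate achieves it."""
    for bucket in candidates:
        if min_ambiguity(padded_sizes(sizes, bucket)) >= target:
            return bucket
    return 0


def padding_overhead(sizes: Dict[str, int], bucket: int) -> float:
    """Fraction of extra bytes sent: the bandwidth cost of the padding."""
    raw = sum(sizes.values())
    return sum(padded_sizes(sizes, bucket).values()) / raw - 1.0
```

Small buckets (16, 32 or 64 bytes) still leave at least one keystroke with a unique size here, which is why a mitigation has to be checked against the actual size distribution rather than chosen by convention.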
Citation:
Shuo Chen, Rui Wang, XiaoFeng Wang, Kehuan Zhang, "Side-Channel Leaks in Web Applications: A Reality Today, a Challenge Tomorrow," Security and Privacy, IEEE Symposium on, pp. 191-206, 2010 IEEE Symposium on Security and Privacy, 2010.