Securing user inputs for the web

Subscribe (Full Service)


	Search: The ACM Digital Library The Guide

	Feedback

Securing user inputs for the web

Full text

Pdf (655 KB)

Source

Conference on Computer and Communications Security archive
Proceedings of the second ACM workshop on Digital identity management table of contents

Alexandria, Virginia, USA

SESSION: Applications and system issues table of contents

Pages: 33 - 44

Year of Publication: 2006

ISBN:1-59593-547-9

Authors

Jan Camenisch	IBM Research, Zurich Laboratory, Rüschlikon, Switzerland
abhi shelat	IBM Research, Zurich Laboratory, Rüschlikon, Switzerland
Dieter Sommer	IBM Research, Zurich Laboratory, Rüschlikon, Switzerland
Roger Zimmermann	IBM Research, Zurich Laboratory, Rüschlikon, Switzerland

Sponsors

ACM: Association for Computing Machinery
SIGSAC: ACM Special Interest Group on Security, Audit, and Control

Publisher

ACM New York, NY, USA

Bibliometrics

Downloads (6 Weeks): 22, Downloads (12 Months): 196, Citation Count: 0

Additional Information:

abstract references index terms collaborative colleagues

Tools and Actions:	Request Permissions Review this Article Save this Article to a Binder Display Formats: BibTeX EndNote ACM Ref

DOI Bookmark:	Use this link to bookmark this Article: http://doi.acm.org/10.1145/1179529.1179536 What is a DOI?

ABSTRACT

The goal of this paper is to study secure and usable methods for providing user input to a website. Three principles define security for us: certification, awareness, and privacy. Four principles define usability: contextual awareness, semantic awareness, prodigious use of screen space, and the availability of recommended choices.We first describe how current approaches to the solicitation of user input on the web fail on both fronts: they either can not handle certified data, do not respect user privacy, or have various usability problems which frustrate and perhaps even mislead the user.To address security, we suggest the use of more sophisticated private certificate systems. To address usability, we propose a new contextual, browser-integrated interface for using private certificate systems. Our system incorporates many recent design principles discussed in the security and usability space. It works in the main content area of a webpage; it focuses on making the user aware of the who, what, where, when and why of a data request, and it does not use valuable screen space when it is not relevant.

REFERENCES

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

	1	Apache project. http://www.securiteam.com/securityreviews/5OP0B2KGAC.html.
	2	S. Brands. Rethinking Public Key Infrastructure and Digital Certificates--- Building in Privacy. PhD thesis, Eindhoven Institute of Technology, 1999.
	3	Ernie Brickell , Jan Camenisch , Liqun Chen, Direct anonymous attestation, Proceedings of the 11th ACM conference on Computer and communications security, October 25-29, 2004, Washington DC, USA [doi>10.1145/1030083.1030103]
	4	Jan Camenisch , Anna Lysyanskaya, An Efficient System for Non-transferable Anonymous Credentials with Optional Anonymity Revocation, Proceedings of the International Conference on the Theory and Application of Cryptographic Techniques: Advances in Cryptology, p.93-118, May 06-10, 2001
	5	J. Camenisch, D. Sommer, and R. Zimmermann. A general certification framework with applications to privacy-enhancing certificate infrastructures. In IFIP SEC 2006, to appear, 2006.
	6	David Chaum, Security without identification: transaction systems to make big brother obsolete, Communications of the ACM, v.28 n.10, p.1030-1044, Oct. 1985 [doi>10.1145/4372.4373]
	7	L. Cranor, M. Langheinrich, M. Marchiori, M. Presler-Marshall, and J. Reagle. The Platform for Privacy Preferences 1.0 (P3P1.0) specification. Recommendation, World Wide Web Consortium, April 2002. http://www.w3.org/TR/2002/REC-P3P-20020416.
	8	L. F. Cranor. Privacy policies and privacy preferences. In S. Garfinkel and L. Cranor, editors, Security and Usability: Designing Secure Systems That People Can Use, chapter 14. O'Reilly, 2005.
	9	Lorrie Cranor , Simson Garfinkel, Security and Usability, O'Reilly Media, Inc., 2005
	10	Rachna Dhamija , J. D. Tygar, The battle against phishing: Dynamic Security Skins, Proceedings of the 2005 symposium on Usable privacy and security, p.77-88, July 06-08, 2005, Pittsburgh, Pennsylvania [doi>10.1145/1073001.1073009]
	11	Direct Anonymous Attestation - Project website of IBM Research. http://www.zurich.ibm.com/security/daa/.
	12	Directive 2002/58/EC of the European Parliament and of the council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector, Official Journal of the European Communities, L 201, Juli 31rd, 2002.
	13	Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, Official Journal of the European Communities, L 281, November 23rd, 1995.
	14	S. Farrell , R. Housley, An Internet Attribute Certificate Profile for Authorization, RFC Editor, 2002
	15	Federal Trade Commission. The integrity and accuracy of the "whois" database. Statement Before the Subcommittee on Courts, the Internet, and Intellectual Property of the Committee on the Judiciary United States House of Representatives, May 22 2002. http://www.ftc.gov/os/2002/05/whois.htm.
	16	Greg Goth, Identity Theft Solutions Disagree on Problem, IEEE Distributed Systems Online, v.6 n.8, p.2, August 2005 [doi>10.1109/MDSO.2005.41]
	17	G. Greenleaf and R. Clarke. Privacy implications of digital signatures. In IBC Conference on Digital Signatures, March 1997.
	18	Higgins Trust Framework. www.eclipse.org/higgins.
	19	A Technical Reference for InfoCard v1.0 in Windows, Microsoft, 2005.
	20	Internic website. Who is data problem report system. http://wdprs.internic.net/, March 2006.
	21	S. Lederer, J. I. Hong, A. K. Dey, and J. A. Landay. Personal privacy through understanding and action: Five pitfalls for designers. In S. Garfinkel and L. Cranor, editors, Security and Usability: Designing Secure Systems That People Can Use, chapter 21. O'Reilly, 2005.
	22	Stephen E. Levy , Carl Gutwin, Improving understanding of website privacy policies with fine-grained policy anchors, Proceedings of the 14th international conference on World Wide Web, May 10-14, 2005, Chiba, Japan [doi>10.1145/1060745.1060816]
	23	Liberty alliance project. www.projectliberty.org.
	24	R. C. Miller and M. Wu. Fighting phishing at the user interface. In S. Garfinkel and L. Cranor, editors, Security and Usability: Designing Secure Systems That People Can Use, chapter 14. O'Reilly, 2005.
	25	T. Moses, ed. eXtensible access control markup language (XACML). OASIS Standard.
	26	John Sören Pettersson , Simone Fischer-Hübner , Ninni Danielsson , Jenny Nilsson , Mike Bergmann , Sebastian Clauss , Thomas Kriegelstein , Henry Krasemann, Making PRIME usable, Proceedings of the 2005 symposium on Usable privacy and security, p.53-64, July 06-08, 2005, Pittsburgh, Pennsylvania [doi>10.1145/1073001.1073007]
	27	PRIME project. www.prime-project.eu.org.
	28	Roboform. http://www.roboform.com.
	29	Security Assertion Markup Language v2.0. www.oasis-open.org/specs.
	30	S. Steinbrecher and S. Köpsell. Modelling unlinkability. In R. Dingledine, editor, Proceedings of Privacy Enhancing Technologies workshop (PET 2003). LNCS 2760, March 2003.
	31	Trusted Computing Group, Trusted Platform Module (TPM) specification v1.2. https://www.trustedcomputinggroup.org/specs/TPM/.
	32	BEA, IBM, Microsoft, RSA Security, VeriSign: Web services federation language note=www-128.ibm.com/developerworks/library/specification/ws-fed.
	33	K.-P. Yee. Guidelines and strategies for secure interaction design. In S. Garfinkel and L. Cranor, editors, Security and Usability: Designing Secure Systems That People Can Use, chapter 13. O'Reilly, 2005.