Secure web 2.0 content sharing beyond walled gardens

Proceedings - Annual Computer Security Applications Conference, ACSAC

Volumn , Issue , 2009, Pages 409-418

  Sun, San Tsai ^a   Hawkey, Kirstie ^a   Beznosov, Konstantin ^a  

^a UNIVERSITY OF BRITISH COLUMBIA   (Canada)

Author keywords

Access control; Web 2.0 content sharing

Indexed keywords

ACCESS POLICIES; ACCESS-CONTROL MECHANISMS; CONTENT SHARING; POLICY STATEMENTS; SERVICE PROVIDER; WEB 2.0;

COMPUTER APPLICATIONS; SECURITY SYSTEMS; WORLD WIDE WEB;

ACCESS CONTROL;

EID: 77950836598     PISSN: 10639527     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1109/ACSAC.2009.45     Document Type: Conference Paper

References (37)

1. T. Oreilly, "What is Web 2.0: Design patterns and business models for the next generation of software," Communications and Strategies, No.1, p. 17, 2007.
2. M. Blaze, J. Feigenbaum, J. Ioannidis, and A. D. Keromytis, "The KeyNote trust-management system version 2," September 1999. [Online]. Available: http://www.ietf.org/rfc/rfc2704.txt
3. C. M. Ellison, B. Frantz, B. Lampson, R. Rivest, B. Thomas, and T. Ylonen, "SPKI certificate theory," September 1999. [Online]. Available: http://www.ietf.org/rfc/rfc2693.txt
4. N. Li, J. C. Mitchell, and W. H. Winsborough, "Design of a role-based trust-management framework," in SP '02: Proceedings of the 2002 IEEE Symposium on Security and Privacy, 2002, p. 114.
5. S. Voida, W. K. Edwards, M. W. Newman, R. E. Grinter, and N. Ducheneaut, "Share and share alike: exploring the user interface affordances of file sharing," in Proceedings of the SIGCHI conference on Human Factors in computing systems CHI '06:. New York, NY, USA: ACM, 2006, pp. 221-230.
6. T. Whalen, "Supporting file sharing through improved awareness," Ph.D. Dissertation, Dalhousie University, Canada, 2008. [Online]. Available: http://www.proquest.com/
7. A. D. Miller and W. K. Edwards, "Give and take: A study of consumer photo-sharing culture and practice," in Proceedings of the CHI 2007, San Jose, California, USA, April 28 -May 3 2007, pp. 347-356.
8. D. Recordon and B. Fitzpatrick, "OpenID authentication 2.0 - final," http://openid.net/specs/openid-authentication-2-0.html, December 2007.
9. J. S. Olson, J. Grudin, and E. Horvitz, "A study of preferences for sharing and privacy," in CHI '05 extended abstracts on Human factors in computing systems (CHI '05). New York, NY, USA: ACM, 2005, pp. 1985-1988.
10. D. Florencio and C. Herley, "A large-scale study of web password habits," in WWW '07: Proceedings of the 16th international conference on World Wide Web. New York, NY, USA: ACM, 2007, pp. 657-666.
11. E. Cohen, R. K. Thomas, W. Winsborough, and D. Shands, "Models for coalition-based access control (cbac)," in Proceedings of the seventh ACM symposium on access control models and technologies, Monterey, California, USA, 2002, pp. 97-106.
12. Internet2, "Shibboleth System," http://shibboleth.internet2. edu/, 2008.
13. OASIS, "Assertions and Protocol for the OASIS Security Assertion Markup Language (SAML)," http://www.oasisopen.org/committees/security/docs/ cs-sstc-core-00.pdf, April 2002.
14. B. Adida, "EmID: Web authentication by email address," in Proceedings of Web 2.0 Security and Privacy Workshop 2008, Oakland, California, USA, 2008.
15. M. Blaze, J. Feigenbaum, and J. Lacy, "Decentralized trust management," in the 1996 IEEE Symposium on Security and Privacy, Washington DC, USA, 1996, pp. 164-173.
16. R. Sandhu, E. Coyne, H. Feinstein, and C. Youman, "Role-based access control models," IEEE Computer, vol.29, no.2, pp. 38-47, 1996.
17. Microsoft Corporation, "Microsoft Live Mesh," https://www.mesh.com/, 2009.
18. Dropbox Corporation, "Sync your files online and across computers," http://www.getdropbox.com/, 2009.
19. R. J. Bayardo Jr., R. Agrawal, D. Gruhl, and A. Somani, "YouServ: a web-hosting and content sharing tool for the masses," in Proceedings of the 11th international conference on World Wide Web. New York, NY, USA: ACM, 2002, pp. 345-354.
20. A. H. Karp, M. Stiegler, and T. Close, "Not one click for security," http://www.hpl.hp.com/techreports/2009/HPL-2009-53.pdf, 2009.
21. T. Close, "Web-key: Mashing with permission," in Proceedings of the Web 2.0 Security and Privacy 2008, 2008.
22. B. Carminati, E. Ferrari, and A. Perego, "Rule-based access control for social networks," in On the Move to Meaningful Internet Systems 2006: OTM 2006 Workshops. LNCS, Springer-Verlag, 2006.
23. A. Tootoonchian, K. K. Gollu, S. Saroiu, Y. Ganjali, and A. Wolman, "Lockr: social access control for web 2.0," in Proceedings of the first workshop on Online social networks, Seattle, WA, USA, 2008, pp. 43-48.
24. S.-T. Sun and K. Beznosov, "Open problems in Web 2.0 user content sharing," in Proceedings of the iNetSec Workshop, Zurich, Switzerland, April 23th 2009.
25. D. Fuelling and W. Norris, "Email Address to URL Transformation 1.0," http://eaut.org/specs/1.0/, June 2008.
26. E. Hammer-Lahav, "XRDS-Simple 1.0," http://xrds-simple.net/ core/1.0/, March 2008.
27. N. Li, W. H. Winsborough, , and J. C. Mitchell, "Distributed credential chain discovery in trust management," Journal of Computer Security, vol.11, no.1, pp. 35-86, 2003.
28. S. E. Schechter, R. Dhamija, A. Ozment, and I. Fischer, "The emperor's new security indicators," in Proceedings of the 2007 IEEE Symposium on Security and Privacy. Washington, DC, USA: IEEE Computer Society, 2007, pp. 51-65.
29. R. Dhamija, J. D. Tygar, and M. Hearst, "Why phishing works," in CHI '06: Proceedings of the SIGCHI conference on Human Factors in computing systems. New York, NY, USA: ACM, 2006, pp. 581-590.
30. A. Herzberg and A. Jbara, "Security and identification indicators for browsers against spoofing and phishing attacks," ACM Trans. Interet Technology., vol.8, no.4, pp. 1-36, 2008.
31. R. Dhamija and J. D. Tygar, "The battle against phishing: Dynamic security skins," in SOUPS '05: Proceedings of the 2005 symposium on Usable privacy and security. New York, NY, USA: ACM, 2005, pp. 77-88.
32. M. Wu, R. C. Miller, and G. Little, "Web wallet: preventing phishing attacks by revealing user intentions," in SOUPS '06: Proceedings of the second symposium on Usable privacy and security. New York, NY, USA: ACM, 2006, pp. 102-113.
33. Earthlink Inc., "Earthlink toolbar: scambloker for windows users," 2008.
34. Y. Zhang, S. Egelma, L. Cranor, and J. Hong, "Phinding phish: Evaluating anti-phishing tools," in Proceedings of the 14th Annual Network and Distibuted System Security Symposium (NDSS 2007), 2007.
35. M. Wu, R. C. Miller, and S. L. Garfinkel, "Do security toolbars actually prevent phishing attacks?" in Proceedings of the SIGCHI conference on Human Factors in computing systems(CHI '06). New York, NY, USA: ACM, 2006, pp. 601-610.
36. J. Bufu, "Openid4java," http://code.sxip.com/openid4java/, 2009.
37. Q. Wei, J. Crampton, K. Beznosov, and M. Ripeanu, "Authorization recycling in RBAC systems," in Proceedings of the thirteenth ACM Symposium on Access Control Models and Technologies (SACMAT). Estes Park, Colorado, USA: ACM, June 11-13 2008, pp. 63-72. [Online]. Available: http://doi.acm.org/10. 1145/1377836.1377848