Development of security extensions based on Chrome APIs

Client-side attacks against web sessions are a real concern for many applications. Realizing protection mechanisms on the client side, e.g. as browser extensions, has become a popular approach for securing the Web. In this paper we report on our experience in the implementation of SessInt, an extension for Google Chrome that protects users against a variety of client-side attacks, and we discuss some limitations of the browser APIs that negatively impacted on the design process

Policy-Based Sanitizable Signatures

Sanitizable signatures are a variant of signatures which allow a single, and signer-defined, sanitizer to modify signed messages in a controlled way without invalidating the respective signature. They turned out to be a versatile primitive, proven by different variants and extensions, e.g., allowing multiple sanitizers or adding new sanitizers one-by-one. However, existing constructions are very restricted regarding their flexibility in specifying potential sanitizers. We propose a different and more powerful approach: Instead of using sanitizers\u27 public keys directly, we assign attributes to them. Sanitizing is then based on policies, i.e., access structures defined over attributes. A sanitizer can sanitize, if, and only if, it holds a secret key to attributes satisfying the policy associated to a signature, while offering full-scale accountability