45 research outputs found

    Analysis of RTCWeb Data Channel Transport Options

    Get PDF
    The Web has introduced a new technology in a more distributed and collaborative form of communication, where the browser and the user replace the web server as the nexus of communications in a way that after the call establishment through web servers, the communication is performed directly between browsers as peer to peer fashion without intervention of the web servers. The goal of Real Time Collaboration on the World Wide Web (RTCWeb) project is to allow browsers to natively support voice, video, and gaming in interactive peer to peer communications and real time data collaboration. Several transport protocols such as TCP, UDP, RTP, SRTP, SCTP, DCCP presently exist for communication of media and non-media data. However, a single protocol alone can not meet all the requirements of RTCWeb. Moreover, the deployment of a new transport protocol experiences problems traversing middle boxes such as Network Address Translation (NAT) box, firewall. Nevertheless, the current implementation for transportation of non-media in the very first versions of RTCWeb data does not include any congestion control on the end-points. With media (i.e., audio, video) the amount of traffic can be determined and limited by the codec and profile used during communication, whereas RTCWeb user could generate as much as non-media data to create congestion on the networks. Therefore, a suitable transport protocol stack is required that will provide congestion control, NAT traversal solution, and authentication, integrity, and privacy of user data. This master's thesis will give emphasis on the analysis of transport protocol stack for data channel in RTCWeb and selects Stream Control Transmission Protocol (SCTP), which is a reliable, message oriented general-purpose transport layer protocol, operating on top of both IPv4 and IPv6, providing congestion control similar to TCP and additionally, some new functionalities regarding security, multihoming, multistreaming, mobility, and partial reliability. However, due to the lack of universal availability of SCTP within the OS(s), it has been decided to use the SCTP userland implementation. WebKit is an open source web browser engine for rendering web pages used by Safari, Dashboard, Mail, and many other OS X applications. In WebKit RTCWeb implementation using GStreamer multimedia framework, RTP/UDP is utilized for the communication of media data and UDP tunnelling for non-media data. Therefore, in order to allow a smooth integration of the implementation within WebKit, we have decided to implement GStreamer plugins using SCTP userland stack. This thesis work also investigates the way Mozilla has integrated those protocols in the browser's network stack and how the Data Channel has been designed and implemented using SCTP userland stack

    Web-based Secure Application Control

    Get PDF
    The world wide web today serves as a distributed application platform. Its origins, however, go back to a simple delivery network for static hypertexts. The legacy from these days can still be observed in the communication protocol used by increasingly sophisticated clients and applications. This thesis identifies the actual security requirements of modern web applications and shows that HTTP does not fit them: user and application authentication, message integrity and confidentiality, control-flow integrity, and application-to-application authorization. We explore the other protocols in the web stack and work out why they can not fill the gap. Our analysis shows that the underlying problem is the connectionless property of HTTP. However, history shows that a fresh start with web communication is far from realistic. As a consequence, we come up with approaches that contribute to meet the identified requirements. We first present impersonation attack vectors that begin before the actual user authentication, i.e. when secure web interaction and authentication seem to be unnecessary. Session fixation attacks exploit a responsibility mismatch between the web developer and the used web application framework. We describe and compare three countermeasures on different implementation levels: on the source code level, on the framework level, and on the network level as a reverse proxy. Then, we explain how the authentication credentials that are transmitted for the user login, i.e. the password, and for session tracking, i.e. the session cookie, can be complemented by browser-stored and user-based secrets respectively. This way, an attacker can not hijack user accounts only by phishing the user's password because an additional browser-based secret is required for login. Also, the class of well-known session hijacking attacks is mitigated because a secret only known by the user must be provided in order to perform critical actions. In the next step, we explore alternative approaches to static authentication credentials. Our approach implements a trusted UI and a mutually authenticated session using signatures as a means to authenticate requests. This way, it establishes a trusted path between the user and the web application without exchanging reusable authentication credentials. As a downside, this approach requires support on the client side and on the server side in order to provide maximum protection. Another approach avoids client-side support but can not implement a trusted UI and is thus susceptible to phishing and clickjacking attacks. Our approaches described so far increase the security level of all web communication at all time. This is why we investigate adaptive security policies that fit the actual risk instead of permanently restricting all kinds of communication including non-critical requests. We develop a smart browser extension that detects when the user is authenticated on a website meaning that she can be impersonated because all requests carry her identity proof. Uncritical communication, however, is released from restrictions to enable all intended web features. Finally, we focus on attacks targeting a web application's control-flow integrity. We explain them thoroughly, check whether current web application frameworks provide means for protection, and implement two approaches to protect web applications: The first approach is an extension for a web application framework and provides protection based on its configuration by checking all requests for policy conformity. The second approach generates its own policies ad hoc based on the observed web traffic and assuming that regular users only click on links and buttons and fill forms but do not craft requests to protected resources.Das heutige World Wide Web ist eine verteilte Plattform für Anwendungen aller Art: von einfachen Webseiten über Online Banking, E-Mail, multimediale Unterhaltung bis hin zu intelligenten vernetzten Häusern und Städten. Seine Ursprünge liegen allerdings in einem einfachen Netzwerk zur Übermittlung statischer Inhalte auf der Basis von Hypertexten. Diese Ursprünge lassen sich noch immer im verwendeten Kommunikationsprotokoll HTTP identifizieren. In dieser Arbeit untersuchen wir die Sicherheitsanforderungen moderner Web-Anwendungen und zeigen, dass HTTP diese Anforderungen nicht erfüllen kann. Zu diesen Anforderungen gehören die Authentifikation von Benutzern und Anwendungen, die Integrität und Vertraulichkeit von Nachrichten, Kontrollflussintegrität und die gegenseitige Autorisierung von Anwendungen. Wir untersuchen die Web-Protokolle auf den unteren Netzwerk-Schichten und zeigen, dass auch sie nicht die Sicherheitsanforderungen erfüllen können. Unsere Analyse zeigt, dass das grundlegende Problem in der Verbindungslosigkeit von HTTP zu finden ist. Allerdings hat die Geschichte gezeigt, dass ein Neustart mit einem verbesserten Protokoll keine Option für ein gewachsenes System wie das World Wide Web ist. Aus diesem Grund beschäftigt sich diese Arbeit mit unseren Beiträgen zu sicherer Web-Kommunikation auf der Basis des existierenden verbindungslosen HTTP. Wir beginnen mit der Beschreibung von Session Fixation-Angriffen, die bereits vor der eigentlichen Anmeldung des Benutzers an der Web-Anwendung beginnen und im Erfolgsfall die temporäre Übernahme des Benutzerkontos erlauben. Wir präsentieren drei Gegenmaßnahmen, die je nach Eingriffsmöglichkeiten in die Web-Anwendung umgesetzt werden können. Als nächstes gehen wir auf das Problem ein, dass Zugangsdaten im WWW sowohl zwischen den Teilnehmern zu Authentifikationszwecken kommuniziert werden als auch für jeden, der Kenntnis dieser Daten erlangt, wiederverwendbar sind. Unsere Ansätze binden das Benutzerpasswort an ein im Browser gespeichertes Authentifikationsmerkmal und das sog. Session-Cookie an ein Geheimnis, das nur dem Benutzer und der Web-Anwendung bekannt ist. Auf diese Weise kann ein Angreifer weder ein gestohlenes Passwort noch ein Session-Cookie allein zum Zugriff auf das Benutzerkonto verwenden. Darauffolgend beschreiben wir ein Authentifikationsprotokoll, das vollständig auf die Übermittlung geheimer Zugangsdaten verzichtet. Unser Ansatz implementiert eine vertrauenswürdige Benutzeroberfläche und wirkt so gegen die Manipulation derselben in herkömmlichen Browsern. Während die bisherigen Ansätze die Sicherheit jeglicher Web-Kommunikation erhöhen, widmen wir uns der Frage, inwiefern ein intelligenter Browser den Benutzer - wenn nötig - vor Angriffen bewahren kann und - wenn möglich - eine ungehinderte Kommunikation ermöglichen kann. Damit trägt unser Ansatz zur Akzeptanz von Sicherheitslösungen bei, die ansonsten regelmäßig als lästige Einschränkungen empfunden werden. Schließlich legen wir den Fokus auf die Kontrollflussintegrität von Web-Anwendungen. Bösartige Benutzer können den Zustand von Anwendungen durch speziell präparierte Folgen von Anfragen in ihrem Sinne manipulieren. Unsere Ansätze filtern Benutzeranfragen, die von der Anwendung nicht erwartet wurden, und lassen nur solche Anfragen passieren, die von der Anwendung ordnungsgemäß verarbeitet werden können

    Security and Privacy in Unified Communication

    Get PDF
    The file attached to this record is the author's final peer reviewed version. The Publisher's final version can be found by following the DOI link.The use of unified communication; video conferencing, audio conferencing, and instant messaging has skyrocketed during the COVID-19 pandemic. However, security and privacy considerations have often been neglected. This paper provides a comprehensive survey of security and privacy in Unified Communication (UC). We systematically analyze security and privacy threats and mitigations in a generic UC scenario. Based on this, we analyze security and privacy features of the major UC market leaders and we draw conclusions on the overall UC landscape. While confidentiality in communication channels is generally well protected through encryption, other privacy properties are mostly lacking on UC platforms

    Älykäs tunnistauminen ja käyttöoikeuksien hallinta monimuotoisessa verkotetussa maailmassa

    Get PDF
    Our living environments are full of various connected computing devices. These environments in homes, offices, public spaces, transportation etc. are gaining abilities to acquire and apply knowledge about the environment and its users in order to improve users' experience in that environment. However, before smart adaptive solutions can be deployed in critical applications, authentication and authorization mechanisms are needed to provide protection against various security threats. These mechanisms must be able to interoperate and share information with different devices. The thesis focuses to questions on how to facilitate the interoperability of authentication and authorization solutions and how to enable adaptability and smartness of these solutions. To address questions, this thesis explores existing authentication and authorizations solutions. Then the thesis builds new reusable, interoperable, and adaptive security solutions. The smart space concept, based on semantic web technologies and publish-and-subscribe architecture, is recognized as a prominent approach for interoperability. We contribute by proposing solutions, which facilitate implementation of smart access control applications. An essential enabler for smart spaces is a secure platform for information sharing. This platform can be based on various security protocols and frameworks, providing diverse security levels. We survey security-levels and feasibility of some key establishment protocols and solutions for authentication and authorization. We also study ecosystem and adaptation issues as well as design and implement a fine-grained and context-based reusable security model, which enables development of self-configuring and adaptive authorization solutions.Ympäristöt, joissa elämme, ovat täynnä erilaisia verkkolaitteita. Nämä koteihin, toimistoihin, julkisiin tiloihin ja ajoneuvoihin muodostuvat ympäristöt ovat oppimassa hyödyntämään ympäriltä saatavilla olevaa tietoa ja sopeuttamaan toimintaansa parantaakseen käyttäjän kokemusta näistä ympäristössä. Älykkäiden ja sopeutuvien tilojen käyttöönotto kriittisissä sovelluksissa vaatii kuitenkin tunnistautumis- ja käyttöoikeuksien hallintamenetelmiä tietoturvauhkien torjumiseksi. Näiden menetelmien pitää pystyä yhteistoimintaan ja mahdollistaa tiedonvaihto erilaisten laitteiden kanssa. Tämä lisensiaatin tutkimus keskittyy kysymyksiin, kuinka helpottaa tunnistautumis- ja käyttöoikeusratkaisujen yhteensopivuutta ja kuinka mahdollistaa näiden ratkaisujen sopeutumiskyky ja älykäs toiminta. Tutkimuksessa tarkastellaan olemassa olevia menetelmiä. Tämän jälkeen kuvataan toteutuksia uusista tietoturvaratkaisuista, jotka ovat uudelleenkäytettäviä, eri laitteiden kanssa yhteensopivia ja eri vaatimuksiin mukautuvia. Älytilat, jotka perustuvat semanttisten web teknologioiden ja julkaise-ja-tilaa arkkitehtuurin hyödyntämiseen, tunnistetaan työssä lupaavaksi yhteensopivuuden tuovaksi ratkaisuksi. Tutkimus esittää ratkaisuja, jotka helpottavat älykkäiden tunnistautumis- ja käyttöoikeuksien hallintaratkaisujen kehitystä. Oleellinen yhteensopivuuden mahdollistaja on tietoturvallinen yhteensopivuusalusta. Tämä alusta voi perustua erilaisiin avaintenhallinta ja tunnistautumisprotokolliin sekä käyttöoikeuksien hallintakehyksiin. Tutkimuksessa arvioidaan joidenkin olemassa olevien ratkaisujen käytettävyyttä ja tietoturvatasoa. Tutkimuksessa myös tutkitaan ekosysteemi- ja sopeutumiskysymyksiä sekä toteutetaan hienojakoinen ja kontekstiin perustuva uudelleen käytettävä tietoturvamalli, joka mahdollistaa itsesääntyvien ja mukautuvien käyttöoikeuksien hallinta sovellusten toteuttamisen

    A Secure Peer-to-Peer Application Framework

    Get PDF
    The nature of the Internet has changed dramatically. From a modest research network, it has evolved into one of the most important fabrics of our modern society, affecting the lives of billions each day. We rely on it for everything from performing our daily chores to accessing rich media and keeping in touch with our friends. Despite this change, service provisioning has largely remained intact. Services are provided in a centralized manner, resulting in bottlenecks and vulnerable collections of, often unwittingly, submitted sensitive information. Peer-to-peer (P2P) technologies have the potential to provide a better alternative for future networking. P2P services distribute the load from a single node to a network of peers, relying on the resources of the end-users themselves. Not only does it remove the bottlenecks, it has the potential to provide a more personal and safe networking environment. In this dissertation, we inspect the feasibility and implications of a generic, cross-application, P2P framework. We present the design and implementation of a framework that uses existing infrastructure and advanced networking protocols to create a secure environment. Using this framework, applications are able to benefit from P2P networking without having to deploy new infrastructure or implement complex connection- and identity management. Users benefit from using a single, strong, cross-application identity management and having better control over their data. This improves the trust within the system and enables new ways of dealing with security threats. We demonstrate the feasibility of the framework by evaluating the performance and usability of the prototype implementation. This provides a model for future networking applications and insight into the security and usability issues these will face

    How to accelerate your internet : a practical guide to bandwidth management and optimisation using open source software

    Get PDF
    xiii, 298 p. : ill. ; 24 cm.Libro ElectrónicoAccess to sufficient Internet bandwidth enables worldwide electronic collaboration, access to informational resources, rapid and effective communication, and grants membership to a global community. Therefore, bandwidth is probably the single most critical resource at the disposal of a modern organisation. The goal of this book is to provide practical information on how to gain the largest possible benefit from your connection to the Internet. By applying the monitoring and optimisation techniques discussed here, the effectiveness of your network can be significantly improved

    Mashup Ecosystems: Integrating Web Resources on Desktop and Mobile Devices

    Get PDF
    The Web is increasingly used as an application platform, and recent development of it has introduced software ecosystems where different actors collaborate. This collaboration is international from day one, and it evolves and grows rapidly. In web ecosystems applications are provided as services, and interdependencies between ecosystem parts can vary from very strong and obvious to loose and recondite. Mashups -- web application hybrids that combine resources from different services into an integrated system that has increased value from user perspective -- are exploiting services of the Web and creating ecosystems where end-users, mashup authors, and service providers collaborate. The term "resources" is used here in a broad sense, and it can refer to user's local data, infinite content of the Web, and even executable code. This dissertation presents mashups as a new breed of web applications that are intended for parsing the web content into an easily accessed form on both regular desktop computers as well as on mobile devices. Constantly evolving web technologies and new web services open up unforeseen possibilities for mashup development. However, developing mashups with current methods and tools for existing deployment environments is challenging. First, the Web as an application platform faces numerous shortcomings, second, web application development practices in general are still immature, and third, development of mashups has additional requirements that need to be addressed. In addition, mobility sets even more challenges for mashup authoring. This dissertation describes and addresses numerous issues regarding mashup ecosystems and client-side mashup development. To achieve this, we have implemented technical research artifacts including mashup ecosystems and different kinds of mashup compositions. The artifacts are developed with numerous runtime environments and tools and targeted at different end-user platforms. This has allowed us to evaluate methods, tools, and practises used during the implementation. As result, this dissertation identifies the fundamental challenges of mashup ecosystems and describes how service providers and mashup ecosystem authors can address these challenges in practice. In addition, example implementation of a specialized multimedia mashup ecosystem for mobile devices is described. To address mashup development issues, this dissertation introduces practical guidelines and a reference architecture that can be applied when mashups are created with traditional web development tools. Moreover, environments that can be used on mobile devices to create mashups that have access to both web and local resources are introduced. Finally, a novel approach to web software development -- creating software as a mashup -- is introduced, and a realization of such concept is described

    Conceptual metaphor in English popular technology and Greek translation

    Get PDF
    This research project studies the metaphorical conceptualisation of technology in English popular technology magazines and in translation in the respective Greek editions. The focus is on the cognitive linguistic view of metaphor initially presented by Lakoff and Johnson (1980), on the metaphor identification procedure (Pragglejaz Group 2007), and critical metaphor analysis (Charteris-Black 2004). The analysis of the English data identifies 14 main metaphors and 29 submetaphors which contribute to the structure of the target domain of technology. It distinguishes between conventional and novel metaphors, and common and original metaphorical expressions, motivated by correlations in experience between diverse source domains and by the widespread diffusion and impact of technology. The English data also provide insight into the functions of these metaphors in popular technology discourse and reveal evidence to thinking, values and attitudes about technology in the English language. The analysis of the Greek data examines similarities and differences in the conceptualisations between the English and Greek languages and cultures, and finds similarities in the categories of metaphors, frequency of and preference for metaphor use in the source and target languages, and in the majority of metaphorical expressions. Similarities are based on common experiences stemming from experiential co-occurrence or experiential similarity, and on translated experience. Differences are restricted to specific-level metaphors and expressions, motivated by alternative conceptualisations of terminology, cultural specificity and preferential conceptualisations. A set of translation strategies and a number of possible translation effects are also identified. These strategies and effects add to the possibilities of translation variations and the range of translation options, and are used to draw conclusions regarding the similarities and differences between the English and Greek languages and cultures. Consequently, through the identification and description of metaphors in technology magazines and in translation, the study attempts to highlight aspects of the culture of technology, which views technology as a cultural artefact and a producer of its own culture.EThOS - Electronic Theses Online ServiceGreek State Scholarship Foundation (IKY)GBUnited Kingdo

    DSpace Manual: Software version 1.5

    Full text link
    DSpace is an open source software platform that enables organizations to: - Capture and describe digital material using a submission workflow module, or a variety of programmatic ingest options - Distribute an organization's digital assets over the web through a search and retrieval system - Preserve digital assets over the long term This system documentation includes a functional overview of the system, which is a good introduction to the capabilities of the system, and should be readable by nontechnical personnel. Everyone should read this section first because it introduces some terminology used throughout the rest of the documentation. For people actually running a DSpace service, there is an installation guide, and sections on configuration and the directory structure. Note that as of DSpace 1.2, the administration user interface guide is now on-line help available from within the DSpace system. Finally, for those interested in the details of how DSpace works, and those potentially interested in modifying the code for their own purposes, there is a detailed architecture and design section
    corecore