Experiments and proofs in web-service security

Many web services have a subsystem for allowing users to register, authenticate, reset their password, and change personal details. It is important that such subsystems cannot be abused by attackers to gain access to the accounts of other users. We study a system which was initially prone to such attacks. Specific attacks are demonstrated and the system is then modified to prevent such attacks in future. The design achieved in this way is then analysed to show that it can't be broken in future unless users allow their email to he intercepted. This is achieved by formulating the requirement as a statement of the user's expectations of the system and then analysing the source code of the system to prove that it meets these requirements. The process of attack, correction, and formulation of security rules, and proof that rules hold, is proposed as a methodical security design philosophy

A social contract for cyberspace

The current standards for the Internet and its services and devices are set and developed by multiple standards organisations, and national governments. In this paper, we argue that a social contract is needed between these organisations, and the entities (individual users, organisations, devices, and service providers) which use the Internet to communicate. Criteria which a social contract should meet are proposed; fourteen major current cybersecurity or ethical issues are then discussed; the necessity and feasibility of a social contract are considered. A draft social contract is then proposed and solutions or strategies to address the fourteen issues identified previously, on the basis of this draft social contract, are presented