Comments:
-
- on Fri 13 Nov 2009
- 07:52:35 AM UTC
Plain English?
For those that don't understand jargon . . . what are "opportunistic personas"?
And I must be missing something . . . but your paper refers to things like blog comments as being an example of a third party element. That part I understand sort of, but if a blog comment contains a link to malware, then the site hosting the comment (the blog) would be rated down as it should be since it contains (regardless of source) a link to malware (the exception of course being a search engine like Google). I say "should be" on the premise that blogs are responsible for their content (including comments).
(Before any bloggers post any objection to this, let me add that, yes, unscrupulous content can find its way into a blog via a comment, but a blogger maintaining a board should nevertheless soon find the offending comment . . . if it's not already been reported . . . and remove it. For example, I would certainly expect Frank to remove a malware-containing comment from techhjaws, or Colin or evilfantasy to do the same on their blogs.)
Or are you saying that your design would afford a separate enumeration score of the comment containing the link to the malware?
Not sure I have my arms around this. Can you clarify?
-
- on Fri 13 Nov 2009
- 04:13:55 PM UTC
I agree
If you have a website with any user content (3rd party), it is your responsibility to monitor and, if necessary, to delete inappropriate content. At least if you want to keep the average people coming back. Who is going to use a site that is covered with nothing more than ads, spam, and links to malware and other junk? It is after all your community.
-
- on Sun 15 Nov 2009
- 02:09:04 AM UTC
good as well as bad content
That could be difficult...
What happens when part of the page's content is changed, does this create a new key for that "part" of the page, or for the page itself?
Your paper mentions using the DIV tag - what if I decided to go back to the old way of using table-based markup?
The idea, how to make web pages made of several components (e.g. user-created content) secure using WOT is interesting and would definitely merit experimentation, but IMHO it would not be wise to include something that has not yet been proven to work flawlessly as a component in the next release of WOT.
-------
WOT Services Ltd. - gives us safety through Web of Trust.
WOT Community - gives us security through unity.
Thank you all
- G7W

Securing composite web sites
Hi all,
We recently published a research paper on how to make web pages made of several components (e.g. user-created content) secure using WOT.
It would be nice to try to experiment with this system in practice or include it in the next release of WOT (currently only site reputation is determined by WOT, but a single web page could include good as well as bad content which could be displayed differently).
http://www.cs.helsinki.fi/u/gurtov/papers/rearch04...
Abstract:
Security in the WWW architecture is based on authenticating the source server and securing the data during transport without considering the content itself. The traditional assumption is that a page is as secure as the server hosting it. However, modern web sites have often a composite structure where components of the web page are authored by different actors and one logical page contains components collected from disparate servers. Applying a single security policy to a whole page is inadequate. We introduce a new model to protect users from web-based malware. We have developed a new model that uses opportunistic personas to better secure web content by adding integrity and accountability to individual elements. In this paper we present the overall design of the mechanism, as well as details derived from a prototype of the system.