<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:itunes="http://www.itunes.com/dtds/podcast-1.0.dtd" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>ACM Queue - Web Security</title>
    <link>http://queue.acm.org/listing.cfm?item_topic=Web Security&amp;qc_type=topics_list&amp;filter=Web Security&amp;page_title=Web Security&amp;order=desc</link>
    <description />
    <item>
      <title>Go Static or Go Home</title>
      <link>http://queue.acm.org/detail.cfm?id=2721993</link>
      <description>Most current and historic problems in computer and network security boil down to a single observation: letting other people control our devices is bad for us. At another time, I'll explain what I mean by "other people" and "bad." For the purpose of this article, I'll focus entirely on what I mean by control. One way we lose control of our devices is to external distributed denial of service (DDoS) attacks, which fill a network with unwanted traffic, leaving no room for real ("wanted") traffic. Other forms of DDoS are similar: an attack by the Low Orbit Ion Cannon (LOIC), for example, might not totally fill up a network, but it can keep a web server so busy answering useless attack requests that the server can't answer any useful customer requests. Either way, DDoS means outsiders are controlling our devices, and that's bad for us.</description>
      <category>Web Security</category>
      <pubDate>Wed, 14 Jan 2015 12:19:30 GMT</pubDate>
      <author>Paul Vixie</author>
      <guid isPermaLink="false">2721993</guid>
    </item>
    <item>
      <title>Security Collapse in the HTTPS Market</title>
      <link>http://queue.acm.org/detail.cfm?id=2673311</link>
      <description>HTTPS (Hypertext Transfer Protocol Secure) has evolved into the de facto standard for secure Web browsing. Through the certificate-based authentication protocol, Web services and Internet users first authenticate one another ("shake hands") using a TLS/SSL certificate, encrypt Web communications end-to-end, and show a padlock in the browser to signal that a communication is secure. In recent years, HTTPS has become an essential technology to protect social, political, and economic activities online.</description>
      <category>Web Security</category>
      <pubDate>Tue, 23 Sep 2014 16:12:01 GMT</pubDate>
      <author>Axel Arnbak, Hadi Asghari, Michel Van Eeten, Nico Van Eijk</author>
      <guid isPermaLink="false">2673311</guid>
    </item>
    <item>
      <title>Why Is It Taking So Long to Secure Internet Routing?</title>
      <link>http://queue.acm.org/detail.cfm?id=2668966</link>
      <description>BGP (Border Gateway Protocol) is the glue that sticks the Internet together, enabling data communications between large networks operated by different organizations. BGP makes Internet communications global by setting up routes for traffic between organizations - for example, from Boston University's network, through larger ISPs (Internet service providers) such as Level3, Pakistan Telecom, and China Telecom, then on to residential networks such as Comcast or enterprise networks such as Bank of America.</description>
      <category>Web Security</category>
      <pubDate>Thu, 11 Sep 2014 11:37:18 GMT</pubDate>
      <author>Sharon Goldberg</author>
      <guid isPermaLink="false">2668966</guid>
    </item>
    <item>
      <title>Certificate Transparency</title>
      <link>http://queue.acm.org/detail.cfm?id=2668154</link>
      <description>On August 28, 2011, a mis-issued wildcard HTTPS certificate for google.com was used to conduct a man-in-the-middle attack against multiple users in Iran. The certificate had been issued by a Dutch CA (certificate authority) known as DigiNotar, a subsidiary of VASCO Data Security International. Later analysis showed that DigiNotar had been aware of the breach in its systems for more than a month - since at least July 19. It also showed that at least 531 fraudulent certificates had been issued. The final count may never be known, since DigiNotar did not have records of all the mis-issued certificates. On September 20, 2011, DigiNotar was declared bankrupt.</description>
      <category>Web Security</category>
      <pubDate>Mon, 08 Sep 2014 15:58:01 GMT</pubDate>
      <author>Ben Laurie</author>
      <guid isPermaLink="false">2668154</guid>
    </item>
    <item>
      <title>Securing the Tangled Web</title>
      <link>http://queue.acm.org/detail.cfm?id=2663760</link>
      <description>Script injection vulnerabilities are a bane of Web application development: deceptively simple in cause and remedy, they are nevertheless surprisingly difficult to prevent in large-scale Web development.</description>
      <category>Web Security</category>
      <pubDate>Mon, 25 Aug 2014 22:58:25 GMT</pubDate>
      <author>Christoph Kern</author>
      <guid isPermaLink="false">2663760</guid>
    </item>
    <item>
      <title>Splinternet Behind the Great Firewall of China</title>
      <link>http://queue.acm.org/detail.cfm?id=2405036</link>
      <description>What if you could not access YouTube, Facebook, Twitter, and Wikipedia? How would you feel if Google informed you that your connection had been reset during a search? What if Gmail was only periodically available, and Google Docs, which was used to compose this article, was completely unreachable? What a mess!</description>
      <category>Web Security</category>
      <pubDate>Fri, 30 Nov 2012 03:27:14 GMT</pubDate>
      <author>Daniel Anderson</author>
      <guid isPermaLink="false">2405036</guid>
    </item>
    <item>
      <title>Browser Security Case Study: Appearances Can Be Deceiving</title>
      <link>http://queue.acm.org/detail.cfm?id=2399757</link>
      <description>It seems every day we learn of some new security breach. It's all there for the taking on the Internet: more and more sensitive data every second. As for privacy, we Facebook, we Google, we bank online, we shop online, we invest online... we put it all out there. And just how well protected is all that personally identifiable information? Not very.</description>
      <category>Web Security</category>
      <pubDate>Tue, 20 Nov 2012 23:53:25 GMT</pubDate>
      <author>Jeremiah Grossman, Ben Livshits, Rebecca Bace, George Neville-Neil</author>
      <guid isPermaLink="false">2399757</guid>
    </item>
    <item>
      <title>The Web Won't Be Safe or Secure until We Break It</title>
      <link>http://queue.acm.org/detail.cfm?id=2390758</link>
      <description>The Internet was designed to deliver information, but few people envisioned the vast amounts of information that would be involved or the personal nature of that information. Similarly, few could have foreseen the potential flaws in the design of the Internet that would expose this personal information, compromising the data of individuals and companies.</description>
      <category>Web Security</category>
      <pubDate>Tue, 06 Nov 2012 15:45:17 GMT</pubDate>
      <author>Jeremiah Grossman</author>
      <guid isPermaLink="false">2390758</guid>
    </item>
    <item>
      <title>CTO Roundtable: Malware Defense Overview</title>
      <link>http://queue.acm.org/detail.cfm?id=1734092</link>
      <description>The Internet has enabled malware to progress to a much broader distribution model and is experiencing a huge explosion of individual threats. There are automated tools that find vulnerable sites, attack them, and turn them into distribution sites. As commerce and the business of daily living migrate online, attacks to leverage information assets for ill-gotten benefit have increased dramatically. Security professionals are seeing more sophisticated and innovative profit models on par with business models seen in the legitimate world.</description>
      <category>Web Security</category>
      <pubDate>Thu, 25 Feb 2010 17:19:19 GMT</pubDate>
      <author>Mache Creeger</author>
      <guid isPermaLink="false">1734092</guid>
    </item>
    <item>
      <title>CTO Roundtable: Malware Defense</title>
      <link>http://queue.acm.org/detail.cfm?id=1731902</link>
      <description>As all manner of information assets migrate online, malware has kept on track to become a huge source of individual threats. In a continuously evolving game of cat and mouse, as security professionals close off points of access, attackers develop more sophisticated attacks. Today profit models from malware are comparable to any seen in the legitimate world.</description>
      <category>Web Security</category>
      <pubDate>Wed, 24 Feb 2010 17:30:07 GMT</pubDate>
      <author>Mache Creeger</author>
      <guid isPermaLink="false">1731902</guid>
    </item>
  </channel>
</rss>

