In-built security for a safer web experience

October is European Cyber Security Month and the awareness of online security in the EU has never been higher. Cyber crime is estimated to cost the European economy tens of billions of euros every year, much of it from the theft of credit card data later sold on the black market.

One of the projects the EU has funded in the battle against cyber crime is called WEBSAND (Server-driven Outbound Web-application Sandboxing), which has come up with new tools to make systems harder for hackers to crack.

WEBSAND’s computer scientists have built solutions based on ‘sandboxes’, restrictive mechanisms that separate server systems, and information flows (between servers and users’ browsers), from untrustworthy code.

LET’S FIX THE WEB

‘The main success of WEBSAND has been to show developers how to make security a default part of the system, rather than an afterthought,’ explained coordinator Dr Martin Johns .

The Web has changed considerably since 1990, when it was used as a static document-delivery tool. It has now become a real-time, multi-source environment, pushing developers to add security on to systems rather than making it an integral part of the client-server model. WEBSAND was formed to try to change that.

‘We set a deliberately ambitious goal at the start of the project. We thought: “Let’s try to fix the Web”. And we have succeeded to some degree. We have built a lot of solutions directly on the server side that enforce the security we want for certain areas.’

The aim was to put the developer in the driver’s seat, by taking a server-driven approach to security and building a modular, easy-to-use framework allowing developers even with limited security backgrounds to build applications that are secure by default.

The other thing WEBSAND did was to develop a set of browser extensions for end users. These include CSFIRE , which is ‘invisible’ to users in that it tries not interfere with the functionality of the applications they are using - be that an email program, Facebook, Google or a currency converter, say - while transparently guarding them from Web attacks.

WEBSAND’s scientists have also explored and come up with solutions to some of the Web’s fundamental ongoing problems.

They have designed a lightweight addition to the client side of browsers that prevents DNS Rebinding attacks, a common and reoccurring method of extracting information from a server without the host’s knowledge. A slight expansion of the server’s ‘same origin policy’ puts pay to this risk.

And they have also come up with a different way of authenticating passwords by implementing a new challenge-and-response system initiated by the server instead of the browser.

Now the core partners in the project – German companies SAP , Siemens , and the universities of Leuven in Belgium and Chalmers in Sweden – are working with the international Internet standards bodies, W3C and IETF, to persuade browser companies to adopt WEBSAND technology. They also belong to the non-profit organization OWASP (Open Web Application Security Project) and are promoting their findings through its user groups and meetings.

‘At SAP and Siemens, we use WEBSAND technology to make our own products more secure. But we would also directly benefit from a Web that is secure by default,’ said Dr Johns. ‘Security is very costly and a safer Web would also allow companies to devote more resources to functionality.’

WEBSAND, which ran from October 2010 to April 2014, received FP7 funding of 3.2 million euros and consisted of five partners in three countries.


Link to project's website