Skip to main content
eScholarship
Open Access Publications from the University of California

UC San Diego

UC San Diego Electronic Theses and Dissertations bannerUC San Diego

Analyzing and addressing the security issues of non-browser web-connected applications

Abstract

Today, any non-trivial application requires the ability to communicate over the network. Providing a secure connection (i.e., a confidential and authenticated connection) for the application to achieve its goals is a difficult task as it involves correctly implementing complex protocols. Further, even if you could provide integrity and confidentiality of data received over the network, it is sometimes difficult to verify the benign nature of such data. Having stood the test of time as being the most popular application for network communication, browsers have been able to achieve network security with greater success. However, almost all other non-browser applications have lagged behind. Despite this, these applications are widely used by developers. In this thesis, we look at two such applications.

First we look at tools that fetch webpages over https (such as wget) and analyze their connection security. We then argue that these tools should delegate network security to browsers and implement a prototype version of wget to demonstrate the feasibility of building applications that provides security guarantees (confidentiality, integrity, authenticity) without requiring a deep understanding of the underlying security protocols.

We then analyze package managers which developers often use to download and execute code from untrusted entities. Network security alone is not sufficient in this case. We argue for a more secure package manager, one that can cope with nation state adversaries (who have a history of infiltrating codebases). We describe the design of one such secure system---SPAM---that uses the new Stellar federated Byzantine fault tolerant system.

Main Content
For improved accessibility of PDF content, download the file to your device.
Current View