HTTPA (Accountable Hyper Text Transfer Protocol) PhD Proposal Talk Oshani Seneviratne DIG, MIT CSAIL May 31, 2011.

Presentation transcript:

Problems Addressed

Personal Information on the Web
Increasing amounts of personal information on the Social Web
Oftentimes there are unforeseen adverse consequences
Users become victims of poor design choices, e.g. Facebook Beacon, Google Buzz, etc.

Reuse of Creative Works
Reuse is good, but unauthorized content use is bad
How can you prove that someone has violated your usage restrictions?

User Behavior Tracking Across Websites

Proposed Solution

Web Ecosystem that supports Accountability
Build an accountable protocol and applications that use it
Evaluate the adoption and the usability of the protocol
Provide a framework for information accountability within the context of Web Science research

Protocol Components

Authentication
Access Control
  – Identifying the data consumer before serving data
Tracking and Auditing
  – Association of data with the entity that accessed/used them
Side Effect
  – HTTPA may not support anonymous access unless the data consumer uses the Provenance Tracker to hide her identity
Use WebID for authentication

Usage Restriction Specification
Initial implementation of the protocol will use the RMP (Respect My Privacy) ontology
May also use the PPO (Privacy Preference Ontology)
Usage Restriction needs terms such as:
  – No cookies
  – No ownership transfer
  – No commercial use
  – No depiction
  – No employment use
  – No insurance use

Negotiation of Usage Restrictions and Intentions / Handshake
Uses HTTP headers ‘usage-restrictions’ and ‘intentions’
Use ‘negotiate’ when the original usage restrictions and intentions do not match

Motivating Scenarios for the Handshake

Data Uploaded to Websites
Specify usage restrictions on data that belongs to the user
  – Creative works
  – Personal data
Negotiate usage restrictions on the data uploaded to sites
  – Sites may have terms that are not what the user wanted

Data Uploaded to Websites (I)
POST picture
Usage Restrictions: No Ownership Transfer
HTTPA 412 Precondition Failed
Intentions: Ownership Transfer
POST picture

Data Uploaded to Websites (II)
POST picture
Usage Restrictions: No Ownership Transfer
HTTPA 412 Precondition Failed
Intentions: Ownership Transfer
POST picture
Negotiate: No Ownership Transfer
HTTPA 204 No Content
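The upload handshake from the two slides above, as an added example (not code from the talk or the HTTPA project). It assumes header values are comma-separated terms, that a restriction "No X" conflicts with an intention "X", and that a conflict-free upload is answered with 204; the `non_negotiable` parameter is hypothetical and models a site that refuses to drop an intention.

```python
# Added example: toy model of the HTTPA upload handshake, not the author's code.
# Assumptions: header values are comma-separated terms, and a restriction
# "No X" conflicts with an intention "X". `non_negotiable` is hypothetical.

def norm(value):
    """Parse a header value into lower-case terms ('No-Cookies' -> 'no cookies')."""
    return {t.strip().lower().replace("-", " ") for t in value.split(",") if t.strip()}

def forbidden(restrictions):
    """Uses ruled out by restrictions of the form 'no <use>'."""
    return {r[3:] for r in restrictions if r.startswith("no ")}

class Site:
    """Server side: holds the site's intentions for uploaded data."""
    def __init__(self, intentions, non_negotiable=""):
        self.intentions = norm(intentions)
        self.non_negotiable = norm(non_negotiable)
        self.stored = []  # (body, restrictions the site accepted with it)

    def post(self, body, headers):
        negotiating = "Negotiate" in headers
        terms = norm(headers.get("Negotiate") or headers.get("Usage-Restrictions", ""))
        # On Negotiate the site gives up every intention it does not insist on.
        active = self.intentions & self.non_negotiable if negotiating else self.intentions
        if forbidden(terms) & active:
            # Fail closed: nothing is stored, and the site states its intentions.
            return 412, {"Intentions": ", ".join(sorted(self.intentions))}
        self.stored.append((body, sorted(terms)))
        return 204, {}  # assumed success status, as in slide (II)

def upload(site, body, restrictions):
    """Client side: POST with restrictions, negotiate once on 412."""
    statuses = []
    status, _ = site.post(body, {"Usage-Restrictions": restrictions})
    statuses.append(status)
    if status == 412:
        status, _ = site.post(body, {"Negotiate": restrictions})
        statuses.append(status)
    return statuses

if __name__ == "__main__":
    print(upload(Site("Ownership Transfer"), b"picture", "No Ownership Transfer"))
```

The data is stored only together with the restrictions the site accepted, which is what later accountability checks rely on.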

Data Downloaded from Websites
Usage restrictions are sent along with the data
Smart clients help the user with proper (re)usage

Data Downloaded from Websites
HEAD Alice’s Photo
Intentions: No-Commercial
Usage Restrictions: No Ownership Transfer
GET Alice’s Photo
Intentions: No-Commercial, No Ownership Transfer
HTTPA 200 OK
Usage Aware Log: Log URI

Do Not Track
Users can accept cookies or reject them when dealing with certain websites
Usage restrictions are applied to the data collected on users and NOT on the data transferred from the website

Do Not Track: Accepting Cookies (I)
HEAD /index.html
HTTPA 200 OK
Cookie1, Cookie2,…
GET /index.html
Intentions: No-Commercial, No-Employment
HTTPA 200 OK
Cookie1, Cookie2,…
Data Content
GET /index.html
Cookie1, Cookie2,…

Do Not Track: Accepting Cookies (II)
HEAD /index.html
Usage Restrictions: No-Cookies
HTTPA 412 Precondition Failed
Intentions: Cookies?
GET /index.html
Intentions: No-Commercial, No-Employment
HTTPA 200 OK
Cookie1, Cookie2,…
Data Content
GET /index.html
Cookie1, Cookie2,…

Do Not Track: Not Accepting Cookies (I)
HEAD /index.html
HTTPA 200 OK
Cookie1, Cookie2,…
GET /index.html
Negotiate: No-cookies, No-Commercial, No-Employment
HTTPA 200 OK
Data Content

Do Not Track: Not Accepting Cookies (II)
HEAD /index.html
Intentions: No-Cookies
HTTPA 200 OK
Data Content

Protocol Components Contd.

Provenance Trackers
Trusted intermediary
  – Determination of trust:
      Based on hierarchy
      Other means of trust to be investigated
Stores the accountability logs
Mechanism of communication within the Provenance Tracker Network TBD

Logging
Accountability Logs
  – Available at the Provenance Trackers
  – Contains the details of the HTTPA transaction
  – Encrypted
  – Can only be read by protocol components
Usage Aware Logs
  – Available at the Smart Client
  – Guides the Smart Client on reuse
Data Provenance Logs
  – Available at the Smart Client
  – Keeps track of the subsequent modifications

Accountability Checking
User can ‘complain’ about violations via the smart client
Smart client requests a provenance trail from the provenance tracker network
Provenance Trackers communicate with each other and provide a proof with:
  – URIs of subsequent derivatives
  – Usage restrictions attached at each reuse/modification/transmission
  – Identity of the violator
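One way the proof described above could be assembled, as an added example (not code from the talk or the HTTPA project). The record fields, the sample URIs and the rule that a derivative inherits its source's restrictions are assumptions; the records stand for accountability-log entries after decryption by a protocol component.

```python
# Added example: building a provenance trail from accountability-log records.
# Constructed sample data; field names and example URIs are assumptions.
LOG = [
    {"uri": "https://alice.example/photo", "source": None,
     "agent": "https://alice.example/#me",
     "restrictions": ["no commercial use"], "intention": None},
    {"uri": "https://bob.example/collage", "source": "https://alice.example/photo",
     "agent": "https://bob.example/#me",
     "restrictions": ["no commercial use"], "intention": "personal use"},
    # This reuse dropped the restriction and declared a forbidden intention.
    {"uri": "https://shop.example/poster", "source": "https://bob.example/collage",
     "agent": "https://shop.example/#id",
     "restrictions": [], "intention": "commercial use"},
]

def provenance_trail(log, origin):
    """Follow derivatives of `origin`; return (trail, violations).

    trail:      [(derivative URI, restrictions in force there), ...]
    violations: [(agent identity, derivative URI, restriction broken), ...]
    """
    by_source = {}
    for rec in log:
        by_source.setdefault(rec["source"], []).append(rec)
    origin_rec = next(r for r in log if r["uri"] == origin)
    inherited = {origin: set(origin_rec["restrictions"])}
    trail, violations, queue = [], [], [origin]
    while queue:
        src = queue.pop(0)
        for rec in by_source.get(src, []):
            if rec["uri"] in inherited:  # already visited; guards against cycles
                continue
            # A derivative cannot shed restrictions attached to its source.
            inherited[rec["uri"]] = inherited[src] | set(rec["restrictions"])
            trail.append((rec["uri"], sorted(inherited[rec["uri"]])))
            banned = {r[3:] for r in inherited[src] if r.startswith("no ")}
            if rec["intention"] in banned:
                violations.append((rec["agent"], rec["uri"], "no " + rec["intention"]))
            queue.append(rec["uri"])
    return trail, violations

if __name__ == "__main__":
    print(provenance_trail(LOG, "https://alice.example/photo"))
```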

Related Work

P3P

Project DReaM
DRM everywhere/available
Plans on providing an interoperable DRM architecture
Interface allows asserting fair use
Has an identity management focus

Timeline

Expected Contributions
Development of a protocol that will change the way users access and use data on the web
Evaluation of user behavior with smart clients that help them
  – improve decision making when disclosing private data
  – reuse content properly
  – find out who may have violated their usage restrictions
Recommendations for future accountability research

Questions?