Web-platform security guide: Security assessment of the Web ecosystem
Authors
Abstract
In this document, we report on the Web-platform security guide, which has been developed within the EC-FP7 project STREWS. Based on their research, the STREWS consortium argues that in order to strengthen the Internet (e.g. against pervasive monitoring), it is crucial to also strengthen the web application ecosystem, the de-facto Internet application platform. The Web security guide is the result of a broad security assessment of the current situation on the Web¹. It looks at the Web ecosystem and provides a timely and comprehensive web security overview. It was written by the STREWS Consortium, which brings together a unique set of expertise in Europe to grasp the complexity of the Web platform and its security characteristics. It is unique because it brings together strong peers in academic web security research in Europe, a large European software vendor, and principal actors in standardisation activities in W3C and IETF, the predominant specification-developing organisations for the Web.

The Web platform security guide consists of four parts, structured as follows:
1) The first part gives a comprehensive overview of the current Web and the expected developments in the near future.
2) Based on the understanding of the Web ecosystem in the first part, the second part captures the breadth and complexity of the Web security vulnerability landscape. It describes the Web assets that are worth attacking, lists the capabilities attackers may have at their disposal and discusses the commonly used attacker models.
3) In the third part, the twenty most representative attack techniques are discussed and analyzed, grouped in seven high-level threat categories. The guide presents and discusses the latest state of the art, both from a research perspective and from a standardization perspective. Moreover, the guide provides a catalogue of best practices designed to mitigate the threats discussed, and to gradually improve the trustworthiness of web-enabled services.
4) Part four gives the full Web security threat landscape as an overview, indicates upcoming challenges resulting from the change of the web ecosystem and hints at some interesting opportunities for future research.

In the following paragraphs, we briefly highlight the most important contributions and key takeaways for each part.

¹ The Web-platform security guide can freely be downloaded at http://www.strews.eu/results/5-web-platform-security-guide

PART I: FOUNDATIONS OF THE WEB PLATFORM

In the first part of the guide, we briefly recap and discuss the foundations of the Web ecosystem. The goal of this first part is to provide the reader with a basic understanding of the Web ecosystem, needed to understand the security assessment. Over the last 25 years, the Web ecosystem went through a series of technological waves (as depicted in Figure 1), enriching the platform to the current level where it provides an attractive alternative to stand-alone applications (or even replacing the operating system itself). Evolutions in the Web platform include richer presentation capabilities (e.g., graphics, style sheets and multimedia tags), client-side state (cookies and storage), client-side interactivity (JavaScript, the DOM and a rich set of JavaScript APIs), as well as rich Internet Applications (such as Flash, ActiveX and Silverlight).

[Figure: User (Browser), HTTP transfer protocol, Web Server]
Similar sources
Image flip CAPTCHA
The massive and automated access to Web resources through robots has made it essential for Web service providers to make some conclusion about whether the "user" is a human or a robot. A Human Interaction Proof (HIP) like Completely Automated Public Turing test to tell Computers and Humans Apart (CAPTCHA) offers a way to make such a distinction. CAPTCHA is a reverse Turing test used by Web serv...
Information security of the web-based systems of the Iran Public Libraries Foundation
Purpose: This paper aims to evaluate the security of web-based information systems of Iran Public Libraries Foundation (IPLF). Methodology: Survey method was used as a method for implementation. The tool for data collection was a questionnaire, based on the standard ISO/IEC 27002, which has eleven indicators and 79 sub-criteria, and which examines security of web-based information systems of IP...
Analyzing new features of infected web content in detection of malicious web pages
Recent improvements in web standards and technologies enable attackers to hide and obfuscate infectious code with new methods and thus escape the security filters. In this paper, we study the application of machine learning techniques in detecting malicious web pages. In order to detect malicious web pages, we propose and analyze a novel set of features including HTML, JavaScript (jQuery...
Bringing P2P to the web: security and privacy in the firecoral network
Peer-to-peer systems have been a disruptive technology for enabling large-scale Internet content distribution. Yet web browsers, today's dominant application platform, seem inherently based on the client/server communication model. This paper presents the design of Firecoral, a browser-based extension platform that enables the peer-to-peer exchange of web content in a secure, flexible manner. Fi...
Detecting Bot Networks Based On HTTP And TLS Traffic Analysis
Bot networks are a serious threat to cyber security, whose destructive behavior affects network performance directly. Detecting infected HTTP communications is a big challenge because infected HTTP connections are clearly merged with other types of HTTP traffic. Cybercriminals prefer to use the web as a communication environment to launch application layer attacks and secretly enga...