University of British Columbia
Towards Web 2.0 Content Sharing Beyond Walled Gardens
San-Tsai SunSupervisor: Kosta Beznosov
Laboratory for Education and Research in Secure Systems Engineering (LERSSE) University of British Columbia
practical problem
2
lack of usable mechanisms for secure Web 2.0 user content sharing across content and service
providers (CSPs)
content sharing scenario
3
CCA scouts only
Colonial Coast Adventures (CCA)Girl Scouts
Alice Jenny
Picasa WebAlice’s CCA scout friends in Picasa Web
question
4
• how to enable useful sharing of Web 2.0 content across CSPs?
• can existing technologies enable this type of sharing?
secret-link approach
5
AlicePicasa Web
Jenny
http://picasaweb.google.com/Alice?authkey=Gv1sRgCOzuv
usable for Web users easy to implement by CSPs
Alice does not have control over Jenny’s sharing of secret link with othersAlice has to know Jenny’s email
secret-link
design goals• content sharing useful for average users• user-centric, i.e., access policy and identity
follow the user• only use browser, no special software or
crypto on the user computer• CSPs
– separation of content hosting and content sharing– not required to change their existing access-
control mechanism
6
approach• OpenIDemail extension [1] to enable OpenID IdPs
to use email as an alternative identifier– www.alo.com/santsai vs. [email protected]
• policy hosting service– role-based trust-management policy language (RT)
for credentials and policies [2] – distributed membership and containment queries
7
[1] B. Adida, “EmID: Web authentication by email address,” in The Proceedings of Web 2.0 Security and Privacy Workshop 2008, Oakland, California, USA, 2008.
[2] N. Li, J. C. Mitchell, and W. H. Winsborough, “Design of a role-based trust-management framework,” in SP ’02 Proceedings of the 2002 IEEE Symposium on Security and Privacy, 2002
sharing scenario
8
CCA
AlicePicasa Web
policy service Gmail
[email protected] [email protected]
CCA.scout [email protected]
CCA.scout [email protected]
CCA.scout [email protected]
policy service Yahoo
secret-link, [email protected]
memberships
secret-link
access scenario
9
Picasa Web
policy service Gmail
[email protected] [email protected]
CCACCA.scout [email protected]
CCA.scout [email protected]
CCA.scout [email protected]
policy service Yahoo
[email protected], [email protected]
containment
Jenny
secret-link
OpenIDemail
AOL
yes/no
content sharing scenario 2
10
CCA scouts and their parents only
Colonial Coast Adventures (CCA)Girl Scouts
MaryAlice Jenny
Picasa WebAlice’s scout friends in Picasa Web
sharing scenario 2
11
CCA
Alice
Picasa
policy service Gmail
[email protected] [email protected]
[email protected]_parent [email protected]
CCA.scout [email protected]
CCA.scout [email protected]
CCA.scout [email protected]
policy service Yahoo
[email protected]_parent
[email protected]@gamil.com.scout_parent
Jenny
policy serviceAOL
[email protected] [email protected]
[email protected]_parent [email protected]
access scenario 2
12
Picasa
CCACCA.scout [email protected]
CCA.scout [email protected]
CCA.scout [email protected]
policy service Yahoo
[email protected]_parent ,[email protected]
memberships
secret-link
yes/no
policy serviceAOL
[email protected] [email protected]
[email protected]@gamil.com.scout_parent
cont
ainm
ent
Jenny
secret-link
Mary
policy service Gmail
progress up-to-date
• protocols/algorithms for distributed memberships and containment queries
• preliminary prototype• initial performance evaluation
13
open questions• what is the expressiveness of sharing control
that users need?• how to design useable interface for controlled
sharing?• how to limit transitive trust?
– A trusts B B trusts C A trusts C• how to preserve the confidentiality of
credentials and policies?– CCA does not want everybody to know email
addresses of its scouts14
future work
• investigate user needs in controlled sharing • design user interface• evaluate usability • investigate an approach for limiting transitive
trust• preserve the confidentiality of credentials and
policies• investigate phishing/spam prevention• improve performance
15
San-Tsai Sun <[email protected]>
16
San-Tsai Sun and Konstantin Beznosov. Open problems in Web 2.0 user content sharing. Presented at iNetSec Workshop, April 23th 2009.
San-Tsai Sun, Kirstie Hawkey, and Konstantin Beznosov. Towards enabling web 2.0 content sharing beyond walled gardens. To be presented at the Workshop on Security and Privacy in Online Social Networking, August 29th 2009