Paper in proceedings, 2013

The HTTP and HTTPS protocols are the cornerstones of the modern web. From a security point of view, they offer an all-or-nothing choice to web applications: either no security guarantees with HTTP or both confidentiality and integrity with HTTPS. However, in many scenarios confidentiality is not necessary and even undesired, while integrity is essential to prevent attackers from compromising the data stream. We propose GlassTube, a lightweight approach to web application integrity. GlassTube guarantees integrity at application level, without resorting to the heavyweight HTTPS protocol. GlassTube prevents man-in-the-middle attacks and provides a general method for integrity in web applications and smartphone apps. GlassTube is easily deployed in the form of a library on the server side, and offers flexible deployment options on the client side: from dynamic code distribution, which requires no modification of the browser, to browser plugin and smartphone app, which allow smooth key predistribution. The results of a case study with a web-based chat indicate a boost in the performance compared to HTTPS, achieved with no optimization efforts.

Web application security

Application-level security policies

Data integrity

Lightweight enforcement


Per Hallgren

Chalmers, Computer Science and Engineering, Networks and Systems

Daniel T. Mauritzson

Ericsson AB

Andrei Sabelfeld

Chalmers, Computer Science and Engineering, Software Technology

PLAS '13 (ACM SIGPLAN workshop on Programming languages and analysis for security). Seattle, WA, USA. June 16-19, 2013

Vol. 8 71-82
978-1-4503-2144-0 (ISBN)


Information and Communication Technology






