Security

Here are my papers and ideas on web security, with a particular emphasis on web browsers.

Phishing

A Plan For Scams - a summary of the work that needs doing to protect Internet users from phishing.
Improving Authentication On The Internet - another paper analysing the phishing threat, and looking at current technologies in terms of privacy, validation and authentication.
Staying Safe From Phishing With Firefox - my "spec" for Firefox's anti-phishing efforts.
Phishing - Browser-based Defences - a survey of possible changes to browsers to better protect against phishing. It contains two key ideas:
- New Site - show users if they've visited a particular SSL site before.
- Phish Finder - discussion of the mechanisms and heuristics for an in-browser phishing site detector.

Content Restrictions - mitigate XSS attacks by allowing sites to specify the capabilities script on their pages should have.
Script Keys - mitigate XSS attacks by allowing sites to specify which scripts on their pages should run.

Link Fingerprints - ensure a downloaded file is the exact required version by embedding a checksum in the link to it.