Here are my papers and ideas on web security, with a particular emphasis on web browsers. However, most of them are now rather old. I work on CA stuff for Mozilla, and most of the thinking and writing I do in this area is now in that context.
- Firefox and Self-Signed Certs - a defence of the Firefox certificate UI.
- A Plan For Scams - a summary of the work that needs doing to protect Internet users from phishing.
- Improving Authentication On The Internet - another paper analysing the phishing threat, and looking at current technologies in terms of privacy, validation and authentication.
- Staying Safe From Phishing With Firefox - my "spec" for Firefox's anti-phishing efforts.
- Phishing - Browser-based Defences - a survey of possible changes to browsers to better protect against phishing. It contains two key ideas:
- Content Restrictions - mitigate XSS attacks by allowing sites to specify the capabilities script on their pages should have. Many of the ideas from this have found their way into CSP.
- Script Keys - mitigate XSS attacks by allowing sites to specify which scripts on their pages should run. This idea also eventually made its way into CSP.
- Link Fingerprints - ensure a downloaded file is the exact required version by embedding a checksum in the link to it.