TL;DR
WAIT enhances web application security by enabling browsers to verify client-side code integrity through publicly verifiable logs, increasing transparency and accountability against malicious modifications.
Contribution
The paper introduces WAIT, a novel system that makes client-side web application modifications transparent and verifiable, addressing a gap in existing security mechanisms.
Findings
Browser extensions enable local integrity validation.
Web servers include a custom HTTP header for transparency.
Verifiable logs allow browsers to detect undisclosed modifications.
Abstract
Modern single page web applications require client-side execution of application logic, including critical functionality such as client-side cryptography. Existing mechanisms such as TLS and Subresource Integrity secure the communication and provide external resource integrity. However, the browser is unaware of modifications to the client-side application as provided by the server, and the user remains vulnerable to malicious modifications carried out on the server side. Our solution makes such modifications transparent and empowers the browser to validate the integrity of a web application based on a publicly verifiable log. Our Web Application Integrity Transparency (WAIT) approach requires (1) an extension for browsers for local integrity validations, (2) a custom HTTP header for web servers that host the application, and (3) public log servers that serve the verifiable logs.…
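The three components named in the abstract, modelled end to end as an added example (not code from the paper or its authors): the server records the digest of the bundle it deploys in an append-only Merkle log and announces digest plus inclusion proof in a custom header; the browser extension recomputes the digest of what it actually received and checks the proof against the log head it trusts. The header name X-WAIT-Integrity, the JSON claim layout and the log's hashing scheme are assumptions.

```python
import hashlib
import json
def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def hash_bundle(resources: dict) -> bytes:
    """Digest of every served resource (path and body) in canonical order; any server-side edit changes it."""
    h = hashlib.sha256()
    for path in sorted(resources):
        h.update(sha256(path.encode()) + sha256(resources[path]))
    return h.digest()
def _pad(nodes: list) -> list:  # a Merkle level with an odd node count repeats its last node
    return nodes + ([nodes[-1]] if len(nodes) % 2 else [])
class TransparencyLog:
    """Append-only Merkle log of (origin, bundle digest) records: a constructed stand-in for the public log server."""
    def __init__(self):
        self.leaves = []
    def append(self, origin: str, bundle_hash: bytes) -> int:
        self.leaves.append(sha256(b"\x00" + origin.encode() + bundle_hash))
        return len(self.leaves) - 1
    def root_and_proof(self, index: int) -> tuple:
        """Current tree head and the sibling path from leaf `index` up to it."""
        nodes, proof = list(self.leaves), []
        while len(nodes) > 1:
            nodes = _pad(nodes)
            proof.append([nodes[index ^ 1].hex(), index % 2 == 0])  # [sibling digest, sibling is on the right]
            nodes = [sha256(b"\x01" + nodes[i] + nodes[i + 1]) for i in range(0, len(nodes), 2)]
            index //= 2
        return nodes[0], proof

def verify_inclusion(leaf: bytes, proof: list, root: bytes) -> bool:
    node = leaf
    for sibling_hex, sibling_is_right in proof:
        sib = bytes.fromhex(sibling_hex)
        node = sha256(b"\x01" + node + sib) if sibling_is_right else sha256(b"\x01" + sib + node)
    return node == root

def server_header(log: TransparencyLog, origin: str, resources: dict) -> dict:
    """Server side: log the version being deployed, then announce digest and inclusion proof in the (assumed) header."""
    digest = hash_bundle(resources)
    _, proof = log.root_and_proof(log.append(origin, digest))
    return {"X-WAIT-Integrity": json.dumps({"bundle": digest.hex(), "proof": proof})}

def browser_validate(origin: str, headers: dict, resources: dict, log_root: bytes) -> bool:
    """Extension side: hash what was actually served and check that exactly that version is logged for this origin."""
    claim = json.loads(headers.get("X-WAIT-Integrity", "null"))
    served = hash_bundle(resources)
    if not claim or served.hex() != claim["bundle"]:
        return False  # header missing, or the served code differs from the version the server disclosed
    return verify_inclusion(sha256(b"\x00" + origin.encode() + served), claim["proof"], log_root)
```

A served bundle that was never logged, or that was logged for a different origin, fails the check the same way a tampered one does; the log root itself must come from the log server, not from the application's own response.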
