Browser evolution and web security: security defects and client-side countermeasures on emerging web technologies (Korean title: A study of security defects and client-side defense techniques for new web technologies)

The Web is the largest platform in the world. It has the powerful advantages of being accessible everywhere and easily searchable without installation. To cope with such widespread adoption, the Web is rapidly evolving, absorbing new technologies that were not part of its initial design. This dissertation aims to explore the security implications of emerging Web technologies and make browsing environments more secure without hindering the evolution of the Web. To this end, we focus on two recent Web technologies, Progressive Web Apps and WebVR. A Progressive Web App (PWA) is a new generation of Web application designed to provide native app-like browsing experiences. It brings native app features such as push notifications and offline mode to the Web by using a background execution component called Service Worker. WebVR is a new technology that enables Virtual Reality (VR) on the Web, providing websites with interfaces to manage VR peripherals (e.g., HMDs, controllers) and render VR content, thus enabling an immersive 3D experience on the Web.

However, there are situations in which these emerging technologies conflict with conventional Web safety principles, thereby undermining Web security. For instance, the new execution pattern of PWAs (e.g., background execution) obscures the underlying property of the Web that users can easily recognize the currently running site. Furthermore, the Web's sandboxing technique, which securely executes multiple sources in 2D space, cannot simply be applied to 3D space, making it difficult to provide isolated rendering execution contexts between multiple sources in the WebVR environment.

Based on these observations, we first introduce new phishing threats that exploit the difficulty of identifying the source of running PWAs and demonstrate how users' sensitive information (e.g., browsing history) can be leaked. We also present a cryptojacking attack that covertly hijacks users' computing resources from visited PWAs. Second, we introduce four new advertising fraud attacks unique to WebVR by assuming a malicious advertising provider and propose a defense solution that can safely render multi-origin resources in a 3D world. In this way, we show that conducting in-depth investigations of the risks of emerging Web technologies and presenting practical countermeasures can help provide a secure Web browsing environment.
Advisors
Shin, Insik (신인식)
Description
Korea Advanced Institute of Science and Technology (KAIST): School of Computing
Publisher
Korea Advanced Institute of Science and Technology (KAIST)
Issue Date
2021
Identifier
325007
Language
eng
Description

Thesis (Ph.D.) - Korea Advanced Institute of Science and Technology (KAIST): School of Computing, 2021.8, [iv, 65 p.]

Keywords

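Web security; progressive web application; phishing; browsing history sniffing; cryptojacking; WebVR; online ad fraud; JavaScript sandboxing

Korean keywords (translated): web security; progressive web app, phishing; phishing; website visit history leakage; cryptojacking attack; web virtual reality; online advertising fraud; JavaScript isolation techniques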

URI
http://hdl.handle.net/10203/295732
Link
http://library.kaist.ac.kr/search/detail/view.do?bibCtrlNo=962403&flag=dissertation
Appears in Collection
CS-Theses_Ph.D. (Doctoral theses)
Files in This Item
There are no files associated with this item.
