The Internet is a major distribution platform for
web applications, but there are no effective transparency and
audit mechanisms in place for the web. Due to the ephemeral
nature of web applications, a client visiting a website has no
guarantee that the code it receives today is the same as yesterday,
or the same as other visitors receive. Despite advances in web
security, it is thus challenging to audit web applications before
they are rendered in the browser. We propose Accountable JS,
a browser extension and opt-in protocol for accountable delivery
of active content on a web page. We prototype our protocol,
formally model its security properties with the TAMARIN Prover,
and evaluate its compatibility and performance impact with case
studies including WhatsApp Web, AdSense and Nimiq.
Accountability is beginning to be deployed at scale, with
Meta’s recent announcement of Code Verify available to all 2
billion WhatsApp users, but there has been little formal analysis
of such protocols. We formally model Code Verify using the
TAMARIN Prover and compare its properties to our Accountable
JS protocol. We also compare Code Verify’s and Accountable JS
extension’s performance impacts on WhatsApp Web.
History
Preferred Citation
Ilkan Esiyok, Pascal Berrang, Katriel Cohn-Gordon and Robert Künnemann. Accountable Javascript Code Delivery. In: Network and Distributed System Security Symposium (NDSS). 2023.
Primary Research Area
Algorithmic Foundations and Cryptography
Name of Conference
Network and Distributed System Security Symposium (NDSS)
Legacy Posted Date
2023-03-23
Open Access Type
Green
BibTeX
@inproceedings{cispa_all_3919,
title = "Accountable Javascript Code Delivery",
author = "Esiyok, Ilkan and Berrang, Pascal and Cohn-Gordon, Katriel and Künnemann, Robert",
booktitle="{Network and Distributed System Security Symposium (NDSS)}",
year="2023",
}