The web is replete with “widgets” embedded into sites but hosted by external parties (witness: Google Maps, Facebook Social Plugins). Some of the best uses of these widgets require the various widgets to communicate with the embedding site or even with each other. Without a secure communication channel, though, these widgets can expose sensitive information or capabilities to malicious parties eavesdropping, spoofing, or manipulating that communication.<\/p>\n
window.postMessage() [1] gives modern browsers a secure and convenient communication channel. Unfortunately, a significant portion of internet users are browsing with non-modern browsers [2].<\/p>\n
The traditional method of communicating between iframes is via updating the target frame’s URL fragment (a.k.a. #hash). This method can be made secure, but naive implementations (of which there are legion) are open to spoofing and eavesdropping.<\/p>\n
This talk will describe the Needham-Schroeder-Lowe protocol, a well-known security protocol, and show the protocol’s ability to secure the traditional #hash communication channel against spoofing and eavesdropping attacks.<\/p>\n
The information in this talk is based on research by Adam Barth, Collin Jackson, and John C. Mitchell of Standford University’s Web Security Group [3].<\/p>\n
[1] http:\/\/www.whatwg.org\/specs\/web-apps\/current-work\/multipage\/comms.html<\/a>
\n[2] A brief flip through Wikipedia suggests about 10% of the web browsing population uses Internet Explorer 6 or 7.
\n[3] http:\/\/seclab.stanford.edu\/websec\/frames\/post-message.pdf<\/a><\/p>\n