Privacy

New Web privacy system would revolutionize surfing safety

Published 8 October 2014


Scientists from University College London (UCL), Stanford Engineering, Google, Chalmers, and Mozilla Research have built a new system that protects Internet users’ privacy while increasing the flexibility for Web developers to build Web applications that combine data from different Web sites, dramatically improving the safety of surfing the Web.

The system, “Confinement with Origin Web Labels,” or COWL, works with Mozilla’s Firefox and the open-source version of Google’s Chrome Web browsers and prevents malicious code in a Web site from leaking sensitive information to unauthorized parties, while allowing code in a Web site to display content drawn from multiple Web sites — an essential function for modern, feature-rich Web applications.

A UCL release reports that testing of COWL prototypes for the Chrome and Firefox Web browsers shows the system provides strong security without perceptibly slowing the loading speed of Web pages.

Following its announcement today, COWL will be freely available for download and use on 15 October from http://cowl.ws. The team which developed it, including two Ph.D. students from Stanford (working in collaboration with Mozilla Research) and a recently graduated Ph.D. from UCL (now employed by Google), hope COWL will be widely adopted by Web developers.

Currently, Web users’ privacy can be compromised by malicious JavaScript code hidden in seemingly legitimate Web sites. The Web site’s operator may have incorporated code obtained elsewhere into his or her Web site without realizing that the code contains bugs or is malicious. Such code can access sensitive data within the same or other browser tabs, allowing unauthorized parties to obtain or modify data without the user’s knowledge.

The research team describe COWL in a paper published in the proceedings of the 11th USENIX Symposium on Operating Systems Design and Implementation (OSDI ’14).

Co-author Professor Brad Karp (UCL Computer Science) said: “COWL achieves both privacy for the user and flexibility for the Web application developer. Achieving both these aims, which are often in opposition in many system designs, is one of the central challenges in computer systems security research.

“The new system provides a property known as ‘confinement’ which has been known since the 1970s, but proven difficult to achieve in practical systems like Web browsers. COWL confines JavaScript programs that run within the browser, such as in separate tabs. If a JavaScript program embedded within one Web site reads information provided by another Web site — legitimately or otherwise — COWL permits the data to be shared, but