Google Tech Talks
March 10, 2008
Web content has shifted from simple documents to active programs, but
web protocols and browsers have not evolved adequately to support them.
As a result, safety problems in web sites and web browsers now
regularly make headlines, from browser exploits to ISPs that modify web
pages. In this talk, I will discuss my research into improving the
security and reliability of web content and browsers.
For most of this talk, I will focus on one particular problem: the
ability for intermediaries to modify web content in-flight. Our recent
measurement study shows that many clients now receive web pages that
have been altered before reaching the browser. The changes range from
injected advertisements to popup blocking code to malware, often
affecting the user’s privacy and security. Some of these changes
introduce bugs and even vulnerabilities into the pages they modify.
Most sites are unwilling to switch to SSL for reasons of cost and
performance, so I will show how web servers can use “web tripwires” to
After this, I will talk more broadly about my research on web browser
security, focusing on the deficiencies of today’s web as an application
platform. Starting from my prior work on BrowserShield, I will show how
we need a safer architecture for running programs within the browser.
Like an operating system, this new architecture will need effective
mechanisms to define, isolate, and enforce policies on these web programs.
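The in-flight modification detection that the web tripwire paragraph above refers to, as an added illustrative example that is not the speaker's or the project's code: the server embeds a known-good copy of its page HTML in a script, and the script compares it with the HTML the browser actually received and reports what was injected or removed. The sample page, the whitespace normalization and the report format are assumptions made for this example.

```javascript
// Added example, not the speaker's code: a simplified "web tripwire".
// The server embeds a known-good copy of its page HTML in the script; the
// script compares it with the HTML the browser received and reports changes.
// Constructed sample page for this example:
const EXPECTED_HTML =
  '<html><head><title>Example</title></head><body>' +
  '<h1>Hello</h1><p>Welcome.</p></body></html>';

// Drop whitespace between tags and collapse the rest so harmless
// reserialization is not flagged. Attribute re-quoting and other browser
// normalisation would need handling in a real deployment (assumption).
function normalize(html) {
  return html.replace(/>\s+</g, '><').replace(/\s+/g, ' ').trim();
}

// Compare expected vs observed HTML; on mismatch, locate the changed
// region, snapped back to the start of the enclosing tag so the report
// shows whole injected markup rather than a mid-tag fragment.
function checkTripwire(expectedHtml, observedHtml) {
  const e = normalize(expectedHtml), o = normalize(observedHtml);
  if (e === o) return { modified: false };
  let start = 0;
  const limit = Math.min(e.length, o.length);
  while (start < limit && e[start] === o[start]) start++;
  while (start > 0 && o[start - 1] !== '>') start--;
  let endE = e.length, endO = o.length;
  while (endE > start && endO > start && e[endE - 1] === o[endO - 1]) {
    endE--; endO--;
  }
  return {
    modified: true,
    offset: start,
    removed: e.slice(start, endE),
    inserted: o.slice(start, endO),
  };
}

// Classify the change and build the JSON the browser would POST back.
function buildReport(result, url) {
  let kind = 'unmodified';
  if (result.modified) {
    kind = result.inserted && result.removed ? 'replaced'
         : result.inserted ? 'injected' : 'removed';
  }
  return JSON.stringify({ url, kind, ...result });
}
// In a browser, run after load (not executed here):
//   const r = checkTripwire(EXPECTED_HTML, document.documentElement.outerHTML);
//   then POST buildReport(r, location.href) to the server.
```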
Speaker: Charles Reis
Charles Reis is a PhD student in the Department of Computer Science &
Engineering at the University of Washington, studying with Steve Gribble
and Hank Levy. His current research focuses on improving the security
and reliability of web content and web browsers. In the past, he has
also worked on models of wireless interference with David Wetherall.
Charles received a B.A. and an M.S. in Computer Science from Rice
University, where he worked with Corky Cartwright and Peter Druschel.
At Rice, Charles was the second lead developer for DrJava, a widely used
educational programming environment.