Speaker Schedule
- Organizational meeting: Speaker sign up
October 1st, 2008
- Speaker: Collin Jackson
- Title: Robust Defenses for Cross-Site Request Forgery
- Abstract: Cross-Site Request Forgery (CSRF) is a widely exploited web site
vulnerability, but none of the three major CSRF defenses are
satisfactory and many web sites neglect to prevent login CSRF. In a
login CSRF attack, an attacker uses the victim's browser to forge a
cross-site request to the honest site's login URL, supplying the
attacker's user name and password. This forged request can disrupt the
integrity of the session and enable theft of confidential information.
Although the HTTP "Referer" header could be used as an effective
general CSRF defense, our experiments indicate that the header is
widely blocked at the network layer due to privacy concerns. Our
experimental data shows, however, that the header can be used today as
a reliable CSRF defense over HTTPS, which is ideal for login CSRF
prevention. For the long term, we propose and implement the Origin
header, which provides the security benefits of the Referer header
while responding to privacy concerns. We also discuss defenses for
session initialization attacks and "clickjacking."
- Joint work with: Adam Barth and John C. Mitchell.
October 8th, 2008
- Speaker: Peifung Eric Lam
- Title: Introduction to OpenID and Information Cards
- Abstract: This talk provides an introduction to the OpenID security protocol and the Information Card identity system. OpenID is a single sign-on
protocol that is gaining some popularity on the Internet, particularly
on blogging sites. Information Card is a way of representing identities
using digital photo identity cards, and has gained support in certain
corporations and open source communities. This talk will focus on the
architectural components of these technologies.
October 15th, 2008
- Speaker: David Freeman
October 22nd, 2008
- Speaker: Unclaimed
October 29th, 2008
- Speaker: Unclaimed
November 5th, 2008
- Speaker: Shweta
November 12th, 2008
- Speaker: Hristo
November 19th, 2008
- Speaker: Ankur
November 26th, 2008
- No lunch this week due to Thanksgiving break
December 3rd, 2008
- Speaker: Mike Hamburg
- Security Lunch Logistics
- Autumn 2007 speaker schedule
- Winter 2008 speaker schedule
- Spring 2008 speaker schedule
- To receive weekly announcements:
- Send email to MHAMBURG at Charlie Sam dot STANFORD dot EDU
- Stanford Security Lab
- Stanford Security Seminar