Category Archives: Technology

Browser Side Cryptography

I talked about browser based security last week. As we have more and more cloud or web delivered applications, the browser is playing an important role. Most (if not all) user interaction in browser are programmed via javascript. With Cloud Computing, client side script will be playing a ever more important role.

The data security and data privacy concerns on using cloud services or hosted application (like web email) is holding people. The incident in Paula Broadwell showed law enforcement agents had far move power and means to access individual data than we think of. If you like to understand the legal framework on this, there is a very good paper wrote by three Netherlands legal researcher.

Cloud Computing in Higher Education and Research Institutions and the USA Patriot Act


One way, user could protect their data ever if it in the cloud is using client side encryption. Why client side? It is because the data must be protected before it is going to the Internet. This means that data are encrypted at the client and the servers only store encrypted data. When the user want to use it, the servers send the encrypted data and the client decrypt it. As most user are access the internet using a browser, it it an obvious choice for doing the data encrypt/decrypt job. However, cryptography functions are not well developed in the javascript domain. There are some open source editions like Google-CryptoJS.

W3C has a working group on Web Cryptography and they is developing a library standard for JS cryptography.  Below are some user cases, for how the new Web Cryptography API is designed for


Browser based website security control

Since I moved from an internal IT Risk manager to a security consulting firm, I have been involving in different discussions on web application security. These experiences made me think that browsers are not a security software and its design has little security consideration. Missing security features in browser is one of the root cause for today’s cybercrime.

There were some new developments in the browser domain that trying to address the root cause. Developers for PayPal, Mozilla and Microsoft develop three new browser-based security controls:

  1. Content Security Policy (CSP)
  2. HTTP Strict Transport Security
  3. Frame Options

These are IMPORTANT security features and once enabled will stop most XSS attacks. However, these security features need both server and client side implementations in order to utilize the protections. Not all browsers support these new features! Only Firefox 4 and IE10 support.

The Australia Department of Defense published a comprehensive and user-friendly document on these features. It is a must read for all web developers.

Technical guidance for improving web application security through implementing web browser based mitigation

To test if your browser supports Content Security Policy, we could to go Internet Storm Centre. If you only see one Javascript popup, your browser supports CSP. Recently, a security firm Recx Ltd created a Chrome extension that analyse web pages security features. It check the HTTP-headers and cookie settings against best practices, then shows the result in a simple and directly way. I installed it on Chrome and used it to test on some websites. The first is HKCERT, where a few of my friends are working there. I am sure they do not mind to demonstrate web security implementations.

Although there are still some room to improve, they are doing a very good job when comparing with a HK online banking website (shown on right hand side).

web page security

To cloud or not to cloud ?

If you ask the above question to the various cloud services providers, I am sure their answers are “Definite yes”.

If you ask the same question to end users, their answers may end up like “I really don’t care.”. And for the question again to business owners, their answers will probably are “May-be’s” because seriously no one really reveals all the cloud benefits, implementation pros and cons to them.

To IT professionals, however, we will probably provide a vague answer – “It depends.”. The long form of the answer is – “It depends on the maturity of the cloud market, technology and whether the solution available today can match your budget, quality requirements, and expected service level. More importantly, whether cloud technology and solutions can help your company to improve competitive advantage.”

That’s exactly what Cloud Security Alliance (CSA) and Information Systems Audit and Control Association (ISACA) did in a recent survey to answer part of the question – what is the maturity of the cloud technology and market, now ? A collaborative project by CSA and ISACA , the Cloud Market Maturity study provides business and IT leaders with insight into the maturity of cloud computing.

The study also reveals that cloud users in 50 countries were least confident about the following issues (ranked from least confident to most confident):

  1. Government regulations keeping pace with the market (1.80)
  2. Exit strategies (1.88)
  3. International data privacy (1.90)
  4. Legal issues (2.15)
  5. Contract lock in (2.18)
  6. Data ownership and custodian responsibilities (2.18)
  7. Longevity of suppliers (2.20)
  8. Integration of cloud with internal systems (2.23)
  9. Credibility of suppliers (2.30)
  10. Testing and assurance (2.30)

None of these findings are really a surprise, I suppose, however it is important to conduct such project because it helps us to understand how the cloud market will change over time, and how it advances from infancy to full maturity.

Do check out the press release and the full report to understand more about the findings, or you can check out the following infographics – the whole report in one picture.

Privacy enhancing technologies 10 years later

For my first post, i’d like to discuss privacy enhancing technologies.

When i was a fresh out of graduate school, i joined a start up called “zero-knowledge systems”. This being in the middle of the dot com boom, they had 300+ employees, great parties and essentially no revenues! Beyond the hype and fluff, we created truly innovative solutions to protect online privacy. Their main product was essentially a “mix-net” somewhat like “tor” that masked the users’ ip addresses. I was in what they called the “evil genius” team and working on future products. I was fortunate to work on privacy enhancing credentials based on the work of stefan brands. This technology is awesome (and now belongs to microsoft) it allowed one to show certificate properties without divulging anything else (even with collusion of the verifier and the certificate issuer) – this is highly counter-intuitive. Using these mathematical tricks, we could develop electronic cash that had properties that were almost identical to physical cash – it was impossible to determine who had owned the cash before the current transaction. This was very exciting stuff at the time.

Despite their amazing potential, these technologies have not really hit the main stream. Privacy seems to be the realm of lawyers and regulators nowadays. Back in 2000, we did not think things would evolve this way. The internet has changed since then with google, facebook, etc. however i persist to believe that privacy enhancing technologies can more easily solve many of the privacy issues we are dealing with today…

Perhaps, just like mobile payments that are just now starting to take off after being feasible for 10+ years, privacy enhancing technologies should be revisited… The business cases did not fly back then, perhaps they would today.

Looking forward to hearing your views. I also understand that there are huge variations in how people perceive privacy in different cultures. Perhaps a more fundamental question is whether in the age of facebook we even care strongly about privacy?


Warning: my career has taken many twists and turns and i have not worked on this for several years and may not have the most up to date information.