
WEB BROWSER PLUGIN SECURITY

IP.com Disclosure Number: IPCOM000247996D
Publication Date: 2016-Oct-14
Document File: 5 page(s) / 807K

Publishing Venue

The IP.com Prior Art Database

Related People

Yoav Glazner: AUTHOR [+2]

Abstract

Presented herein is a solution for enabling a plugin safe zone for protection from malicious plugins and to provide a more secure web access. A new plugin is created, which establishes the safe zone. Sensitive information is shown only in the safe zone. The data is sent from the website to the plugin safe zone without being exposed to the other plugins that might be installed on the same browser. The safe zone enables the creation of a trusted execution environment (TEE).

This text was extracted from a PDF file.
This is the abbreviated version, containing approximately 52% of the total text.


AUTHORS:

Yoav Glazner

Amitay Stern

CISCO SYSTEMS, INC.

DETAILED DESCRIPTION

Currently, most web users install plugins on their web browsers. Most plugins have access to the document object model (DOM) elements of the web page. This constitutes a security risk because the plugins have access to two types of data:

1. Data sent from the user to the website (e.g., the user's password).

2. Data sent from the server to the user that is shown in the webpage and may be sensitive.

    Although plugins could be reviewed by the browser developers (for example, Google for Chrome extensions and Mozilla for Firefox add-ons), it is difficult to distinguish between a plugin's legitimate and illegitimate behavior. In fact, plugins have been banned long after they initially became active.

While browser plugins have access to the content of the webpage itself, they do not have access to the content of other browser plugins. Presented herein is a new plugin that establishes a safe zone. Sensitive information is shown only in this zone. Sensitive information may include selected parts of the webpage (for example, password fields) or the entire webpage (e.g., if it is desired to secure content of the entire webpage).

Copyright 2016 Cisco Systems, Inc.

Data is sent from the website to the safe zone plugin (SZP) without being exposed to the other plugins that might be installed on the same browser. This can be accomplished by one or more of the following methods:

• The data is sent directly from the website to the SZP, without going through the webpage.

• The data is sent encrypted to the webpage, then the SZP decrypts the data and shows it in the safe zone.
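
The second method above, modeled as an added example that is not code from the disclosure: Node's `crypto` module stands in for the server and for the SZP so the flow runs offline. The function names, the pre-shared key, the origin/field binding and the sample values are all assumptions of this sketch.

```javascript
// Added example: models "encrypted to the webpage, decrypted by the SZP".
const nodeCrypto = require('node:crypto');

// ASSUMPTION: server and SZP already share this key; the disclosure excerpt
// does not say how it is provisioned.
const sharedKey = nodeCrypto.randomBytes(32);

// Server side: AES-256-GCM, with origin and field id bound in as AAD
// (the binding is an assumption of this sketch, not stated on the page).
function sealForSafeZone(key, origin, fieldId, plaintext) {
  const iv = nodeCrypto.randomBytes(12);
  const c = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  c.setAAD(Buffer.from(`${origin}|${fieldId}`));
  const ct = Buffer.concat([c.update(plaintext, 'utf8'), c.final()]);
  return Buffer.concat([iv, c.getAuthTag(), ct]).toString('base64');
}

// SZP side: returns the plaintext, or null if the blob was modified or was
// sealed for a different origin or field.
function openInSafeZone(key, origin, fieldId, blob) {
  const raw = Buffer.from(blob, 'base64');
  if (raw.length < 28) return null; // 12-byte IV + 16-byte tag minimum
  try {
    const d = nodeCrypto.createDecipheriv('aes-256-gcm', key, raw.subarray(0, 12));
    d.setAAD(Buffer.from(`${origin}|${fieldId}`));
    d.setAuthTag(raw.subarray(12, 28));
    return Buffer.concat([d.update(raw.subarray(28)), d.final()]).toString('utf8');
  } catch {
    return null; // authentication failed: the safe zone shows nothing
  }
}

// Constructed sample: what the page DOM holds vs. what the safe zone shows.
function demo() {
  const origin = 'https://bank.example', secret = 'Balance: 1,204.55';
  const dom = { 'szp-balance': sealForSafeZone(sharedKey, origin, 'balance', secret) };
  const seenByOtherPlugins = dom['szp-balance']; // ciphertext only
  return {
    leaksToDom: seenByOtherPlugins.includes(secret),
    safeZoneText: openInSafeZone(sharedKey, origin, 'balance', seenByOtherPlugins),
    movedToOtherField: openInSafeZone(sharedKey, origin, 'password', seenByOtherPlugins),
  };
}
console.log(demo());
```
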

    The website's server sends and receives data only to/from the SZP, thus guaranteeing the confidentiality of its own data. Also, in order to prevent other plugins from using the same methods and acquiring c...