In this 54-minute video presentation, Brad Karp of University College London talks about “safeguarding users’ sensitive data in the cloud and the browser.” The title is very inviting to those who want to know how to protect sensitive data. Today, the use of cloud services has become quite prevalent and many new applications have evolved that combine information from multiple sources to benefit the user. Along the way, the application needs access to the customer’s sensitive data. At the outset, Karp emphasizes how the performance of systems cannot be a tradeoff for privacy. He shows a chart of vulnerabilities over the years. This chart shows that vulnerabilities have been steadily increasing. He comments that it is like how people are more aware of cancer today because of the different avenues in which this topic is discussed. It does not mean that there is more cancer today than before. In his talk, he points out that in order to reduce privileged code, one has to reduce the attack surface. He continues with a discussion of privacy on the client-side. He amplifies his remark that web pages of the past have evolved into web applications by showing a practical application in use today and how it requires users to share their login credentials with the site in order for the app to gather the relevant data. He points out through some high-level descriptions how one need not share sensitive credentials with others; the site would be able to gain the functionality it needs by other means. In this regard, he points out how his group of researchers has developed a new standard that is now in the comment phase, and how it is developing sample implementations of its code in order for browser developers to see the value of its approach. His main emphasis in this regard is confinement, which is a way for a browser to prevent an application that gathers sensitive data from one site from sharing it with any other site. This approach supports both flexibility and privacy. He concludes the talk with two opportunities for creating secure enclaves.
I was impressed with the code size comparison and the code developed to implement this new approach to protecting sensitive data. The use of a popular application shows how the application is trusted now by users and how its functionality could be used without having access to sensitive user credentials. The details are still in the demonstration stage and it has not become a World Wide Web Consortium (W3C) standard, but the process is ongoing.