• On-Site Registration Opens:
    30 November 2008

  • Awards Luncheon:
    1 December 2008

  • Exhibit Opening & 
    Welcome Reception:
    1 December 2008





Win Prizes
T10: Web Security

Presenter: Thomas Chen, Southern Methodist University


The World Wide Web has become such a predominant Internet application that many in the public think that the Web is the Internet. The Web has certainly evolved far from browsing static HTML pages. The Web is now used for e-mail, shopping, banking, socializing, multimedia entertainment, and even replacing traditional desktop office applications. The Web's apparent ease of use can mislead some users into a false sense of security. A Web browser is a complex software program with many capabilities, which can be used to open various avenues of attack. For example, a malicious Web site might download malicious software or deceive a user into disclosing private information. A malicious script might exploit a browser vulnerability to take over a user's computer. A Web site might install a cookie to monitor a user's browsing habits. Besides risks to Web clients, Web servers are popular targets for attacks. A compromised server could disclose private personal data, or be used as a platform to launch attacks.

This tutorial aims to raise awareness of the many security risks related to the Web. The first part gives an overview of Web protocols and technologies, including DNS, HTTP, SHTTP, SSL, Java, Javascript, ActiveX, and AJAX. The second part of the tutorial focuses on the security of Web servers. We give an overview of possible attacks on Web servers and current practices to strengthen servers against attacks. The third part of the tutorial addresses attacks on the Web client (browser). Many attacks on the user attempt social engineering, malicious downloads, data theft, or exploits of software vulnerabilities. For social engineering, we describe defenses against phishing attacks. For malicious software, we describe the limitations deliberately placed on Java, Javascript, and ActiveX for security. Additional defenses include antivirus, firewalls, and intrusion detection systems. The last part of the tutorial describes current trends and open issues in Web security that merit attention from researchers and system administrators.


Thomas M. Chen is a professor in networking at the Institute of Advanced Telecommunications (IAT) at Swansea University, Wales, UK, since May 2008. From 1997 to 2008, he was an associate professor in the Department of Electrical Engineering at Southern Methodist University in Dallas, Texas. He was formerly editor-in-chief of IEEE Communications Magazine (2006-2007) and founding editor-in-chief of IEEE Communications Surveys, and currently serves as a senior technical editor for IEEE Network, senior technical editor for IEEE Communications Magazine, editor for IEEE Press, editor for Journal of Security and Communication Networks, editor for International Journal on Security and Networks, and editor for International Journal of Digital Crime and Forensics. He is the co-author of ATM Switching Systems (Artech House, 1995) and co-editor of Broadband Mobile Multimedia: Techniques and Applications (CRC Press, 2008). He received the IEEE Communications SocietyÕs Fred Ellersick best paper award in 1996.