Ilkan Esiyok (CISPA Helmholtz Center for Information Security), Pascal Berrang (University of Birmingham & Nimiq), Katriel Cohn-Gordon (Meta), Robert Künnemann (CISPA Helmholtz Center for Information Security)

The Internet is a major distribution platform for web applications, but there are
no effective transparency and audit mechanisms in place for the web. Due to the ephemeral nature
of web applications, a client visiting a website has no guarantee that the
code it receives today is the same as yesterday, or the same as other visitors
receive. Despite advances in web security, it is thus challenging to audit
web applications before they are rendered in the browser. We propose
Accountable JS, a browser extension and opt-in protocol for accountable
delivery of active content on a web page. We prototype our protocol,
formally model its security properties with the Tamarin Prover, and
evaluate its compatibility and performance impact with case studies
including WhatsApp Web, AdSense and Nimiq.

Accountability is beginning to be deployed at scale, with Meta’s recent announcement of Code Verify
available to all 2 billion WhatsApp users, but there has been little formal analysis of such protocols.
We formally model Code Verify using the Tamarin Prover and compare its properties to our Accountable JS protocol. We also compare Code Verify’s and Accountable JS extension's performance impacts on WhatsApp Web.

View More Papers

Evasion Attacks and Defenses on Smart Home Physical Event...

Muslum Ozgur Ozmen (Purdue University), Ruoyu Song (Purdue University), Habiba Farrukh (Purdue University), Z. Berkay Celik (Purdue University)

Read More

Fusion: Efficient and Secure Inference Resilient to Malicious Servers

Caiqin Dong (Jinan University), Jian Weng (Jinan University), Jia-Nan Liu (Jinan University), Yue Zhang (Jinan University), Yao Tong (Guangzhou Fongwell...

Read More

Do Privacy Labels Answer Users' Privacy Questions?

Shikun Zhang, Norman Sadeh (Carnegie Mellon University)

Read More

Breaking and Fixing Virtual Channels: Domino Attack and Donner

Lukas Aumayr (TU Wien), Pedro Moreno-Sanchez (IMDEA Software Institute), Aniket Kate (Purdue University / Supra), Matteo Maffei (Christian Doppler Laboratory...

Read More