Securing Web Inputs Using Parallel Session Attachments

Web applications have become a cornerstone of the critical cyber infrastructure powering our daily life. Untrusted browser environments, such as public computers and browsers with untrusted extensions, may expose sensitive data in web applications to attackers. One way to protect sensitive data in web sessions is to isolate it using a trusted environment, such as a trusted mobile phone. However, existing solutions either require modifications of web applications to incorporate the trusted environment, or require developers to manually pre-label sensitive data. To address these issues, we propose,WebTeleporter, a lightweight framework to protect users’ sensitive input through a trusted mobile environment. It attaches to the original web session an independent secure parallel session that isolates sensitive input without any change to web applications.WebTeleporteris highly flexible, such that users can choose to opt in to the secure environment at any time, and choose sensitive input to protect on demand. Our evaluation demonstrates thatWebTeleporteris compatible with 11 popular web applications and frameworks. It can protect 99% of pages that contain sensitive input. It takes low overhead to deployWebTeleporter, which is a one-time effort for various applications.WebTeleporterintroduces negligible performance overhead, i.e., 13.9% increase in loading time, and 0.37% decrease in throughput.