Send email Copy Email Address
Annabelle Theobald

"Like a Band-Aid that doesn't stick"

CISPA Researcher Dr. Ben Stock on the CSP Security Mechanism and the need for empowered users

"The best tools in the world won't help us if those who use them don't understand them," says Dr. Ben Stock. The cybersecurity researcher is convinced that functionality and usability of security tools will have to be brought together more closely in the future. Among other things, he and his team are currently putting the Content Security Policy (CSP) security mechanism to the test. This mechanism is originally intended to prevent sensitive user data from being stolen by exploiting security vulnerabilities in web applications or to prevent applications from being taken over by attackers. However, as the researchers were able to show, CSP can rarely be used effectively so far. This is not solely down to the technical weaknesses of the standard - up until now, users and their needs have been left out of the equation too much.

 One of the most common attacks on the Web, and a good reason to use CSP, is cross-site scripting (XSS). This method, which allows attackers to place malicious script code in users' browsers, for instance, was first described in 1999.  The code is processed by the computer as if it were just ordinary web page content. Cybercriminals can thus steal highly confidential information such as users' passwords and cause great damage. In 2012, the CSP security mechanism was developed to counter such attacks. Its purpose is to prevent attackers from exploiting existing security vulnerabilities. A CSP is designed for developers to specify which script code is their own and should be allowed to run. This helps prevent malicious script code from being executed - but only if the security mechanism is also properly configured."

"However, we assume that about 95 percent of websites do not properly implement CSP in its current form," says CISPA Faculty Ben Stock. For one, there are technical reasons behind this. For example, Stock's team showed in a tracking study that more than two-thirds of the most popular websites contain third-party code that is incompatible with CSP. However, since site operators are dependent on third-party code, for example to display advertising and thus generate profits, the security mechanism is currently of little or no use to them. "A CSP is supposed to prevent the worst, but it's more like a Band-Aid that doesn't stick," says Stock. 

Technical weaknesses are only part of the story, however. For a CSP to be effective, web developers must also understand how to configure it properly and where threats might be lurking. A new qualitative study by Stock's team, in collaboration with CISPA Faculty Katharina Krombholz's research group, aims to shed light on where web developers fail when using a CSP. "The end result could be the realization that we need to rethink the security mechanism from the ground up," Stock says.

Stock believes that better educating developers and users and making them aware of potential threats is an important component of web security. "Too often, users are disenfranchised when it comes to web security." For example, he says, there is often no in-depth explanation as to why a security notice pops up when a page is accessed, or why the browser blocks certain web content. "Finding technical solutions that are also easily understandable - that's the very big challenge," Stock says.

Ben Stock has been at CISPA since 2015, first as a postdoc, then as a research group leader, and since July 2018 as Faculty. The 36-year-old, a native of Mainz, Germany, conducts research on topics including web and network security and usable security.

translated by Tobias Ebelshaeuser