Enforcement of same origin policy for sensitive data

US 10,289,857 B1
Filed: 10/07/2014
Issued: 05/14/2019
Est. Priority Date: 06/22/2009
Status: Active Grant

First Claim

Patent Images

1. A method to improve the security of online communications comprising:

establishing a secure communication channel with a server, wherein the server is securely authenticated based on a digital certificate;

determining an origin identifier identifying the server of the established secure communication channel, wherein the origin identifier is based on the digital certificate used to securely authenticate the server;

receiving a web page via the secure communication channel;

detecting an element within the web page directed at release of a sensitive data;

determining an authorized origin identifier associated with the sensitive data; and

causing release of the sensitive data only if the origin identifier is the determined authorized origin identifier associated with the sensitive data.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods, systems, and apparatus relating to enforcement of same origin policy of sensitive data are described. In an embodiment, a security agent may help ensure release of sensitive data is only triggered by authorized sources. The security agent may help ensure sensitive data is only released to authorized destinations. A security agent may translate or obfuscate sensitive data. Sensitive data may include HTTP cookies, session data, authentication information, authorization information, personal information, user credentials, and/or other data sensitive in nature. Sensitive data destinations and/or sensitive data origins may be identified. Identification may be performed using secure means (such as for example a SSL/TLS handshake). Other embodiments are also disclosed and claimed.

Citations

22 Claims

1. A method to improve the security of online communications comprising:
- establishing a secure communication channel with a server, wherein the server is securely authenticated based on a digital certificate;
  
  determining an origin identifier identifying the server of the established secure communication channel, wherein the origin identifier is based on the digital certificate used to securely authenticate the server;
  
  receiving a web page via the secure communication channel;
  
  detecting an element within the web page directed at release of a sensitive data;
  
  determining an authorized origin identifier associated with the sensitive data; and
  
  causing release of the sensitive data only if the origin identifier is the determined authorized origin identifier associated with the sensitive data.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein the secure communication channel is one of a Secure Sockets Layer (SSL), Transport Layer Security (TLS), or a certificate capable session.
  - 3. The method of claim 1, further comprising releasing the sensitive data based on the determination of whether the origin identifier is authorized to cause release of the sensitive data.
  - 4. The method of claim 1, wherein the server is securely authenticated using a digital key.
  - 5. The method of claim 1, wherein the server is securely authenticated using an RSA public key.
  - 6. The method of claim 1, wherein the origin identifier is one or more of:
    - a digital key, a public key, the digital certificate, a detail within a digital certificate, a digital certificate derivation.
  - 7. The method of claim 1, wherein the sensitive data is one or more of:
    - an HTTP cookie, session data, session cookie, authorization information, a password, personal user data, or financial data.
  - 8. The method of claim 1, further comprising communicating the sensitive data over the secure communication channel.
  - 9. The method of claim 1, wherein the origin identifier indicates where the sensitive data originated from.

10. An apparatus to improve the security of online communications comprising:
- memory to store one or more instructions; and
  
  a processor, coupled to the memory, to execute the one or more instructions to;
  
  establish a secure communication channel with a server, wherein the server is securely authenticated based on a digital certificate;
  
  determine an origin identifier to identify the server of the established secure communication channel, wherein the origin identifier is based on the digital certificate used to securely authenticate the server;
  
  receive a web page via the secure communication channel;
  
  detect an element within the web page directed at release of a sensitive data;
  
  determine an authorized origin identifier associated with the sensitive data; and
  
  cause release of the sensitive data only if the origin identifier to identify the origin is the determined authorized origin identifier associated with the sensitive data.
- View Dependent Claims (11, 12, 13, 14, 15, 16)
- - 11. The apparatus of claim 10, wherein the secure communication channel is one of a Secure Sockets Layer (SSL), Transport Layer Security (TLS), or a certificate capable session.
  - 12. The apparatus of claim 10, wherein the processor is to cause release of the sensitive data based on the determination of whether the origin identifier is authorized to cause release of the sensitive data.
  - 13. The apparatus of claim 10, wherein the server is to be securely authenticated using a digital key.
  - 14. The apparatus of claim 10, wherein the server is to be securely authenticated using an RSA public key.
  - 15. The apparatus of claim 10, wherein the origin identifier is one or more of:
    - a digital key, a public key, the digital certificate, a detail within a digital certificate, a digital certificate derivation.
  - 16. The apparatus of claim 10, wherein the sensitive data is one or more of:
    - an HTTP cookie, session data, session cookie, authorization information, a password, personal user data, or financial data.

17. A non-transitory computer-readable medium comprising one or more instructions that when executed on a processor configure the processor to perform one or more operations to:
- establish a secure communication channel with a server, wherein the server is securely authenticated based on a digital certificate;
  
  determine an origin identifier to identify the server of the established secure communication channel, wherein the origin identifier is based on the digital certificate used to securely authenticate the server;
  
  receive a web page via the secure communication channel;
  
  detect an element within the web page directed at release of a sensitive data;
  
  determine an authorized origin identifier associated with the sensitive data; and
  
  cause release of the sensitive data only if the origin identifier to identify the origin is the determined authorized origin identifier associated with the sensitive data.
- View Dependent Claims (18, 19, 20, 21, 22)
- - 18. The non-transitory computer-readable medium of claim 17, wherein the secure communication channel is one of a Secure Sockets Layer (SSL), Transport Layer Security (TLS), or a certificate capable session.
  - 19. The non-transitory computer-readable medium of claim 17, further comprising one or more instructions that when executed on the processor configure the processor to perform one or more operations to cause release of the sensitive data based on the determination of whether the origin identifier is authorized to cause release of the sensitive data.
  - 20. The non-transitory computer-readable medium of claim 17, further comprising one or more instructions that when executed on the processor configure the processor to perform one or more operations to cause the server to be securely authenticated using a digital key.
  - 21. The non-transitory computer-readable medium of claim 17, further comprising one or more instructions that when executed on the processor configure the processor to perform one or more operations to cause the server to be securely authenticated using an RSA public key.
  - 22. The non-transitory computer-readable medium of claim 17, wherein:
    - the origin identifier is one or more of;
      
      a digital key, a public key, the digital certificate, a detail within a digital certificate, a digital certificate derivation;
      
      orthe sensitive data is one or more of;
      
      an HTTP cookie, session data, session cookie, authorization information, a password, personal user data, or financial data.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Jeffrey E. Brinskelle
Original Assignee
Jeffrey E. Brinskelle
Inventors
Brinskelle, Jeffrey E.
Primary Examiner(s)
Zand, Kambiz
Assistant Examiner(s)
Kaplan, Benjamin A

Application Number

US14/508,797
Time in Patent Office

1,680 Days
Field of Search

726 2, 726 12, 726 14
US Class Current
CPC Class Codes

G06F 21/31   User authentication

G06F 21/6218   to a system of files or obj...

H04L 63/08   for authentication of entit...

H04L 63/0823   using certificates cryptogr...

H04L 63/166   at the transport layer

H04L 67/02   based on web technology, e....

Enforcement of same origin policy for sensitive data

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Enforcement of same origin policy for sensitive data

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links