DOCSLIB.ORG

Improving Security and Performance in Low Latency Anonymous Networks

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Improving Security and Performance in Low Latency Anonymous Networks Improving Security and Performance in Low Latency Anonymous Networks by Kevin Scott Bauer B.S., University of Denver, 2005 A thesis submitted to the Faculty of the Graduate School of the University of Colorado in partial fulfillment of the requirements for the degree of Doctor of Philosophy Department of Computer Science 2011 This thesis entitled: Improving Security and Performance in Low Latency Anonymous Networks written by Kevin Scott Bauer has been approved for the Department of Computer Science Prof. Dirk Grunwald Prof. Douglas Sicker Prof. Shivakant Mishra Prof. Nikita Borisov Prof. Stefan Savage Date The final copy of this thesis has been examined by the signatories, and we find that both the content and the form meet acceptable presentation standards of scholarly work in the above mentioned discipline. Bauer, Kevin Scott (Ph.D., Computer Science) Improving Security and Performance in Low Latency Anonymous Networks Thesis directed by Co-Chairs Prof. Dirk Grunwald and Prof. Douglas Sicker Conventional wisdom dictates that the level of anonymity offered by low latency anonymity networks increases as the user base grows. However, the most significant obstacle to increased adoption of such systems is that their security and performance properties are perceived to be weak. In an effort to help foster adoption, this dissertation aims to better understand and improve security, anonymity, and performance in low latency anonymous communication systems. To better understand the security and performance properties of a popular low latency anonymity network, we characterize Tor, focusing on its application protocol distribution, geopo- litical client and router distributions, and performance. For instance, we observe that peer-to-peer file sharing protocols use an unfair portion of the network’s scarce bandwidth. To reduce the con- gestion produced by bulk downloaders in networks such as Tor, we design, implement, and analyze an anonymizing network tailored specifically for the BitTorrent peer-to-peer file sharing protocol. We next analyze Tor’s security and anonymity properties and empirically show that Tor is vulner- able to practical end-to-end traffic correlation attacks launched by relatively weak adversaries that inflate their bandwidth claims to attract traffic and thereby compromise key positions on clients’ paths. We also explore the security and performance trade-offs that revolve around path length design decisions and we show that shorter paths offer performance benefits and provide increased resilience to certain attacks. Finally, we discover a source of performance degradation in Tor that results from poor congestion and flow control. To improve Tor’s performance and grow its user base, we offer a fresh approach to congestion and flow control inspired by techniques from IP and ATM networks. Dedication To my parents. Acknowledgements This thesis is the culmination of over five years of work and I wish to thank the many people who have made invaluable contributions both to this thesis and to my professional development as a researcher. First, I thank my academic advisers, Dirk Grunwald and Doug Sicker, without whose encouragement and support this work would not have been possible. Second, I thank my thesis committee, Nikita Borisov, Shiv Mishra, and Stefan Savage, for their invaluable comments and suggestions. I would also like to thank the many research collaborators and co-authors for their con- tributions to this thesis and to my professional development. I am particularly thankful to J. Trent Adams, Mark Allman, Mashael AlSabah, Eric Anderson, Aaron Beach, Markus Breitenbach, Nikita Borisov, Anders Drachen, Ian Goldberg, Harold Gonzales, Ben Greenstein, Greg Grudic, Dirk Grunwald, Asa Hardcastle, Joshua Juen, Yoshi Kohno, Hyunyoung Lee, Janne Lindqvist, Qin (Christine) Lv, Damon McCoy, Sears Merritt, Vern Paxson, Caleb Phillips, Stefan Savage, Micah Sherr, Doug Sicker, Robin Sommer, Parisa Tabriz, Rob Veitch, Geoff Voelker, and Gary Yee. In addition, I am grateful to Nikita Borisov, Roger Dingledine, Paul Syverson, and countless anonymous reviewers for offering helpful and constructive comments and suggestions that improved the quality of various parts of this thesis. I also especially thank Roger Dingledine for his two visits to UCSD in August and December 2010, during which time he offered invaluable expert guidance through Tor’s various layers of congestion control and flow control. I would like to especially acknowledge J. Trent Adams at The Internet Society and Tom Lookabaugh formerly at PolyCipher for their generous financial support that, in part, made this vi research possible. In addition, I thank Stefan Savage, Geoff Voelker, and Damon McCoy for spon- soring my brief stint as research staff at UCSD from August–December 2010, during which time part of this thesis was completed. Lastly, I thank Vern Paxson for sponsoring my research visit to the International Computer Science Institute’s Center for Internet Research (ICSI/ICIR) in Berkeley, CA during summer 2010, where I became fully immersed in the challenges of large-scale Internet measurement and network-based intrusion detection. If I’ve learned anything in graduate school, I learned that research is a social activity. This thesis contains text, figures, tables, data, and ideas drawn from the following jointly authored papers: [49, 54–56, 60–63, 158, 159]. Finally, and most importantly, I thank my family for encouraging me to follow my dreams and for providing the emotional and financial support that enabled me to complete my education. Of course I would be remiss if I neglected to thank my furry friends Snoopy, Bridget, and Murphy (one canine, two felines) for not excessively peeing and pooping on the carpet or otherwise trashing our apartment while I worked many long nights to finish this thesis. Lastly, I thank Catherine, my friend and partner in life, for her love and support that makes everything I do worthwhile. vii Contents Chapter 1 Introduction 1 1.1 Need for Privacy Enhancing Technologies . ........... 2 1.2 Better Performance Leads to Better Anonymity . ............ 3 1.3 ProblemStatement................................ ..... 4 1.4 Fundamental Contributions . ........ 4 1.5 DissertationOutline ............................. ....... 6 2 Background and Related Work 7 2.1 PreliminariesandDefinitions . ......... 8 2.2 AnonymityTechniques. ...... 12 2.2.1 HighLatencyAnonymity . 13 2.2.2 LowLatencyAnonymity. 17 2.3 AnonymitySystems ................................ 22 2.3.1 Crowds ....................................... 23 2.3.2 Tarzan........................................ 24 2.3.3 Tor.......................................... 25 2.3.4 IPpriv........................................ 32 2.3.5 UDP-OR ...................................... 33 2.3.6 Freedom....................................... 34 viii 2.3.7 HerbivoreFS ................................... 34 2.3.8 AnonymousRemailers . 35 2.3.9 P 5 .......................................... 36 2.3.10 Nonesuch ..................................... 37 2.3.11 AP3 ......................................... 37 2.3.12 Cashmere ..................................... 37 2.3.13 Salsa........................................ 38 2.3.14 JavaAnonymousProxy(JAP) . 38 2.3.15 Freenet ...................................... 38 2.3.16 Privacy-preserving File Sharing Protocols . ............ 39 2.4 AnonymityMetrics................................ ..... 39 2.4.1 DegreesofAnonymity . 40 2.4.2 An Information-theoretic Approach . ........ 41 2.4.3 MetricsforLow-latencySystems . ...... 42 2.5 AnonymityAttacks................................ ..... 44 2.5.1 Traffic Analysis with Packet Sizes and Timing . ........ 44 2.5.2 Packet Counting and Timing Analysis Attacks . ......... 44 2.5.3 PredecessorAttack. 46 2.5.4 Disclosure, Intersection, and Statistical DisclosureAttacks. 46 2.5.5 OnionRoutingAttacks . 47 2.6 Summary ......................................... 49 3 Characterizing a Popular Low Latency Anonymous Network 50 3.1 DataCollectionMethodology . ........ 51 3.2 ProtocolDistribution. ........ 53 3.2.1 Interactive vs. Non-interactive Web Traffic . ......... 54 3.2.2 Is Non-interactive Traffic Hurting Performance? . ........... 54 ix 3.2.3 InsecureProtocols ............................. 55 3.3 MaliciousRouterBehavior. ........ 56 3.3.1 DetectionMethodology . 56 3.3.2 Results ....................................... 57 3.3.3 Discussion.................................... 58 3.4 MisbehavingClients .............................. ...... 59 3.5 Geopolitical Client and Router Distributions . .............. 59 3.5.1 Observations .................................. 60 3.5.2 ModelingRouterUtilization. ....... 64 3.6 Circuit-level Performance Measurements . ............ 64 3.6.1 DiurnalPatternsinTrafficLoad . ..... 65 3.6.2 End-to-endLatency ............................... 67 3.6.3 End-to-endThroughput . 69 3.6.4 CircuitDuration ............................... 70 3.6.5 CircuitCapacity ............................... 72 3.6.6 Discussion.................................... 76 3.7 Ethics and Community Standards . ....... 76 3.8 BroaderImpact................................... 78 3.9 Summary ......................................... 79 4 Practical Attacks against Low Latency Anonymous Networks 80 4.1 Background...................................... 83 4.1.1 Tor’s Router Selection Algorithms . ........ 83 4.1.2 Tor’sThreatModel .............................. 85 4.2 CompromisingAnonymity . ...... 85 4.2.1 PhaseOne:SettingUp ............................ 86 4.2.2 PhaseTwo: LinkingCircuits
Load more

Recommended publications
  • Cyber Defense Emagazine – June 2018 Edition Copyright © Cyber Defense Magazine, All Rights Reserved Worldwide
    …130+ Packed Pages This Month… CyberDefenseTV.com continues to grow with more interviews of C level executives in the Cyber HotSeat… BlackHat Trip Report and Great C Level InfoSec Thought Leader interviews… Transforming Cyber Security An End to the Era of Passwords? The Impact of SOAR on Incident Response Steps The Art of Phishing and How To Fight It …and much more… 1 Cyber Defense eMagazine – June 2018 Edition Copyright © Cyber Defense Magazine, All rights reserved worldwide CONTENTS BlackHat Conference 2018 Trip Report........................................................................................ 15 Transforming Cyber Security........................................................................................................ 35 Cyber Security Tips for Business Travelers................................................................................... 38 Building blocks to manage the supply chain ............................................................................... 40 Cyber PSYOP: The New Way to Impact Opinons and Politics ..................................................... 42 Let Passwords Go Extinct ............................................................................................................. 45 The Impact of SOAR on Incident Response Steps ........................................................................ 47 2018 is Late but Still the Right Time to Bid Goodbye to Malware Prone SMBv1 ...................... 50 Best Practices for DDoS Mitigation in the Terabit Attack Era ...................................................
    [Show full text]
  • Success Strategies in Emerging Iranian American Women Leaders
    Pepperdine University Pepperdine Digital Commons Theses and Dissertations 2017 Success strategies in emerging Iranian American women leaders Sanam Minoo Follow this and additional works at: https://digitalcommons.pepperdine.edu/etd Recommended Citation Minoo, Sanam, "Success strategies in emerging Iranian American women leaders" (2017). Theses and Dissertations. 856. https://digitalcommons.pepperdine.edu/etd/856 This Dissertation is brought to you for free and open access by Pepperdine Digital Commons. It has been accepted for inclusion in Theses and Dissertations by an authorized administrator of Pepperdine Digital Commons. For more information, please contact [email protected], [email protected], [email protected]. Pepperdine University Graduate School of Education and Psychology SUCCESS STRATEGIES IN EMERGING IRANIAN AMERICAN WOMEN LEADERS A dissertation submitted in partial satisfaction of the requirements for the degree of Doctor of Education in Organizational Leadership by Sanam Minoo July, 2017 Farzin Madjidi, Ed.D. – Dissertation Chairperson This dissertation, written by Sanam Minoo under the guidance of a Faculty Committee and approved by its members, has been submitted to and accepted by the Graduate Faculty in partial fulfillment of the requirements for the degree of DOCTOR OF EDUCATION Doctoral Committee: Farzin Madjidi, Ed.D., Chairperson Lani Simpao Fraizer, Ed.D. Gabriella Miramontes, Ed.D. © Copyright by Sanam Minoo 2017 All Rights Reserved TABLE OF CONTENTS Page LIST OF TABLES ........................................................................................................................
    [Show full text]
  • Understanding Flaws in the Deployment and Implementation of Web Encryption
    Understanding Flaws in the Deployment and Implementation of Web Encryption Suphannee Sivakorn Submitted in partial fulfillment of the requirements for the degree of Doctor of Philosophy in the Graduate School of Arts and Sciences COLUMBIA UNIVERSITY 2018 © 2018 Suphannee Sivakorn All rights reserved ABSTRACT Understanding Flaws in the Deployment and Implementation of Web Encryption Suphannee Sivakorn In recent years, the web has switched from using the unencrypted HTTP protocol to using encrypted communications. Primarily, this resulted in increasing deployment of TLS to mitigate information leakage over the network. This development has led many web service operators to mistakenly think that migrating from HTTP to HTTPS will magically protect them from information leakage without any additional effort on their end to guar- antee the desired security properties. In reality, despite the fact that there exists enough infrastructure in place and the protocols have been “tested” (by virtue of being in wide, but not ubiquitous, use for many years), deploying HTTPS is a highly challenging task due to the technical complexity of its underlying protocols (i.e., HTTP, TLS) as well as the complexity of the TLS certificate ecosystem and this of popular client applications suchas web browsers. For example, we found that many websites still avoid ubiquitous encryption and force only critical functionality and sensitive data access over encrypted connections while allowing more innocuous functionality to be accessed over HTTP. In practice, this approach is prone to flaws that can expose sensitive information or functionality tothird parties. Thus, it is crucial for developers to verify the correctness of their deployments and implementations.
    [Show full text]
  • Building Secure and Reliable Systems
    Building Secure & Reliable Systems Best Practices for Designing, Implementing and Maintaining Systems Compliments of Heather Adkins, Betsy Beyer, Paul Blankinship, Piotr Lewandowski, Ana Oprea & Adam Stubblefi eld Praise for Building Secure and Reliable Systems It is very hard to get practical advice on how to build and operate trustworthy infrastructure at the scale of billions of users. This book is the first to really capture the knowledge of some of the best security and reliability teams in the world, and while very few companies will need to operate at Google’s scale many engineers and operators can benefit from some of the hard-earned lessons on securing wide-flung distributed systems. This book is full of useful insights from cover to cover, and each example and anecdote is heavy with authenticity and the wisdom that comes from experimenting, failing and measuring real outcomes at scale. It is a must for anybody looking to build their systems the correct way from day one. —Alex Stamos, Director of the Stanford Internet Observatory and former CISO of Facebook and Yahoo This book is a rare treat for industry veterans and novices alike: instead of teaching information security as a discipline of its own, the authors offer hard-wrought and richly illustrated advice for building software and operations that actually stood the test of time. In doing so, they make a compelling case for reliability, usability, and security going hand-in-hand as the entirely inseparable underpinnings of good system design. —Michał Zalewski, VP of Security Engineering at Snap, Inc. and author of The Tangled Web and Silence on the Wire This is the “real world” that researchers talk about in their papers.
    [Show full text]
  • An Experience Sampling Study of User Reactions to Browser Warnings in the Field
    An Experience Sampling Study of User Reactions to Browser Warnings in the Field Robert W. Reeder1, Adrienne Porter Felt1, Sunny Consolvo1, Nathan Malkin2, Christopher Thompson2, and Serge Egelman2;3 1Google, Mountain View, CA 2University of California, Berkeley, CA 3International Computer Science Institute, Berkeley, CA {rreeder,felt,sconsolvo}@google.com, {nmalkin,cthompson,egelman}@cs.berkeley.edu ABSTRACT Due to their importance, browser warnings have received a Web browser warnings should help protect people from mal- great deal of attention. Initially, browser warnings gained ware, phishing, and network attacks. Adhering to warnings a reputation for low adherence rates [17, 19, 37, 40, 41]. keeps people safer online. Recent improvements in warning Vendors responded to this research with improvements. In design have raised adherence rates, but they could still be 2013, the Chrome and Firefox teams released data showing higher. And prior work suggests many people still do not that contemporary warnings had relatively high adherence understand them. Thus, two challenges remain: increasing rates—except for the Chrome HTTPS error warning, which both comprehension and adherence rates. To dig deeper into still suffered from low adherence (only 30% of users adhered user decision making and comprehension of warnings, we to the warnings) [2]. After further work, Chrome’s HTTPS performed an experience sampling study of web browser secu- error warning caught up, and now up to 70% of users adhere rity warnings, which involved surveying over 6,000 Chrome to the warnings [21, 22, 44]. Despite these improvements, and Firefox users in situ to gather reasons for adhering or not HTTPS warning adherence rates can still be improved.
    [Show full text]
  • (2010-2013). He Is a Creator of the Spread Toolkit ( the First Scalable Group Communication System with Strong Semantics
    Forum on Cyber Resilience Member Biographies as of 2019-04 Fred B. Schneider (NAE), is Samuel B. Eckert Professor of Computer Science at Cornell University. He joined Cornell's faculty in Fall 1978, having completed a Ph.D. at Stony Brook University and a B.S. in engineering at Cornell in 1975. Schneider's research has always concerned various aspects of trustworthy systems —systems that will perform as expected, despite failures and attacks. Most recently, his interests have focused on system security. His work characterizing what policies can be enforced with various classes of defenses is widely cited, and it is seen as advancing the nascent science base for security. He is also engaged in research concerning legal and economic measures for improving system trustworthiness. Schneider was elected a fellow of the American Association for the Advancement of Science (1992), the Association of Computing Machinery (1995), and the Institute of Electrical and Electronics Engineers (2008). He was named Professor-at-Large at the University of Tromso (Norway) in 1996 and was awarded a Doctor of Science honoris causa by the University of Newcastle-upon-Tyne in 2003 for his work in computer dependability and security. He received the 2012 IEEE Emanuel R. Piore Award for "contributions to trustworthy computing through novel approaches to security, fault-tolerance and formal methods for concurrent and distributed systems". The U.S. National Academy of Engineering elected Schneider to membership in 2011, the Norges Tekniske Vitenskapsakademi (Norwegian Academy of Technological Sciences) named him a foreign member in 2010, and the American Academy of Arts and Sciences elected him in 2017.
    [Show full text]
  • Women Know Cyber
    WOMEN KNOW CYBER 100 Fascinating Females Fighting Cybercrime STEVE MORGAN & DI FREEZE WOMEN KNOW CYBER: 100 Fascinating Females Fighting Cybercrime Copyright © 2019 by Cybersecurity Ventures ISBN 978-1-7330157-0-7 All rights reserved. No part of this publication may be reproduced, distributed, or transmitted in any form or by any means, including photocopying, recording, or other electronic or mechanical methods, without the prior written permission of the publisher, except in the case of brief quotations embodied in critical reviews and certain other noncommercial uses permitted by copyright law. For permission requests, write to the publisher, addressed “Attention: Permissions Coordinator,” at the address below. Cybersecurity Ventures 83 Main Street, 2nd Floor, Suite 5 Northport, N.Y. 11768 This book is dedicated to my six children. Without you, my first book would have been completed thirty years ago. I thank God for showing me what’s most important in life. – Steve Morgan Cybersecurity Conference Sponsor FutureCon produces cutting-edge events aimed at CISOs, IT security professionals, and cybersecurity companies – bringing together the best minds in the industry for a unique experi- ence. These one-day events in more than 20 cities throughout North America feature thought- provoking presentations by industry leaders, esteemed keynote speakers, and a panel session with cybersecurity experts. Each FutureCon event provides attendees with the very latest and highest level vendor-neutral training in the security community. FutureCon's founder, Kim Hakim, is a U.S. Navy veteran with more than two decades of experience producing thousands of cybersecurity conferences. "Women Know Cyber" book signings and special programs will be held at FutureCon events.
    [Show full text]
  • Enhancing Cybersecurity: the Role of Innovation Ecosystems
    SEMINAR SUMMARY APRIL 2019 ENHANCING CYBERSECURITY: THE ROLE OF INNOVATION ECOSYSTEMS EXECUTIVE SUMMARY This document summarizes the conversations from the seminar “Enhancing Cybersecurity – The Role of Innovation Ecosystems” that took place on February 13th 2019 at the Massachusetts Institute of Technology in Cambridge, Massachusetts. The goal of the Seminar was to advance participants’ knowledge of innovation ecosystems for innovation in cybersecurity. Its approach was to emphasize the growing agglomeration of innovation-driven enterprises creating innovative solutions, and the tightly-coupled inter- dependencies in these hubs of entrepreneurs, governments, risk-capital, universities and large corporations. The Seminar was organized by the MIT Innovation Initiative (MITii), the Federmann Cyber Security Center at the Hebrew University of Jerusalem (HCSRC), Israel’s National Cyber Directorate (INCD), the UK Department for Digital, Culture, Media & Sport (DCMS), and the UK Science & Innovation Network. Forty participants representing all of the ecosystem stakeholders (governments, universities, corporations, entrepreneurs, and risk capital) were invited to participate (see Appendix B). The Main Insights: • Cybersecurity is an area of technological, corporate and regulatory innovation that emphasizes the growing agglomeration of innovation-driven enterprises and inter- dependencies between entrepreneurs, governments, risk-capital, universities and large corporations. Innovation ecosystems thus provide an important lens to understand the specific case of innovation in cybersecurity, and to enhance our understanding of innovation ecosystems in general. • This insight is key for practitioners and promoters of innovation in cybersecurity, as the lessons from wider ‘innovation ecosystems’ become more and more relevant to their efforts. As such, the multi-stakeholder ecosystem approach (broadly defined) can help enhance and accelerate innovation in cybersecurity, as it has elsewhere.
    [Show full text]
  • Winter 2017 Vol
    ;login WINTER 2017 VOL. 42, NO. 4 : & Neural Nets Improve Password Choices William Melicher, Blase Ur, Sean M. Segreti, Lujo Bauer, Nicolas Christin, and Lorrie Faith Cranor & DNSSEC: Useless as Used Taejoong Chung, Roland van Rijswijk-Deij, Balakrishnan Chandrasekaran, David Choffnes, Dave Levin, Bruce M. Maggs, Alan Mislove, and Christo Wilson & Fixing the Bitcoin Blockchain Shehar Bano, Mustafa Al-Bassam, and George Danezis & Psychological Safety in SRE Teams John P. Looney & Interview with Peter G. Neumann Columns Exiting Gracefully in Python David Beazley Perl without Perl David N. Blank-Edelman tcpdump as a Monitoring Tool Dave Josephsen Using Vault in Go Chris “Mac” McEniry Collecting Big Data Dan Geer UPCOMING EVENTS Enigma 2018 USENIX Security ’18: 27th USENIX Security January 16–18, 2018, Santa Clara, CA, USA Symposium www.usenix.org/enigma2018 August 15–17, 2018, Baltimore, MD, USA Submissions due February 8, 2018 FAST ’18: 16th USENIX Conference on File and Storage www.usenix.org/sec18 Technologies Co-located with USENIX Security ’18 February 12–15, 2018, Oakland, CA, USA SOUPS 2018: Fourteenth Symposium on Usable Privacy www.usenix.org/fast18 and Security August 12–14, 2018 SREcon18 Americas Abstract submissions due February 12, 2018 March 27–29, 2018, Santa Clara, CA, USA www.usenix.org/soups2018 www.usenix.org/srecon18americas WOOT ’18: 12th USENIX Workshop on Offensive NSDI ’18: 15th USENIX Symposium on Networked Technologies Systems Design and Implementation August 13–14, 2018 www.usenix.org/woot18 April 9–11, 2018, Renton,
    [Show full text]
  • The Computer Fraud and Abuse Act: Protecting the United States from Cyber-Attacks, Fake Dating Profiles, and Employees Who Check Facebook at Work, 5 U
    University of Miami Law School Institutional Repository University of Miami National Security & Armed Conflict Law Review 7-1-2015 The omputC er Fraud and Abuse Act: Protecting the United States from Cyber-Attacks, Fake Dating Profiles, and Employees Who Check Facebook at Work Kristin Westerhorstmann Follow this and additional works at: http://repository.law.miami.edu/umnsac Part of the Military, War and Peace Commons, and the National Security Commons Recommended Citation Kristin Westerhorstmann, The Computer Fraud and Abuse Act: Protecting the United States from Cyber-Attacks, Fake Dating Profiles, and Employees Who Check Facebook at Work, 5 U. Miami Nat’l Security & Armed Conflict L. Rev. 145 (2015) Available at: http://repository.law.miami.edu/umnsac/vol5/iss2/9 This Note is brought to you for free and open access by Institutional Repository. It has been accepted for inclusion in University of Miami National Security & Armed Conflict Law Review by an authorized administrator of Institutional Repository. For more information, please contact [email protected]. The Computer Fraud and Abuse Act: Protecting the United States from Cyber- Attacks, Fake Dating Profiles, and Employees Who Check Facebook at Work Kristin Westerhorstmann* ABSTRACT Each year, the frequency andseverityof cyber-attacks continue to increase. With each new threat comes more pressure on the government to implement an effectiveplanforpreventing these attacks. The first instinct has been to attempt either to enact more laws,orto broaden thescope of already-existing laws such as the Computer Fraud and Abuse Act (CFAA). The CFAA, the federal hacking statute, has been called the worst law in technology for itsexcessively broad scope and vague provisions, whichhaveresulted in arbitrary and discriminatory enforcement, conflicts with the federal private nondelegation doctrine, and in overcriminalization.
    [Show full text]
  • Measuring HTTPS Adoption on The
    Measuring HTTPS Adoption on the Web Adrienne Porter Felt, Google; Richard Barnes, Cisco; April King, Mozilla; Chris Palmer, Chris Bentzel, and Parisa Tabriz, Google https://www.usenix.org/conference/usenixsecurity17/technical-sessions/presentation/felt This paper is included in the Proceedings of the 26th USENIX Security Symposium August 16–18, 2017 • Vancouver, BC, Canada ISBN 978-1-931971-40-9 Open access to the Proceedings of the 26th USENIX Security Symposium is sponsored by USENIX Measuring HTTPS Adoption on the Web Adrienne Porter Felt1, Richard Barnes2, April King3, Chris Palmer1, Chris Bentzel1, Parisa Tabriz1 1Google, 2Cisco, 3Mozilla 1felt, palmer, cbentzel, [email protected], [email protected], [email protected] Abstract [1, 24, 32, 3]). They plan to make further changes as HTTPS becomes the default standard [30, 3]. How HTTPS ensures that the Web has a base level of pri- close is the Web to considering HTTPS a default? vacy and integrity. Security engineers, researchers, and browser vendors have long worked to spread HTTPS to as much of the Web as possible via outreach efforts, de- In this paper, we measure HTTPS adoption rates from veloper tools, and browser changes. How much progress the perspectives of both clients and servers. A key chal- have we made toward this goal of widespread HTTPS lenge is that there are many ways to measure client us- adoption? We gather metrics to benchmark the status age and server support of HTTPS, each yielding differ- and progress of HTTPS adoption on the Web in 2017. ent findings on the prevalence of HTTPS. For example, To evaluate HTTPS adoption from a user perspective, HTTPS is a much higher fraction of browser page loads we collect large-scale, aggregate user metrics from two if the metrics count certain types of in-page navigations.
    [Show full text]
  • Towards More Effective Censorship Resistance Systems
    Towards more Effective Censorship Resistance Systems by Mohammad Tariq Elahi A thesis presented to the University of Waterloo in fulfillment of the thesis requirement for the degree of Doctor of Philosophy in Computer Science Waterloo, Ontario, Canada, 2015 © Mohammad Tariq Elahi 2015 Some rights reserved. BY NC SA This thesis consists of material all of which I authored or co-authored: see Statement of Contributions included in the thesis. This is a true copy of the thesis, including any required final revisions, as accepted by my examiners. I understand that my thesis may be made electronically available to the public. ii Statement of Contributions The content in Chapter 2 was co-authored with Colleen Swanson, who provided the dis- cussion of the global adversary and the failed limited sphere of influence assumption. John Doucette provided the framework and preliminary analysis of the simple censor cases, Steven Murdoch provided the real world problem motivation and the simulator and its de- scription, and Hadi Hosseini provided a portion of the related work discussion in Chapter 3. George Danezis provided a sketch and core code for the two PrivEx variants in Chapter 4. Kevin Bauer provided the Tor simulation patch and scripts while Mashael AlSabah pro- vided the related work discussion in Chapter 5. The rest of this thesis contains original content and was authored under the supervision of Ian Goldberg. iii Abstract Internet censorship resistance systems (CRSs) have so far been designed in an ad-hoc manner. The fundamentals are unclear and the foundations are shaky. Censors are, more and more, able to take advantage of this situation.
    [Show full text]