Security Research in 2016: Measurements and Usability

Posted: February 27th, 2017 | Author: | Filed under: privacy, research, security | Tags: , , , , , , , , , , , , , , | No Comments »

My security research in 2016 focused on two broad categories: measurement-, and usability-studies. In this blog post, I briefly discuss the four most important papers we published in these domains in 2016.

Data-driven security and measurement studies

The Transport Layer Security (TLS) protocol is the building block of secure web communication. A number of important Internet applications rely on the TLS  protocol for the protection of exchanged information. One of these important applications is E-Mail, which despite of the growing use of mobile messengers, remains very popular. In a joint project with Wilfried, Aaron, and Martin we analyzed how TLS is used in the global E-Mail ecosystem. Our measurements consist of over 10 billion TLS handshakes against 20 Million global email services. Our findings showed that weak Diffie Hellman parameters are a serious threat for the security of the current E-Mail systems. We also showed that roughly one third of all analyzed E-Mail services supported the insecure plain-authentication method. Our paper got the award for best paper at ARES 2016, for the details on our research: read the paper and/or download our dataset.

number of email hosts that offer auth plain authentication (2016)

In 2016 we furthermore conducted a study on the effectiveness of state-of-the-art blocker tracking tools. Online tracking is a widespread practice for web services in order to tailor online advertisement as well as to identity the online behavior of people. Tracker-blocking tools such as Ghostery or AdBlock Plus are currently the only available solution for people to protect against tracking and malicious advertisement, yet little is known how effective these tools are. We performed the first large-scale measurement study on the effectiveness of tracker-blocking tools on websites as well as mobile apps. The research is part of our PriSAd research project (FH St. Pölten + nimbusec) and joint work with SBA Research (in particular Georg + Damjan), as well as Nick Nikiforakis from Stony Brook University. We will present our findings at the EuroS&P conference in Paris / April 2017. A preprint of our paper is available here.

Usability of Secure Mobile Applications

In addition to measurements on the usage of TLS in E-Mail services we tackled the correct usage of TLS in mobile applications. Android enables application developers to customize how TLS certificates are verified. Per default Android applications trust valid certificates based on its own CA store. Developers can however completely disable certificate validation (which is very bad and renders the security of TLS useless), or in best case pin certificates. Ultimately, users have to trust application developers to use TLS correctly. We outlined a method improve the correct usage of TLS in Android applications for end users, despite potential implementation bugs introduced by app developers. The main idea we proposed consists in intercepting calls to the Android TrustManager and pin TLS certificates on the fly. Damjan presented our method and proof-of-concept implementation at the IFIP Networking conference.

Finally, in 2016 we conducted a usability study on the state-of-the-art secure messenger: Signal. The Signal protocol provides both forward as well as future secrecy. Signal also works if message recipients are offline. In 2016 WhatsApp rolled out encrypted communication based on Signal and the cryptographic protocol is now used by more than a billion users worldwide. Signal makes the use of state-of-the-art cryptography easy, the whole protocol is however broken if an attacker manages to compromise the key-exchange servers of e.g. Signal or WhatsApp. We studied how users perform on countering targeted attacks with Signal’s fingerprint verification feature. We found that 75% of our study participants failed to correctly verify the identity of other Signal users. Read the paper for further details on our study and our suggested usability improvements for the Signal messenger.

example warning dialog from Signal once identity key changes


ACM COSN at Northeastern

Posted: October 9th, 2013 | Author: | Filed under: research, security | Tags: , , , , , , , , , | No Comments »

The last two days I attended the first conference on online social network. I was really amazed by how the well the conference was organized and the interesting crowd of researchers it attracted. Our paper on social networking apps, was among 3-4 papers related to security and privacy issues in online social networks. As of my presentation yesterday, I also made our AppInspect Project website publicly available.
Hope to post some pics from Boston soon, if I find time for some sightseeing.


Social Snapshot Pilot – Completed

Posted: May 30th, 2012 | Author: | Filed under: random, research, security | Tags: , , , , , , | No Comments »

In the past six month 97 people participated in our social snapshot pilot survey. As of now, the pilot application is not available for public testing anymore. We are currently working an updated release of our social snapshot framework, with plenty of new functionality and performance improvements. So stay tuned for the upcoming release of our social network security and forensics framework.

Thank you so very much to everyone who gave our social snapshot framework a try!


Social Snapshots and Gephi

Posted: September 23rd, 2011 | Author: | Filed under: personal, random, research, security | Tags: , , , , , , , , , , | No Comments »

We will present a new tool to extract the complete account information from social networks, like Facebook, at this years’ ACSAC.
More information on the social snapshot project are also available here:  Social Snapshots: Digital Forensics for Online Social Networks
Currently I am looking for ways to visualize extracted data from Facebook. Gephi is a graph visualization tool that looks very promising for creating fancy graphs. Below are two graphs I created with Gephi on my Facebook data (extracted with a social snapshot of my account).

Download Gephi examples on my FB account data (pdf)

The first graph outlines how my Facebook Friends are connected with each other – the bigger the Graph nodes – the more connected is a given friend with other FB friends of mine. The second graph outlines who tags whom the most – on pictures amongst my FB friends.


Dropbox Security: Dark Clouds on the Horizon at USENIX’11

Posted: June 22nd, 2011 | Author: | Filed under: research, security | Tags: , , , , , , , , | No Comments »

Back in March 2010 we started an investigation into online file storage services and Dropbox in particular. Sebastian and Manuel started to disassemble the Dropbox binary and in essence created an alternative client by patching its crypto libraries. In the months that followed we found a number of security flaws with Dropbox. In November 2010 we informed Dropbox about the security holes we found: unauthorized file access as well as a potential misuse of Dropbox for an unlimited online slackspace. It took Dropbox until April 2011 to respond to our findings. In the meantime a number of independent researchers found some of the security shortcomings we described (e.g. Christopher Soghoian’s blog entry).

Thus, we are more than happy to finally present our research at this year’s USENIX Security conference in San Francisco.

In addition to our findings Dropbox had a security glitch this week, whereas authentication without providing a valid password was possible for around 4h. In summary: One should be very careful which information is stored on Dropbox and Dropbox has to overhaul their service’s security.

Preprint of our paper, is available here: dropboxUSENIX2011.pdf

More information: SBA Research