This post summarizes how prevalent encrypted web traffic interception is and how it negatively affects online security according to a study we published at NDSS 2017.
Every year, close to 600,000 sites are hacked. Given the scale of the problem, notifying users to prevent harm and webmasters so they can clean up their sites is critical to combat hacking. This post looks at the effectiveness of the current warning strategies used by Google and their long-term impact.
This paper study the blackhat cloaking techniques used by deceptive websites to hide bad content from search engine crawler and security scanners.
This paper study how effective the Google's notifications sent to webmasters of hacked web sites are based of over 760000 hacking incidents from July 2014 and June 2015.
Follow these ten easy steps to improve your online security and privacy quickly.
Research study on how malicious and unwanted actors tamper directly with browser sessions for their own profit. Based of measurement done at Google this study also illuminate the scope and negative impact of ads injection.
This paper we describe how we designed a new CAPTCHA schemes for Google that focus on maximizing usability. Our new scheme which is now an integral part of Google sign-up and is served to millions of users, achieved a 95.3% human accuracy, a 6.7% improvement compared to the old one.
Session Juggler allows to log into any websites on an untrusted terminal on any modern browser by using a simple bookmarklet and a smartphone. The site credentials are never transmited to the untrusted. With Session Juggler users never enter their long term credential on the untrusted terminal. Instead, users log in to a web site using a smartphone app and then transfer the entire session, including cookies and all other session state, to the untrusted terminal.
TalkBack is a new blog Linkback protocol that use a lightweight PKI and a rate limiting system to fight blog SPAM
WebDroid the first framework specifically dedicated to build secure embedded WebApp. This framework is build on the insights we gleaned from the security analysis of 30 embedded devices web interfaces for which we found over than 50 vulnerabilities.
We show how using a generic approach, based on advanced audio processing and machine learning algorithm, our captcha breaker "Decaptcha" is able to break all the popular audio CAPTCHA schemes, including Microsoft and Yahoo.
We analyze how each of the major browser implements the private browsing mode and show their limitations and describe attacks against them. We also measure on which kind of website people use the private browsing mode.
We show that phone features makes Tap-jacking easier. We explain how to exploit router web interface to steal WiFi network WPA key and location. Finally we demonstrate how to exploit the frame scrolling attack to attack Facebook frame busting defense and leak private information from Yahoo mobile webmail.
We demonstrate how to steal a WiFi network WPA key and location by attacking the router web interface. Then we show how to bypass SSL warning on Internet Explorer and Firefox to perform HTTPS cache injection attacks. Finally we show how to perform various advanced click-jacking attacks on browser and phones (tapjacking).
We perform a mass-scale user study on how people react to the 21 most popular captcha schemes (13 images, 8 audios). This study reveals that even the most popular captchas scheme are often difficult for humans, with audio captchas being particularly problematic.
Black-box web application vulnerability scanners are automated tools that probe web applications for security vulnerabilities. In order to assess the current state of the art, we obtained access to eight leading tools and carried out a study of: (i) the class of vulnerabilities tested by these scanners, (ii) their effectiveness against target vulnerabilities, and (iii) the relevance of the target vulnerabilities to vulnerabi