Web developers can (and do) include subresources such as scripts, stylesheets and images in their webpages. Such subresources might be stored on content delivery networks (CDNs). This practice creates security and privacy risks, should a subresource be corrupted. The subresource integrity (SRI) recommendation, released in mid-2016 by the W3C, enables developers to include digests in their webpages in order for web browsers to verify the integrity of subresources before loading them. In this paper, we conduct the first large-scale longitudinal study of the use of SRI on the Web by analyzing massive crawls (≈3B URLs) of the Web over the last 3.5 years. Our results show that the adoption of SRI is modest (≈3.40%), but grows at an increasing rate and is highly influenced by the practices of popular library developers (e.g., Bootstrap) and CDN operators (e.g., jsDelivr). We complement our analysis about SRI with a survey of web developers (=227): It shows that a substantial proportion of developers know SRI and understand its basic functioning, but most of them ignore important aspects of the recommendation. The results of the survey also show that the integration of SRI by developers is mostly manual, hence not scalable and error-prone. This calls for a better integration of SRI in build tools.

CCS CONCEPTS • Security and privacy → Web protocol security; Hash functions and message authentication codes.
Public key infrastructure (PKI) based on certificate authorities is one of the cornerstones of secure communication over the internet. Certificates issued as part of this PKI provide authentication of web servers among others. Yet, the PKI ecosystem is susceptible to certificate misissuance and misuse attacks. To prevent those attacks, Certificate Transparency (CT) facilitates auditing of issued certificates and detecting certificates issued without authorization. Users that want to verify inclusion of certificates on CT log servers contact the CT server directly to retrieve inclusion proofs. This direct contact with the log server creates a privacy problem since the users' browsing activities could be recorded by the log server owner. Lueks and Goldberg (FC 2015) suggested the use of Private Information Retrieval (PIR) in order to protect the users' privacy in the CT ecosystem. With the immense amount of certificates included on CT log servers, their approach runs into performance issues, however. Nevertheless, we build on this approach and extend it using multi-tier Merkle trees, and render it practical using multi-server PIR protocols based on distributed point functions (DPFs). Our approach leads to a scalable design suitable to handle the increasing number of certificates and is, in addition, generic allowing instantiations using secure accumulators and PIRs. We implement and test this mechanism for privacy-preserving membership proof retrieval and show that it can be integrated without disrupting existing CT infrastructure. Most importantly, even for larger CT logs containing 2^31 certificates, our approach using sub-accumulators can provide privacy with a performance overhead of less than 9 milliseconds in total.

3 https://www.section.io/blog/chrome-ct-compliance/
4 Precertificates are certificates provided to the log before the issuance of the actual certificate. They contain a special critical poison extension that renders the certificate unusable in TLS connections.