Comparative Analysis and Framework Evaluating Mimicry-Resistant and Invisible Web Authentication Schemes

Alaca, Furkan; Abdou, AbdelRahman; Oorschot, Paul C. van

doi:10.1109/tdsc.2019.2908907

Cited by 3 publications

(6 citation statements)

References 52 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…It is unclear how many of the browser-implemented reinforcements for HTTPS are adopted in DoT, and how the relatively lax security in DoT affects issued certificates. For example, successful authentication [4] and encryption are unnecessary in DoT depending on the client's configured usage profile (see opportunistic mode in RFC 7858 [42]). We present results upon comparing a random sample of DoT and HTTPS certificates collected from Rapid7 [32].…”

mentioning

confidence: 99%

Comparative Analysis of DoT and HTTPS Certificate Ecosystems

Jahromi¹,

Abdou²

2021

Proceedings 2021 Workshop on Measurements, Attacks, and Defenses for the Web

Self Cite

View full text Add to dashboard Cite

Systemd-resolved", among others, have implemented DoT stub-resolvers [16]. As a result, DoT queries have increased over the Internet since 2018 [27]. Similar to securing web (HTTPS) and email (S/MIME), DoT in the Internet relies on the Internet's Public Key Infrastructure (PKI) and associated Certification Authorities (CAs) for signing and delivering resolvers' standard X.509 certificates.On security, we investigate whether DoT would be susceptible to classic (or historic) PKI shortcomings, such as invalid/self-signed certificates, weak cryptographic parameters, or fraudulent certificates issued by compromised CAs. Over time, browsers enhanced HTTPS security by stringent certificate validation and indispensable demand of security features, like the placement of certificates in Certificate Transparency (CT) logs [38], [6]; CAs have accordingly been steppingup their issuance standards. It is unclear how many of the browser-implemented reinforcements for HTTPS are adopted in DoT, and how the relatively lax security in DoT affects issued certificates. For example, successful authentication [4] and encryption are unnecessary in DoT depending on the client's configured usage profile (see opportunistic mode in RFC 7858 [42]).We present results upon comparing a random sample of DoT and HTTPS certificates collected from Rapid7 [32]. Particularly, this paper contributes results upon comparing DoT and HTTPS certificates for the following aspects: Distribution and characteristics of certificate issuers (Sec. IV). Certificate parameters, including validity windows and cipher-suites (Sec. V). Proportion and distribution of certificates in CT-logs (Sec. VI).Our results highlight non-major differences between both ecosystems, including differences in: the dominant CA, certificate validity, and cryptographic properties. The proportion of invalid certificates appears almost similar in both ecosystems, likewise the expiry windows and cryptographic functions. We also found almost equivalent rates of CT-log inclusion in both ecosystems. These results suggest that so far, the deployment and usage of DoT certificates in practice appears promising, and not significantly affected by the lack of strict security checks in sub-resolvers.

show abstract

mentioning

confidence: 99%

Comparative Analysis of DoT and HTTPS Certificate Ecosystems

Jahromi¹,

Abdou²

2021

Proceedings 2021 Workshop on Measurements, Attacks, and Defenses for the Web

Self Cite

View full text Add to dashboard Cite

show abstract

“…It is unclear how many of the browserimplemented reinforcements for HTTPS are adopted in DoT, and how the relatively lax security in DoT affects issued certificates. For example, successful authentication [3] and encryption are unnecessary in DoT depending on the client's configured usage profile. If a client software is configured to use opportunistic usage profile [49], analogous to opportunistic encryption, the client only enforces security properties when possible.…”

Section: Dot and Https Certificate Ecosystemsmentioning

confidence: 99%

“…In April 2018, Cloudflare implemented hidden DNS-over-Tor (DoTor) resolver. 3 DoTor hides DNS messages with layers of encryption that enhances the privacy of the client against the recursive-resolver and Stage-1 entities (i.e., ISP, ASes) [34]. Thus, ISPs cannot distinguish DNS traffic, nor correlate it to reveal requested domain names.…”

Section: Doh Is Resilient-to-manipulation-in-mentioning

confidence: 99%

Survey And Evaluation of Secure-DNS Alternatives Through Passive Measurements

jahromi¹

View full text Add to dashboard Cite

As security was not among the original DNS design goals, over ten secure-DNS schemes have been proposed to improve security and privacy during the name resolution process.One of the schemes is DNS-over-TLS (DoT), which relies on the Internet's PKI for establishing trust in recursive resolvers. The security research community has studied and improved security shortcomings in the web certificate ecosystem. DoT's certificates, on the other hand, have not been investigated comprehensively. This thesis analyzes the certificate ecosystem of DoT in comparison to HTTPS. The results are so far promising, as they show that DoT appears to have benefited from the PKI security advancements that were designed for HTTPS. The thesis then surveys secure-DNS schemes, and presents an evaluation framework to assess their security, availability, privacy, and anonymity benefits. Our evaluation illustrates that none of the DNS schemes secures the complete path of the domain name resolution. All rated schemes provide only partial security benefits in specific domain name resolution stages. The results shed light on the challenges of designing a comprehensive and widely-deployable secure-DNS scheme to secure the complete name resolution path.However, as some schemes can be combined, their resultant benefits can address individual shortcomings.

show abstract

“…E1 and E2 suggest the advice is intended to be high-level and focused on outcomes, but in E1, also good practice. 7 E3 mentions that the advice should be technical controls and organizational policies. The former (technical controls) suggests a greater level of detail when compared to the DCMS guidelines, but not as specific as to suggest technical specification, which they again defer to more detailed documentation elsewhere (E5).…”

Section: Etsi Baseline Requirements Positioningmentioning

confidence: 99%

“…Mimicry-resistance is a term used to describe something about a user or device (e.g., behavior, data) that is resistant to being impersonated by an attacker [7]. Ray et al [171] use behavioral fingerprinting as mimicry-resistant identities for devices.…”

Section: Challenges Adapting Ioc Authentication Approaches For Iotmentioning

confidence: 99%

On Security Best Practices, Systematic Analysis of Security Advice, and Internet of Things Devices

Bellman¹

View full text Add to dashboard Cite

While Internet of Things (IoT) security best practices have recently attracted considerable attention from industry and governments, academic research has highlighted the failure of many IoT product manufacturers to follow accepted practices. We begin by investigating a surprising lack of consensus, and void in the literature, on what (generically) best practice means, and provide a technical examination of related terminology. We use iterative inducting coding to design an analysis methodology for categorizing security advice and measuring its actionability. We use this methodology to analyze three datasets: a set of 1013 IoT security best practices, recommendations, and guidelines, and two formally recommended IoT security advice documents. We find all three sets to be largely non-actionable. Through design and use of this methodology, we identify the characteristics of actionable security advice.We also analyze recent work on IoT device identification based on three identification objectives (distinguish device instances, distinguish device classes, and authenticate device identity), and the technical approaches by which they are reached: device fingerprinting, classification, and authentication. We differentiate the role of these objectives and approaches in IoT security, and develop a model relating them. viii ix Ashraf Matrawy (Carleton University), and Dr. Mohammad Zulkernine (Queen's University).Finally, a special thank-you goes to my family and friends for all the support over the past five years-your encouragement is deeply appreciated, and I could not have done this without your support.

show abstract

Comparative Analysis and Framework Evaluating Mimicry-Resistant and Invisible Web Authentication Schemes

Cited by 3 publications

References 52 publications

Comparative Analysis of DoT and HTTPS Certificate Ecosystems

Comparative Analysis of DoT and HTTPS Certificate Ecosystems

Survey And Evaluation of Secure-DNS Alternatives Through Passive Measurements

On Security Best Practices, Systematic Analysis of Security Advice, and Internet of Things Devices

Contact Info

Product

Resources

About