Title: Building Empirically-Driven Solutions for Enhancing Security and Privacy of Popular Internet Services

Qinge Xie

Ph.D. student

School of Cybersecurity and Privacy

Georgia Institute of Technology

Date: Wednesday, May 1st, 2024 

Time: 1:00 pm - 2:00 pm EST 

Location: Coda C0903 Ansley

Zoom:  https://gatech.zoom.us/j/97700528530

Committee: 

Dr. Frank Li (advisor), School of Cybersecurity and Privacy, Georgia Institute of Technology 

Dr. Cecilia Testart, School of Cybersecurity and Privacy, Georgia Institute of Technology 

Dr. Alberto Dainotti, School of Computer Science, Georgia Institute of Technology 

Abstract:

Various popular Internet services, ranging from websites to browser extensions to even research-based resources such as domain top lists, offer useful functionalities to a diverse set of Internet users. While these services have become crucial components of the Internet ecosystem, they still exhibit undesirable properties in practice, which may result in users exposing themselves to security and privacy risks, and inhibit their appropriate usage in security and privacy research. This avenue of problems has not gone unnoticed and prior work has proposed solutions for better securing these Internet services. However, in my work, we have identified critical limitations in prior solutions. My work aims to use real-world measurements to empirically inform the design of practical and effective solutions for enhancing security and privacy of such popular Internet services. 

I will first discuss domain top lists, which are critical services widely used by the Internet security and privacy research communities and industries. However, existing top lists exhibit numerous undesirable properties, including a lack of transparency, high volatility, and easy manipulation. Despite these security concerns, they continue to be widely used as there remain no viable alternatives. To build a robust top list solution, we empirically investigated different list design considerations using a real-world passive DNS dataset. We produced a voting-based top list that demonstrates better stability and manipulation resistance than existing ones. As a follow-up work, we also conducted an empirical evaluation of real-world top list use by monitoring the incoming traffic of top domains. Our findings inform the design and deployment of top lists to enhance security and privacy in their use. 

Next, I will discuss browser extensions, widely used to enhance user browser experiences but which exhibit undesirable privacy controls. Prior solutions for detecting privacy risks from extensions have explored certain privacy-invasive behavior but overlooked the user contents of web pages, which often contains the richest user data. Furthermore, some solutions are no longer functional due to significant changes with both the Chromium and extension platform design. Thus, informed by our empirical investigation of modern-day extensions, Chromium, and web standards, we developed a new dynamic browser taint tracking system to monitor sensitive user content across web pages and extensions. We empirically evaluated all functional Chrome extensions and observed privacy risks in over 3K extensions. Our system serves as a tool for the extension vetting process, detecting extensions that pose significant privacy risks before they are deployed to users. 

Finally, I will discuss my ongoing work in building a solution to automatically analyze website privacy policies and effectively detect inconsistencies between the user data collection and third-party data sharing described in policies and the actual behavior of websites. I will briefly discuss my progress in collecting privacy policy data and exploring automated methods for analyzing privacy policies.