Title: Real or Not? Empirically Evaluating Web Security and Privacy Concerns.

Date: November 15, 2022

Time: 11:00am – 12:00pm EST

Location: Virtual on MS Teams (link), Meeting ID: 236 753 904 259 and Passcode: C85JwW

Dhruv Kuchhal

PhD Student in Computer Science

School of Cybersecurity and Privacy

Georgia Institute of Technology

Committee:

• Dr. Frank Li (Advisor, School of Cybersecurity and Privacy, Georgia Institute of Technology)
• Dr. Paul Pearce (School of Cybersecurity and Privacy, Georgia Institute of Technology)
• Dr. Brendan Saltaformaggio (School of Cybersecurity and Privacy, Georgia Institute of Technology)
• Dr. Alberto Dainotti (School of Computer Science, Georgia Institute of Technology)
• Dr. Adam Oest (PayPal, Inc.)

Abstract:

Security and privacy concerns for the web can manifest in practice due to inadvertent misconfigurations, or intentionally be considered an acceptable risk to promote better usability or compatibility. Our community needs to monitor when these concerns become realistic threats and propose defenses to mitigate them while minimizing the decline in usability. To take a meaningful next step towards improving the state of safety for users on the web, it is imperative to first bridge the gap between theory and practice by corroborating with evidence the extent to which such weaknesses exist on the web today. To that end, this proposal discusses empirical studies to shed light on the state of security and privacy on the web, as well as future directions I intend to explore in my dissertation.

First, I will discuss an assessment of the practical security of FIDO2, a protocol suite for passwordless authentication which has gained significant adoption recently. FIDO2 uses public-key cryptography to replace shared authentication secrets, such as passwords, which can be leaked or phished. It leverages authentication performed locally at user devices (e.g., biometric matching) to support a seamless and secure authentication workflow backed by hardware security guarantees. However, both by design and as demonstrated by prior work, its security depends on key assumptions about the integrity and benign behavior of the client-side protocol components. I will start by discussing realistic attacks and potential defenses possible in theory, when the assumptions about the client-side protocol components do not hold, and follow it up with an empirical evaluation of the susceptibility of real-world FIDO2 deployments. My work highlights the vulnerabilities in real-world passwordless authentication and provides recommendations for improved deployments in the future.

Next, I will discuss the privacy implications of local network communications by popular websites. Webpages are known to request various third-party assets from the Internet, but in theory, they can also request resources from localhost and devices in the LAN, providing a degree of internal network access to external entities. My work empirically explores the extent to which popular websites are interacting with their visitors’ localhost and LAN resources and compares the behavior observed to that from known malware, phishing, or abuse-related websites. The study uncovers a non-trivial number of highly-ranked sites making requests to internal network destinations – with over 40% doing so to conduct host profiling, purportedly for fraud and bot detection. While malicious sites were not found to be utilizing this vector for internal network attacks yet, I will discuss the security implications of such access, as well as potential defenses and ongoing work to close this gap.

Finally, I will talk about my ongoing work in examining if Android apps abuse the sweeping access (provided to them by design) to control a user's in-app web browsing experience (WebViews). I will briefly discuss my progress in exploring static analysis approaches in detecting the modifications made by apps to their WebViews, and my plan to leverage dynamic analysis approaches to identify if different apps treat the same webpage differently. Ultimately, my thesis contributes empirical approaches to bridge the gap between theoretical web security and privacy concerns and their practical manifestations.