Managing our online account security
The number of online services, accounts, apps, and devices that we use is constantly increasing and so is the complexity of the interconnections between them. These interconnections have been exploited in targeted attacks that range from account takeovers to cryptocurrency theft. Protecting users from such attacks is difficult because each user’s account ecosystem is individual.
In this talk I will introduce account access graphs which are a formal model to represent a user’s account ecosystem, i.e., the collection of accounts, apps, and devices, as well as their interconnections. I will show examples of account access graphs from our user studies and present some of the insights we have gained from them. I will then discuss some of the challenges we must overcome in order to build an account management tool aimed at empowering users to better protect their individual account ecosystem.
This talk is based on joint work published at CCS 2019 and CHI 2022, carried out at ETH Zurich, the University of Dundee and Heriot-Watt University.
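As an added illustration (not code from the talk or from the CCS 2019 paper), the Python script below models a small, constructed account ecosystem in the spirit of an account access graph. The rule semantics used here are an assumption made for the example: each rule lists the accounts, devices or credentials that together grant access to a target node, and access is computed as the least fixpoint over those rules. The node names and rules are constructed and do not come from any user study; the functions show the kind of question an account management tool would answer for a user, namely what else is exposed if one item is lost and which single items already unlock a given account.

```python
from typing import Dict, FrozenSet, List, Set, Tuple

# An access rule (premise, target): holding ALL nodes in `premise` gives access
# to `target`. Several rules for the same target model alternative routes in,
# e.g. a normal login versus a password reset. This semantics is an assumption
# made for this example, not the definition from the talk's paper.
AccessRule = Tuple[FrozenSet[str], str]

# Constructed example ecosystem (assumed names; not from any user study).
RULES: List[AccessRule] = [
    (frozenset({"email_password"}), "email"),
    (frozenset({"phone"}), "email"),                   # mail app on the phone stays signed in
    (frozenset({"shop_password"}), "shop"),
    (frozenset({"email"}), "shop"),                    # shop's "forgot password" mails a reset link
    (frozenset({"email"}), "cloud_backup"),            # same for the cloud backup account
    (frozenset({"cloud_backup"}), "phone"),            # restoring the backup restores the phone's sessions
    (frozenset({"bank_password", "phone"}), "bank"),   # password plus SMS code delivered to the phone
]


def all_nodes(rules: List[AccessRule] = RULES) -> Set[str]:
    """Every account, device or credential mentioned in the rules."""
    return {t for _, t in rules} | {n for p, _ in rules for n in p}


def reachable(held: Set[str], rules: List[AccessRule] = RULES) -> Set[str]:
    """Everything that can be accessed starting from `held` (least fixpoint)."""
    have = set(held)
    changed = True
    while changed:
        changed = False
        for premise, target in rules:
            if target not in have and premise <= have:
                have.add(target)
                changed = True
    return have


def weakest_links(target: str, rules: List[AccessRule] = RULES) -> List[str]:
    """Single nodes whose loss alone already yields `target`."""
    return sorted(n for n in all_nodes(rules)
                  if n != target and target in reachable({n}, rules))


def exposure_report(rules: List[AccessRule] = RULES) -> Dict[str, List[str]]:
    """For each node, everything else that falls with it, largest blast radius first."""
    report = {n: sorted(reachable({n}, rules) - {n}) for n in all_nodes(rules)}
    return dict(sorted(report.items(), key=lambda kv: (-len(kv[1]), kv[0])))


if __name__ == "__main__":
    for node, falls in exposure_report().items():
        print(f"{node:15s} -> {', '.join(falls) or '(nothing else)'}")
    print("single points of failure for bank :", weakest_links("bank") or "none")
    print("single points of failure for email:", weakest_links("email"))
```

In this constructed graph the email account is the hub: losing the email password, the phone, or the cloud backup account each cascades into the other accounts, while the bank account, which requires two independent items, has no single point of failure. A real tool would derive the rules from the user's actual recovery options and device sessions rather than from a hand-written list.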
Failing Content Security Policy? Learning from its past to improve its future
Content Security Policy has been around for 10 years and still only a fraction of sites on the Web leverage its full potential to mitigate XSS and other flaws. In this talk, we will analyze the evolution of CSP over time and how sites could leverage it to secure against three attack classes. This is based on our NDSS 2020 paper (https://swag.cispa.saarland/papers/roth2020csp.pdf), which sheds light on the usage of CSP on 10,000 sites over a period of six years. Furthermore, we discuss insights on the technical roadblocks of CSP from our NDSS 2021 paper (https://swag.cispa.saarland/papers/steffens2021blockparty.pdf), which shows that CSP’s success is in large part blocked by third parties. Finally, we will discuss our most recent work on (un)usability aspects and fundamental roadblocks for developers (CCS 2021, https://swag.cispa.saarland/papers/roth2021usable.pdf).
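As an added example (not code from the talk or from the papers it cites), the Python checker below parses a CSP header and reports whether it provides each of the three protections CSP is deployed for, which I take here to be script-injection (XSS) mitigation, framing control and TLS enforcement. The weak and strict policies are constructed for the example and the nonce value is a placeholder; the checks encode the standard fallback and override behaviour of CSP directives (script-src falls back to default-src, 'unsafe-inline' is ignored once a nonce or hash is present, host lists are ignored under 'strict-dynamic').

```python
import re
from typing import Dict, List

# Constructed example policies (assumed; not taken from any site in the study).
WEAK_CSP = ("default-src 'self' https:; "
            "script-src 'self' 'unsafe-inline' https:; "
            "style-src 'self' 'unsafe-inline'")
# The nonce is a placeholder; a real one is random and fresh for every response.
STRICT_CSP = ("default-src 'none'; script-src 'nonce-ZXhhbXBsZQ==' 'strict-dynamic'; "
              "style-src 'self'; img-src 'self'; object-src 'none'; base-uri 'none'; "
              "frame-ancestors 'none'; upgrade-insecure-requests")

SCHEME_ONLY = re.compile(r"[a-z][a-z0-9+.-]*:")          # e.g. https:  data:
NONCE_OR_HASH = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive: [source expressions]}.
    As in browsers, directive names are case-insensitive and a repeated
    directive is ignored (the first occurrence wins)."""
    policy: Dict[str, List[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def assess(header: str) -> List[str]:
    """Findings for the three protections a CSP can provide:
    script injection (XSS), framing, and TLS / mixed content."""
    p = parse_csp(header)
    findings: List[str] = []

    # 1. XSS mitigation: script-src, falling back to default-src
    script = p.get("script-src", p.get("default-src"))
    if script is None:
        findings.append("xss: neither script-src nor default-src, scripts are unrestricted")
    else:
        has_nonce_or_hash = any(s.startswith(NONCE_OR_HASH) for s in script)
        # 'unsafe-inline' is ignored by CSP2+ browsers once a nonce or hash is present
        if "'unsafe-inline'" in script and not has_nonce_or_hash:
            findings.append("xss: 'unsafe-inline' in script-src lets injected inline scripts run")
        if "'unsafe-eval'" in script:
            findings.append("xss: 'unsafe-eval' in script-src allows eval of injected strings")
        if "'strict-dynamic'" not in script:   # with strict-dynamic, host lists are ignored anyway
            for s in script:
                if s == "*" or SCHEME_ONLY.fullmatch(s.lower()):
                    findings.append(f"xss: overly broad script source {s}")
    obj = p.get("object-src", p.get("default-src"))
    if obj != ["'none'"]:
        findings.append("xss: object-src is not 'none', plugin content can execute script")

    # 2. framing control
    if "frame-ancestors" not in p:
        findings.append("framing: no frame-ancestors, page can be embedded by any origin")

    # 3. TLS enforcement
    if "upgrade-insecure-requests" not in p and "block-all-mixed-content" not in p:
        findings.append("tls: neither upgrade-insecure-requests nor block-all-mixed-content")
    return findings


if __name__ == "__main__":
    for name, header in (("weak", WEAK_CSP), ("strict", STRICT_CSP)):
        print(f"{name}: {assess(header) or ['no findings']}")
```

The checker only reads what the policy asks for; whether a given directive is honoured depends on the browser, and a browser that does not implement a directive silently ignores it. Scheme-only sources such as https: are flagged because, without 'strict-dynamic', they allow script from any host on that scheme, which is the pattern that lets third-party content defeat an otherwise sound policy.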
Small and Different: Security and Privacy Risks of Mobile Browsers
Recent years have seen a steady increase in the sales of mobile devices as more and more users purchase smartphones and tablets to supplement their computing needs. The smartphones’ cleaner UIs, in combination with an ever-increasing number of apps and constantly decreasing prices, are attracting more and more users, who entrust their devices with sensitive data, such as personal photographs, work emails, and financial information. To browse the web from these devices, users can choose between hundreds of competing mobile browsers, each advertising its own unique set of features.
In this talk, we will discuss the idiosyncrasies of these mobile web browsers and show that they are vulnerable to attacks that were never an issue on traditional desktop browsers. We will first present the results of analyzing over 2,000 versions of mobile browsers, spanning five years and 128 browser families, and show that mobile browsers are becoming more vulnerable to certain classes of attacks with each passing year. We will then focus on the ability of mobile browsers to enforce standard security mechanisms, such as HTTP Strict Transport Security (HSTS) and Content Security Policy (CSP). We will show that mobile browsers lag behind desktop browsers in their support of these mechanisms, resulting in users being less secure when they browse a given website with a mobile browser than with a desktop browser. Lastly, we will explore the workings of data-saving mobile browsers and how their unique design can open users up to attacks.