Digitala Vetenskapliga Arkivet

On Certificate Transparency Verification and Unlinkability of Websites Visited by Tor Users
Karlstad University, Faculty of Health, Science and Technology (starting 2013), Department of Mathematics and Computer Science (from 2013). ORCID iD: 0000-0003-0840-5072
2023 (English)
Doctoral thesis, comprehensive summary (Other academic)
Abstract [en]

Certificate Transparency is an ecosystem of logs, monitors, and auditors that hold certificate authorities accountable while issuing certificates. We show how the amount of trust that TLS clients and domain owners need to place in Certificate Transparency can be reduced, both in the context of existing gradual deployments and the largely unexplored area of Tor. Our contributions include improved third-party monitoring, a gossip protocol plugging into Certificate Transparency over DNS, an incrementally deployable gossip-audit model tailored for Tor Browser, and using certificates with onion addresses. The methods used range from proof sketches to Internet measurements and prototype evaluations. An essential part of our evaluation in Tor is to assess how the protocols used during website visits—such as requesting an inclusion proof from a Certificate Transparency log—affect unlinkability between senders and receivers. We find that most false positives in website fingerprinting attacks can be eliminated for all but the most frequently visited sites. This is because the destination anonymity set can be reduced due to how Internet protocols work: communication is observable and often involves third-party interactions. Some of the used protocols can further be subject to side-channel analysis. For example, we show that remote (timeless) timing attacks against Tor’s DNS cache reliably reveal the timing of past exit traffic. The severity and practicality of our extension to website fingerprinting pose threats to the anonymity provided by Tor. We conclude that access to a so-called website oracle should be an assumed attacker capability when evaluating website fingerprinting defenses.

Abstract [sv]

The Certificate Transparency project is an ecosystem of logs, monitors, and auditors that holds certificate authorities accountable for issued web certificates. We show how security in the ecosystem can be increased for both domain owners and TLS clients, in current systems as well as in the anonymity network Tor. Among our larger contributions are improved monitoring of the logs, a gossip protocol integrated with DNS, a gossip and audit protocol designed specifically for Tor's browser, and a proposal for how domain names with addresses in Tor can become more accessible. The methods used range from security proofs to Internet measurements and evaluations of research prototypes. An important part of our evaluation in Tor is to determine how protocols used by web browsers affect the possibility of linking users to visited websites. This includes existing protocols as well as new extensions for verifying whether websites' certificates are transparency logged. Our results show that in many cases false positives can be filtered out in pattern recognition of Tor users' encrypted traffic (website fingerprinting). The reason is that visits to most websites can be ruled out as a consequence of how Internet protocols work: communication is observable and often involves interactions with third parties. Some protocols additionally have side channels that can be analyzed. We show, for example, that Tor's DNS cache can be probed with different variants of timing attacks. These attacks are easy to carry out over the Internet and reveal which domain names were looked up at given points in time. The improved website fingerprinting attacks are realistic and therefore threaten Tor's anonymity. Our conclusion is that future defenses should be evaluated on the basis that attackers have access to a so-called website oracle.

Place, publisher, year, edition, pages
Karlstad: Karlstads universitet, 2023, p. 29
Series
Karlstad University Studies, ISSN 1403-8099 ; 2023:15
Keywords [en]
Auditing, Certificate Transparency, DNS, Gossip, Side-Channels, Timing Attacks, Tor, Tor Browser, Website Fingerprinting, Website Oracles
Keywords [sv]
Auditing, Certificate Transparency, DNS, Gossip, Side Channels, Timing Attacks, Tor, Tor Browser, Pattern Recognition, Website Oracle
National Category
Computer Sciences
Research subject
Computer Science
Identifiers
URN: urn:nbn:se:kau:diva-94343
ISBN: 978-91-7867-372-8 (print)
ISBN: 978-91-7867-373-5 (electronic)
OAI: oai:DiVA.org:kau-94343
DiVA, id: diva2:1751660
Public defence
2023-06-12, Eva Eriksson, 21A 342, Karlstad University, Karlstad, 10:15 (English)
Opponent
Supervisors
Projects
HITS (4707), SURPRISE (SSF, RIT17-0005)
Available from: 2023-05-22 Created: 2023-04-18 Last updated: 2023-05-22
Bibliographically approved
List of papers
1. Verifiable Light-Weight Monitoring for Certificate Transparency Logs
2018 (English) In: Secure IT Systems. NordSec 2018: Lecture Notes in Computer Science, vol. 11252 / [ed] N. Gruschka, Springer, 2018, p. 171-183
Conference paper, Published paper (Refereed)
Abstract [en]

Trust in publicly verifiable Certificate Transparency (CT) logs is reduced through cryptography, gossip, auditing, and monitoring. The role of a monitor is to observe each and every log entry, looking for suspicious certificates that interest the entity running the monitor. While anyone can run a monitor, it requires continuous operation and copies of the logs to be inspected. This has led to the emergence of monitoring as-a-service: a trusted third-party runs the monitor and provides registered subjects with selective certificate notifications. We present a CT/bis extension for verifiable light-weight monitoring that enables subjects to verify the correctness of such certificate notifications, making it easier to distribute and reduce the trust which is otherwise placed in these monitors. Our extension supports verifiable monitoring of wild-card domains and piggybacks on CT’s existing gossip-audit security model.

Place, publisher, year, edition, pages
Springer, 2018
Series
Lecture Notes in Computer Science, ISSN 0302-9743 ; 11252
Keywords
Certificate Transparency, Monitoring, Security protocols, Network security, Transparency, Continuous operation, Light weight, Publicly verifiable, Security model, Trusted third parties, Wild cards, Patient monitoring
National Category
Computer and Information Sciences
Research subject
Computer Science
Identifiers
urn:nbn:se:kau:diva-70591 (URN); 10.1007/978-3-030-03638-6_11 (DOI); 000509939800011 (); 2-s2.0-85057389362 (Scopus ID); 9783030036379 (ISBN)
Conference
Secure IT Systems. NordSec 2018, 28 November 2018 through 30 November 2018
Projects
HITS, 4707
Funder
Knowledge Foundation
Available from: 2018-12-20 Created: 2018-12-20 Last updated: 2023-04-18
Bibliographically approved
2. Aggregation-Based Certificate Transparency Gossip
2019 (English) In: Proceedings of The Thirteenth International Conference on Emerging Security Information, Systems and Technologies - SECURWARE 2019, October 27, 2019 to October 31, 2019 - Nice, France / [ed] Stefan Rass; George Yee, International Academy, Research and Industry Association (IARIA), 2019
Conference paper, Published paper (Refereed)
Abstract [en]

Certificate Transparency (CT) requires that every certificate which is issued by a certificate authority must be publicly logged. While a CT log can be untrusted in theory, it relies on the assumption that every client observes and cryptographically verifies the same log. As such, some form of gossip mechanism is needed in practice. Despite CT being adopted by several major browser vendors, no gossip mechanism is widely deployed. We suggest an aggregation-based gossip mechanism that passively observes cryptographic material that CT logs emit in plain text, aggregating at packet processors (such as routers and switches) to periodically verify log consistency off-path. In other words, gossip is provided as-a-service by the network. Our proposal can be implemented for a variety of programmable packet processors at line-speed without aggregation distinguishers (throughput), and, based on 20 days of RIPE Atlas measurements that represent clients from 3500 autonomous systems, we show that significant protection against split-viewing CT logs can be achieved with a realistic threat model and an incremental deployment scenario.

Place, publisher, year, edition, pages
International Academy, Research and Industry Association (IARIA), 2019
Keywords
Certificate Transparency, Gossip, P4, XDP
National Category
Computer Sciences
Research subject
Computer Science
Identifiers
urn:nbn:se:kau:diva-77388 (URN); 9781713800521 (ISBN)
Conference
The Thirteenth International Conference on Emerging Security Information, Systems and Technologies - SECURWARE 2019, October 27, 2019 to October 31, 2019 - Nice, France
Projects
HITS
Funder
Knowledge Foundation, 4707
Available from: 2020-03-31 Created: 2020-03-31 Last updated: 2023-05-02
Bibliographically approved
3. Privacy-Preserving & Incrementally-Deployable Support for Certificate Transparency in Tor
2021 (English) In: Proceedings on Privacy Enhancing Technologies Symposium / [ed] Aaron Johnson and Florian Kerschbaum, Sciendo, 2021, Vol. 2021, no 2, p. 194-213
Conference paper, Published paper (Refereed)
Abstract [en]

The security of the web improved greatly throughout the last couple of years.  A large majority of the web is now served encrypted as part of HTTPS, and web browsers accordingly moved from positive to negative security indicators that warn the user if a connection is insecure.  A secure connection requires that the server presents a valid certificate that binds the domain name in question to a public key.  A certificate used to be valid if signed by a trusted Certificate Authority (CA), but web browsers like Google Chrome and Apple's Safari have additionally started to mandate Certificate Transparency (CT) logging to overcome the weakest-link security of the CA ecosystem.  Tor and the Firefox-based Tor Browser have yet to enforce CT.

In this paper, we present privacy-preserving and incrementally-deployable designs that add support for CT in Tor. Our designs go beyond the currently deployed CT enforcements that are based on blind trust: if a user that uses Tor Browser is man-in-the-middled over HTTPS, we probabilistically detect and disclose cryptographic evidence of CA and/or CT log misbehavior.  The first design increment allows Tor to play a vital role in the overall goal of CT: detect mis-issued certificates and hold CAs accountable.  We achieve this by randomly cross-logging a subset of certificates into other CT logs.  The final increments hold misbehaving CT logs accountable, initially assuming that some logs are benign and then without any such assumption.  Given that the current CT deployment lacks strong mechanisms to verify if log operators play by the rules, exposing misbehavior is important for the web in general and not just Tor.  The full design turns Tor into a system for maintaining a probabilistically-verified view of the CT log ecosystem available from Tor's consensus.  Each increment leading up to it preserves privacy due to and how we use Tor.

Place, publisher, year, edition, pages
Sciendo, 2021
Keywords
Certificate Transparency, Tor
National Category
Computer Sciences
Research subject
Computer Science
Identifiers
urn:nbn:se:kau:diva-94320 (URN); 10.2478/popets-2021-0024 (DOI)
Conference
The 21st Privacy Enhancing Technologies Symposium, [Digital], July 12-16, 2021.
Projects
HITS (4707), SURPRISE (SSF, RIT17-0005)
Funder
Swedish Foundation for Strategic Research
Available from: 2023-04-18 Created: 2023-04-18 Last updated: 2023-04-20
Bibliographically approved
4. Sauteed Onions: Transparent Associations from Domain Names to Onion Addresses
2022 (English) In: WPES'22: Proceedings of the 21st Workshop on Privacy in the Electronic Society, Association for Computing Machinery (ACM), 2022, Vol. November 2022, p. 35-40
Conference paper, Published paper (Refereed)
Abstract [en]

Onion addresses offer valuable features such as lookup and routing security, self-authenticated connections, and censorship resistance. Therefore, many websites are also available as onionsites in Tor. The way registered domains and onion addresses are associated is however a weak link. We introduce sauteed onions, transparent associations from domain names to onion addresses. Our approach relies on TLS certificates to establish onion associations. It is much like today's onion location which relies on Certificate Authorities (CAs) due to its HTTPS requirement, but has the added benefit of becoming public for everyone to see in Certificate Transparency (CT) logs. We propose and prototype two uses of sauteed onions: certificate-based onion location and search engines that use CT logs as the underlying database. The achieved goals are consistency of available onion associations, which mitigates attacks where users are partitioned depending on which onion addresses they are given, forward censorship-resistance after a TLS site has been configured once, and improved third-party discovery of onion associations, which requires less trust while easily scaling to all onionsites that opt-in.

Place, publisher, year, edition, pages
Association for Computing Machinery (ACM), 2022
Keywords
certificate transparency, onion services, tls certificates, web pki, HTTP, Network security, Search engines, Seebeck effect, Certificate authority, Certificate-based, Domain names, Lookups, Onion service, Routing security, Tls certificate, Weakest links, Transparency
National Category
Computer Sciences
Research subject
Computer Science
Identifiers
urn:nbn:se:kau:diva-92773 (URN); 10.1145/3559613.3563208 (DOI); 2-s2.0-85143256217 (Scopus ID); 978-1-4503-9873-2 (ISBN)
Conference
21st Workshop on Privacy in the Electronic Society, Los Angeles, USA, November 7-11, 2022.
Funder
Swedish Foundation for Strategic Research
Available from: 2022-12-29 Created: 2022-12-29 Last updated: 2023-04-18
Bibliographically approved
5. Website fingerprinting with website oracles
2020 (English) In: Proceedings on Privacy Enhancing Technologies, ISSN 2299-0984, Vol. 2020, no 1, p. 235-255
Article in journal (Refereed) Published
Abstract [en]

Website Fingerprinting (WF) attacks are a subset of traffic analysis attacks where a local passive attacker attempts to infer which websites a target victim is visiting over an encrypted tunnel, such as the anonymity network Tor. We introduce the security notion of a Website Oracle (WO) that gives a WF attacker the capability to determine whether a particular monitored website was among the websites visited by Tor clients at the time of a victim’s trace. Our simulations show that combining a WO with a WF attack—which we refer to as a WF+WO attack—significantly reduces false positives for about half of all website visits and for the vast majority of websites visited over Tor. The measured false positive rate is on the order of one false positive per million classified website traces for websites around Alexa rank 10,000. Less popular monitored websites show orders of magnitude lower false positive rates.

We argue that WOs are inherent to the setting of anonymity networks and should be an assumed capability of attackers when assessing WF attacks and defenses. Sources of WOs are abundant and available to a wide range of realistic attackers, e.g., due to the use of DNS, OCSP, and real-time bidding for online advertisement on the Internet, as well as the abundance of middleboxes and access logs. Access to a WO indicates that the evaluation of WF defenses in the open world should focus on the highest possible recall an attacker can achieve. Our simulations show that augmenting the Deep Fingerprinting WF attack by Sirinam et al. [60] with access to a WO significantly improves the attack against five state-of-the-art WF defenses, rendering some of them largely ineffective in this new WF+WO setting.

Place, publisher, year, edition, pages
De Gruyter Open, 2020
Keywords
Website fingerprinting; website oracles; traffic analysis; security model; design
National Category
Computer Sciences
Research subject
Computer Science
Identifiers
urn:nbn:se:kau:diva-77048 (URN); 10.2478/popets-2020-0013 (DOI)
Projects
HITS, 4707 (Rasmus D); KATT and PAF5G (Tobias P)
Funder
Knowledge Foundation
Note

KATT and PAF5G are projects funded by Internetstiftelsen

Available from: 2020-02-25 Created: 2020-02-25 Last updated: 2023-04-18
Bibliographically approved
6. Timeless Timing Attacks and Preload Defenses in Tor's DNS Cache
2023 (English) In: Proceedings of the 32nd USENIX Security Symposium, USENIX - The Advanced Computing Systems Association, 2023, Vol. 4, p. 2635-2652
Conference paper, Published paper (Refereed)
Abstract [en]

We show that Tor's DNS cache is vulnerable to a timeless timing attack, allowing anyone to determine if a domain is cached or not without any false positives. The attack requires sending a single TLS record. It can be repeated to determine when a domain is no longer cached to leak the insertion time. Our evaluation in the Tor network shows no instances of cached domains being reported as uncached and vice versa after 12M repetitions while only targeting our own domains. This shifts DNS in Tor from an unreliable side-channel, using traditional timing attacks with network jitter, to being perfectly reliable. We responsibly disclosed the attack and suggested two short-term mitigations.

As a long-term defense for the DNS cache in Tor against all types of (timeless) timing attacks, we propose a redesign where only an allowlist of domains is preloaded to always be cached across circuits. We compare the performance of a preloaded DNS cache to Tor's current solution towards DNS by measuring aggregated statistics for four months from two exits (after engaging with the Tor Research Safety Board and our university ethical review process). The evaluated preload lists are variants of the following top-lists: Alexa, Cisco Umbrella, and Tranco. Our results show that four-months-old preload lists can be tuned to offer comparable performance under similar resource usage or to significantly improve shared cache-hit ratios (2-3x) with a modest increase in memory usage and resolver load compared to a 100 Mbit/s exit. We conclude that Tor's current DNS cache is mostly a privacy harm because the majority of cached domains are unlikely to lead to cache hits but remain there to be probed by attackers.

Place, publisher, year, edition, pages
USENIX - The Advanced Computing Systems Association, 2023
Keywords
Tor, DNS, Side-channels, Timing attack, Timeless timing attack, Traffic Analysis, Website Fingerprinting, Website Oracle
National Category
Computer Sciences
Research subject
Computer Science
Identifiers
urn:nbn:se:kau:diva-94325 (URN); 2-s2.0-85176112393 (Scopus ID); 978-1-939133-37-3 (ISBN)
Conference
32nd USENIX Security Symposium, Anaheim, USA, August 9-11, 2023.
Projects
SURPRISE (SSF, RIT17-0005)
Funder
Swedish Foundation for Strategic Research
Available from: 2023-04-18 Created: 2023-04-18 Last updated: 2023-11-28
Bibliographically approved

Open Access in DiVA

fulltext_KAPPAN (1669 kB), 375 downloads
File information
File name FULLTEXT02.pdf
File size 1669 kB
Checksum SHA-512
af3aa77a25e41f5bfd6d92fd2435d10d64369b0147e2b97949149264f166fdebd4ec4db523fbb8931560460a92a99d68f764732fa7fea06bdb96c34306af42c9
Type fulltext
Mimetype application/pdf

Search in DiVA

By author/editor
Dahlberg, Rasmus
By organisation
Department of Mathematics and Computer Science (from 2013)
Computer Sciences

Total: 3180 hits