Dimitris Simos @ University of Bergamo

Dimitris Simos is invited to the Faculty of Engineering, University of Bergamo, Italy from May 22 to June 5 as visiting scholar. The host is Prof. Angelo Gargantini.

Congratulations Dr. Martina Lindorfer

Martina finally got her PhD officially awarded in today’s ceremony Sub auspiciis Praesidentis.

Paper accepted at USENIX Security 2017

Our paper ‘“I Have No Idea What I’m Doing” – On the Usability of Deploying HTTPS’ has been accepted for publication at the USENIX Security Symposium 2017, to take place in Vancouver this August. 85 out of 522 submissions (acceptance rate 16%) have been accepted. Kudos to Katharina and Willi!

Abstract: Protecting communication content at scale is a difficult task, and TLS is the protocol most commonly used to do so. However it has been shown that deploying it in a truly secure fashion is challenging for a large fraction of online service operators. While Let’s Encrypt was specifically built and launched to ease the process of TLS deployments, this paper aims to understand the reasons for why it has been so hard to deploy correctly and studies the usability of the TLS deployment process for HTTPS. We performed a series of experiments with 28 knowledgable participants and revealed significant usability challenges that result in weak TLS configurations. Additionally, we conducted expert interviews with 7 experienced security auditors. Our results suggest that the deployment process is far too complex even for people with proficient knowledge in the field, and that server configurations should have stronger security by default. While the results from our expert interviews confirm the ecological validity of the lab study results, they additionally highlight that even educated users prefer solutions that are easy to use. An improved and less vulnerable workflow would be very beneficial to finding stronger configurations in the wild.

Edgar Weippl gives a keynote at RCIS 2017

On May 11, Edgar Weippl talks about research challenges and research methods in applied information security at the Eleventh IEEE International Conference on Research Challenges in Information Science (RCIS 2017) in Brighton, UK.

CTF team We_0wn_Y0u secured 3rd place in academic International Capture the Flag (iCTF) contest

Last weekend, the SBA-supported CTF team “We_0wn_Y0u” (W0Y) of the TU Wien again showcased its outstanding capabilities. In the academic International Capture the Flag (iCTF) contest they secured the third place out of 78 participating universities worldwide in an 8-hour race. W0Y started receiving points late in the game but managed to overtake the field leaving only Moscow State University (1st) and Saarbrücken University (2nd) in front.

As a novelty, this year, the iCTF also included a 24-hour non-academic contest where W0Y scored 4th out of 317 teams. The 24 hours meant three times more fun (by time), but also unique challenges regarding rest times and shift operations.

W0Y has a long-standing tradition in participating iCTF since 2005. They managed to be in the top-10 every time and won the competition twice. They comprise outstanding students and teaching staff of the “Internet Security” and “Advanced Internet Security” course-series taught at TU Wien. The courses are a cooperation of the Institute of Computer Aided Automation and the Institute for Software and Interactive Systems.  The lectures are sometimes called hacking-course since they teach the unique offensive perspective to enable students to understand attackers and develop secure software in the future.

The iCTF is a so-called “attack-defense” competition. Every team has the same copy of a server to defend against other teams and simultaneously to attack the competitors. Each server provides about a couple of services. Attack points are awarded for every service that a team manages to overtake from another team by stealing a “flag”. Flags are files containing a secret unique to that team and service. Defense points are awarded for keeping the own services running and secure (i.e., not losing any flags).

Rest of the team after 24h / Photo: Georg Merzdovnik

The team likes to thank the UC Santa Barbara and Arizona State University for organizing the competition.


SBA Research is hosting an ERCIM Postdoc Fellow

In the context of the ERCIM Research Exchange Programme, SBA Research is hosting between February 23 and March 1, 2017 Dr. Zeeshan Ali Khan.

Zeeshan is an ERCIM Postdoc Fellow with the Department of Telematics of the Norwegian University of Science and Technology (NTNU) working under the supervision of Prof. Peter Herrmann on “Trust based Security Solutions for Resource Constrained IoT Devices”.

Paper accepted @ IEEE EuroS&P 2017

Our paper titled “Block Me If You Can: A Large-Scale Study of Tracker-Blocking Tools” has been accepted for publication at IEEE EuroS&P 2017.

The paper is a joint work of SBA Research (G. Merzdovnik, D. Buhov, S. Neuner, M. Schmiedecker, and E. Weippl), FH St. Pölten (M. Huber), and Stony Brook University (N. Nikiforakis).

In total, 38 out of 194 submissions were accepted (acceptance rate: 19.6%). The 2nd IEEE European Symposium on Security and Privacy will be held on April 26-28, 2017 in Paris, France.

Abstract of the paper:
Online third-party tracking has become a widespread practice on the Internet, with serious implications for the privacy of users. While users are often unaware that their online behaviour is being monitored by omnipresent third-party trackers, trackers continuously expand their coverage and the methods by which they ensure the longevity of their tracking identifiers.

In this paper, we quantify the effectiveness of third-party tracker blockers on a large scale. First, we analyze the architecture of various, state-of-the-art blocking solutions and discuss the advantages and disadvantages of each method. Second, we perform a two-part measurement study on the effectiveness of popular tracker-blocking tools. Our analysis quantifies the protection offered against trackers present on more than 100,000 popular websites and 10,000 popular Android applications. We provide novel insights into the ongoing arms race between trackers and developers of blocking tools, and which tools, under what circumstances, achieve the best results. Among others, we discover that rule-based browser extensions outperform learning-based ones, trackers with smaller footprints are more successful at avoiding being blocked, and CDNs pose a major threat towards the future of tracker-blocking tools.