GGrantIndex
← Search

NeTS-ANET: SSL Misuse, Web Bugs, and Open Redirects: Prevalence, Implications, and Defense

$100,050FY2008CSENSF

Indiana University, Bloomington IN

Investigators

Abstract

Very little research exists in understanding the risks to users of powerful web features, as seen from a user-centric point of view. This project seeks to fill this void by creating a framework for this understanding by studying three classes of known (and urgent) threat: misuses of secure socket layer (SSL), web bugs (a technique for spying on the user of web page), and open redirects (a technique for transferring the user to a different web page perhaps without detection). These are costly and urgent current threats; results of preliminary research were presented at the USENIX 2008 Workshop on Offensive Technologies and an article in the Washington Post on July 16, 2008 reported on this paper. The project envisions the three specific problems as representing three major classes of the users' web risks and thus leading to a user-centric security framework. The broad research activities include: 1. Measurement: through a combination of active Web crawling and passive observation, the research is quantifying the nature and extent of the three threats, and in the process developing techniques for accurately identifying their occurrences. 2. User-centric correlation studies: When multiple web sites subscribe to the same web bug hosting company, that (malicious) company can track user behavior across multiple sites. This is one example of a correlation threat. The project also studies the correlated threats to user security and privacy. The broader impacts of the project include: 1. User security and privacy on the Web: The project advances a user-centric view of security and privacy on the Web. This is a current and urgent social need. The research group has already developed several user-side tools that help prevent or at least reveal problem, and it will continue to develop and publish these to the public domain. 2. Open access to data: crawling the Web is very resource intensive and few sources make this data publicly available. The group makes its data available to the research community.

View original record on NSF Award Search →