[talks] Michael Kranch will present his Master's Thesis Defense on 3/4 at 12:30 in CITP Conference Room

Nicki Gotsis ngotsis at CS.Princeton.EDU
Wed Mar 4 10:26:35 EST 2015


Michael Kranch will present his Master's Thesis Defense on 3/4 at 12:30 in CITP Conference Room.  His advisors are Ed Felten and Jen Rexford.

Title: Upgrading HTTPS Mid-Air: An empirical study of strict transport security and public key pinning

Strict transport security (HSTS) and public-key pinning (HPKP) are two web security features that have been added to the web platform to harden HTTPS, the prevailing standard for secure web browsing. While these technologies are now supported by almost all modern browsers, limited work has been done on these features since their initial papers. We have conducted the first in-depth empirical study of these two technologies. While HSTS is further along, both features still have limited deployment at a few large websites and a long tail of small security-conscious sites. We find evidence of developers not understanding the correct use of these features, with a substantial portion using them in invalid or illogical ways. We also identify a number of subtle but important errors in practical deployments which often undermine the security these new features are meant to provide. For example, the majority of pinned domains undermine the security benefits by loading non-pinned resources with the ability to hijack the page. A substantial portion of HSTS domains and nearly all pinned domains leaked cookie values, including login cookies, due to the poorly-understood interaction between HTTP cookies and the same-origin policy. Our findings highlight that the web platform, as well as modern web sites, are large and complicated enough to make even conceptually simple security upgrades challenging to deploy in practice.
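The deployment mistakes the abstract lists (malformed or illogical HSTS/HPKP headers, non-pinned scripts on pinned pages, cookies that ride plain HTTP to subdomains HSTS does not cover) can be audited from a site's own response headers. The following is an added illustration written for this announcement, not code from the thesis or its authors. It assumes the header syntax of RFC 6797 (HSTS) and RFC 7469 (HPKP, which requires max-age and at least two pin-sha256 values), the current preload-list requirement of includeSubDomains plus a one-year max-age, and the browser cookie model in which a cookie lacking the Secure attribute is sent over HTTP to every host in its scope. The sample headers and script URLs are constructed.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Constructed sample: headers one HTTPS response might carry (not taken from the study).
SAMPLE_HEADERS = {
    "strict-transport-security": ["max-age=31536000"],
    "public-key-pins": ['pin-sha256="' + "A" * 43 + '="; max-age=5184000'],
    "set-cookie": [
        "session=abc123; Domain=example.com; Path=/; HttpOnly",
        "pref=dark; Path=/; Secure",
    ],
}


def parse_directives(value: str) -> Dict[str, List[str]]:
    """Split a header value into lower-cased directive names -> values.
    Repeated directives (several pin-sha256) are kept in order; valueless
    directives (includeSubDomains, Secure) map to ['']."""
    out: Dict[str, List[str]] = {}
    for part in value.split(";"):
        part = part.strip()
        if part:
            name, _, val = part.partition("=")
            out.setdefault(name.strip().lower(), []).append(val.strip().strip('"'))
    return out


def max_age(d: Dict[str, List[str]]) -> Optional[int]:
    """max-age as an int, or None when absent or non-numeric (browsers then ignore the header)."""
    vals = d.get("max-age")
    return int(vals[0]) if vals and vals[0].isdigit() else None


def audit(headers: Dict[str, List[str]]) -> List[str]:
    """headers: lower-cased header name -> list of values. Returns findings (empty = nothing flagged)."""
    findings: List[str] = []
    hsts = headers.get("strict-transport-security", [])
    hpkp = headers.get("public-key-pins", [])
    include_sub = False
    if not hsts:
        findings.append("HSTS: header absent; plain-HTTP requests to this host are not upgraded")
    else:
        d = parse_directives(hsts[0])
        age = max_age(d)
        include_sub = "includesubdomains" in d
        if age is None:
            findings.append("HSTS: max-age missing or malformed; browsers ignore the header")
        elif age == 0:
            findings.append("HSTS: max-age=0 deletes the policy instead of enabling it")
        if not include_sub:
            findings.append("HSTS: no includeSubDomains; subdomains stay reachable over HTTP")
        if "preload" in d and (not include_sub or (age or 0) < 31536000):
            findings.append("HSTS: preload requested but the list requires includeSubDomains and max-age >= 1 year")
    if hpkp:
        d = parse_directives(hpkp[0])
        pins = d.get("pin-sha256", [])
        if max_age(d) is None:
            findings.append("HPKP: max-age missing or malformed; browsers ignore the header")
        if len(pins) < 2:
            findings.append("HPKP: fewer than two pin-sha256 values; RFC 7469 requires a backup pin, so the header is ignored")
        for p in pins:
            if not re.fullmatch(r"[A-Za-z0-9+/]{43}=", p):
                findings.append(f"HPKP: pin {p!r} is not a base64 SHA-256 digest")
    # Cookies are scoped by host (and Domain), never by scheme: without Secure the
    # browser sends them over plain HTTP to any host within scope.
    for cookie in headers.get("set-cookie", []):
        attrs = parse_directives(cookie)
        name = cookie.split("=", 1)[0].strip()
        if "secure" in attrs:
            continue
        if not hsts:
            findings.append(f"cookie {name!r}: no Secure flag and no HSTS; sent over plain HTTP")
        elif "domain" in attrs and not include_sub:
            findings.append(f"cookie {name!r}: no Secure flag, Domain-scoped, and HSTS lacks includeSubDomains; "
                            "sent over HTTP to subdomains HSTS does not protect")
        else:
            findings.append(f"cookie {name!r}: protected by HSTS alone; add Secure so it never travels over HTTP")
    return findings


def unpinned_script_hosts(pinned_host: str, include_sub: bool, script_urls: List[str]) -> List[str]:
    """Hosts of scripts that the page's pin set does not cover. Script from such a host
    runs with the pinned page's authority, which is the 'non-pinned resources' problem above."""
    def covered(host: str) -> bool:
        return host == pinned_host or (include_sub and host.endswith("." + pinned_host))
    hosts = {urlparse(u).hostname for u in script_urls}
    return sorted(h for h in hosts if h and not covered(h))


if __name__ == "__main__":
    for finding in audit(SAMPLE_HEADERS):
        print("-", finding)
    print(unpinned_script_hosts("example.com", False, [
        "https://example.com/app.js",
        "https://cdn.example.com/lib.js",
        "https://analytics.example.net/a.js",
    ]))
```

Run against the constructed sample, the audit flags the missing includeSubDomains, the single-pin HPKP header that browsers will discard, and the Domain-scoped login cookie that a non-HSTS subdomain can receive over HTTP; the script check lists both the CDN subdomain and the third-party host as outside the pin set until includeSubDomains is added.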

All are welcome to join.

