% % Hi, welcome, , . % % % The outline is that I will start by introducing the problem area which spans % Certificate Transparency, Tor, and the combination thereof. Following this, % I will define my research questions and explain my contributions in broad % strokes as a thesis overview. Then I will go some further detail regarding % each contribution. I will wrap up with conclusions and future work as a take % away. % \begin{frame} \mktitle{Outline} \begin{columns} \begin{column}{0.65\textwidth} \centering\includegraphics[width=.8\columnwidth]{img/introduction/outline} \end{column} \begin{column}{0.35\textwidth} \begin{enumerate} \item Introduction \item Thesis overview \item Contributions \item Take away \end{enumerate} \end{column} \end{columns} \end{frame} %%% % Introduction to my research area %%% \subtitle{Introduction} % % Short answer: you're all browsing the web. Are you visiting the real % authentic website? Certificates; much like a passport in the real world. % Trusted party, police; but web = tie a domain name to public key. % % The first problem that my thesis plugs into: how do we detect certificate % mis-issuance. I.e., what if one of these trusted parties issue a valid % certificate to the attacker, either out of malice or due to a mistake? % How would we detect that? What assumptions do we rely on to detect that? % We look at this problem both in the context of regular browsing, but also % in the context of Tor Browser. % % What is TB? FF fork, among other things route traffic through Tor. % Guard, middle, relay. No relay sees both user IP and destination, gives % anonymity. % % Second problem that my thesis plugs into: how is anonymity affected by % the steps TB takes to load a website securely? % \begin{frame} \mktitle{How is all of this related to you?} \begin{columns} \begin{column}{0.5\textwidth} \centering\includegraphics[width=\columnwidth]{img/introduction/chromium}\\ Web browsing \end{column} \begin{column}{0.5\textwidth} \centering\includegraphics[width=\columnwidth]{img/introduction/tb}\\ Possibly with Tor Browser \end{column} \end{columns} \end{frame} % % Okay, so I mentioned certs, cert issuance, and cert mis-issuance several % times now. How does that actually work? % % CSR, log a preliminary version of the certificate in a public CT log. If CT % is new to you, think of this as a public append-only list of certificates. % Fantastic because...monitor. % % To complete issuance of a certificate, the certificate authority waits for % a signed promise that the preceritifcate will be appended within 24h. This % is hardcoded into the final certificate which is served by browsers. % % Browser that support CT like Chrome, reject cert unless two promises. % % This is certificate transparency as deployed at a glance. % % Now if you take the time to think about this setup, you will likely ask % questions like how could you verify that these promises are honored? And % even if you do, how would do you know that you see the same logs as everyone % else? If I'm a log operator, I could... % \begin{frame} \mktitle{Some preliminaries, Certificate Transparency what?} \begin{columns} \begin{column}{0.485\textwidth} \centering\includegraphics[width=\columnwidth]{img/introduction/ct-issuance}\\\vspace{0.33cm} \textbf{Certificate issuance} \end{column} \dashedline \begin{column}{0.485\textwidth} \centering\includegraphics[width=.7\columnwidth]{img/introduction/ct-policy}\\\vspace{0.9cm} \textbf{Browser behavior} \end{column} \end{columns} \pause\vfill\alert{Why should we take log promises at face value?} \end{frame} %%% % Overview of research questions and contributions %%% \subtitle{Research questions and overview} \begin{frame} \mktitle{Research questions} \begin{enumerate} \item Can trust requirements in Certificate Transparency be reduced in practise? \pause\item How can authentication of websites be improved in the context of Tor Browser? \pause\item How do the protocols used during website visits affect unlinkability between Tor users and their destination websites? \end{enumerate} \pause\hfill\includegraphics[width=0.6\textwidth]{img/overview/wf}\\\vspace{.123cm} %\pause\hfill\alert{plus active measures within Tor's threat model} \end{frame} %%% % Contributions in more detail %%% \subtitle{Contributions} % % 6 papers, published in... Together they make 6 collective contributions. % 1. ...; here we're addressing an additional trust dependency that often arises % in practise as websites monitor the logs. We more or less eliminate a trusted % party. % 2. ...; i will define this problem in more detail soon, but it's basically % about if I as a log operator provide *YOU* with one append-only list of % certificates and everyone else a different list of append-only certificate, % how would we detect that I'm misbehaving and telling you different things? % We propose "gossip mechanisms" that address this problem. % 3. ...; the short summary is that we show how to gradually add certificate % transparency in Tor Browser. The full design does not place any trust in CT % logs that isn't verified. We also explore how onion services - those sites % that are only available through the Tor network - can benefit from CT: % 4. ...; here we introduce the security abstraction of a website oracle. If % you're familiar with cryptography it's much like an enc/dec oracle, except % that it is tailor for evaluation of website fingerprinting attacks. It % helps us model how the protocols used during website visits can make WF % attacks more reliable by significantly reducing false positives. We discuss % many ways to gain access to our security abstraction in the real world, such % as volunteering to operate a certificate transparency log, but also focus on % lower-cost attacks. This brings me to the next contribution. % 5. ...; the gist is that I can, on my laptop from my spotty wifi, implement a % real-world website oracle with high accuracy using side-channels in DNS. As % this is a serious threat to the anonymity provided by Tor, we also proposed % a defense that would eliminate the entire side-channel if deployed. % % \begin{frame} \mktitle{Contributions} \begin{tikzpicture}[remember picture,overlay] \node[anchor=north east, xshift=2pt] (n1) at (current page.north east) {\textbf{RQ3:} ``exploit protocols for deanonymization''}; \node[left=0pt of n1] (n2) {\textbf{RQ2:} ``CT+Tor''}; \node[left=0pt of n2] (n3) {\textbf{RQ1:} ``less trust reqs in CT''}; \end{tikzpicture} \begin{columns} \begin{column}{.56\textwidth} \begin{enumerate} \item<2-> Reduced trust in third-party monitoring %with a signed tree head extension that shifts trust from %non-cryptographic certificate notifications to a log's gossip-audit %model (or if such a model does not exist yet, the logs themselves). \item<3-> Increased probability of split-view detection %by proposing gossip protocols that disseminate signed tree heads %without bidirectional communication. \item<4-> Improved detectability of website hijacks targeting Tor Browser %by proposing privacy-preserving and gradual roll-outs of Certificate %Transparency in Tor. \item<5-> An extension of the attacker model for website fingerprinting %that provides attackers with the capability of querying a website %oracle. \item<6-> Remotely-exploitable probing-attacks on Tor's DNS cache %instantiate a real-world website oracle without any special attacker %capabilities or reach. \item<7-> A redesign of Tor's DNS cache to defend against all (timeless) timing attacks %while retaining or improving performance compared to today. \end{enumerate} \end{column} \begin{column}{.5\textwidth} % Mention two two blog posts % Mention two papers with merged Tor code (bug fixes / mitigations) \centering\includegraphics[width=\columnwidth]{img/overview/thesis}\\\vspace{.33cm} \end{column} \end{columns} \end{frame} \begin{frame} \mktitle{C1: Reduced trust in third-party monitoring} \begin{columns} \begin{column}{0.5\textwidth} \centering\includegraphics[width=\columnwidth]{img/contribs/lwm-problem}\\\vspace{0.33cm} \textbf{Problem} \end{column} \pause\dashedline \begin{column}{0.35\textwidth} \centering\includegraphics[width=.95\columnwidth]{img/contribs/lwm-solution}\\\vspace{0.33cm} \textbf{Solution} \end{column} \end{columns} % % Merkle town: ~250.000 new certs/hour (May 2023), assume all of them in every % log and a tree head frequency of one hours as specified in the paper. There % are 17 logs to monitor (May, 2023). We need two audit paths per log. % % >>> 2 * log(250000, 2) * 32 * 17 / (1024) % 19.052291604906934 % % So, the overhead per LWM subject is roughly 19KiB per day. The 10Mbps for % self-monitoring is based on real bandwidth monitoring (from sauteed onions). % % (Times num logs.) % \pause\vfill\alert{Secure in multi-instance setting, small performance overhead} \end{frame} % % The split-view problem can be defined as follows... % We propose two approaches towards the split-view problem in the thesis. % % The first one plugs into CT-over-DNS; at the time of writing paper -> was % being deployed by Chrome. The idea is to interact with the logs to verify % that a certificate is included by fetching proofs through your DNS resolver. % This effectively makes DNS into a proxy for communicating with the logs, % which is not an additional privacy leak because you have already revealed % to your DNS resolver which website your visiting when looking up a domain % name. Our observation is that if plaintext DNS traffic is used to interact % with the logs, then intermediate routers and switches on the internet are % in a position to verify if the users that share the same vantage points see % the same append-only logs, notably without the users having to do any of % the split-view detection because its provided as a service by the network. % Exactly about how we implemented and evaluated this is available in the % thesis. % % The second one \begin{frame} \mktitle{C2: Increased probability of split-view detection} \begin{columns} \begin{column}{0.323\textwidth} \vspace{1.112cm} \centering\includegraphics[width=\columnwidth]{img/contribs/split-view}\\ \vspace{1.112cm} \textbf{Problem} \end{column} \pause\dashedline \begin{column}{0.323\textwidth} \vspace{1.112cm} \centering\includegraphics[width=\columnwidth]{img/contribs/ctga-intuition}\\ \vspace{1.112cm} \textbf{Solution (1/2)} \end{column} %\pause\dashedline %\begin{column}{0.323\textwidth} % \centering\includegraphics[width=\columnwidth]{img/contribs/ctga-gossip}\\ % \textbf{Solution} %\end{column} \pause\dashedline \begin{column}{0.323\textwidth} \centering\includegraphics[width=\columnwidth]{img/contribs/ctor-gossip}\\ \textbf{Solution (2/2)} \end{column} \end{columns} %\pause\vfill\alert{Aggregation indistinguishability, incremental roll-out measurements} \end{frame} %\begin{frame} % \mktitle{C2: Increased probability of split-view detection} % % \begin{columns} % \begin{column}{0.323\textwidth} % \vspace{1.15cm} % \centering\includegraphics[width=\columnwidth]{img/contribs/split-view}\\ % \vspace{1.15cm} % \textbf{Problem} % \end{column} % % \dashedline % \begin{column}{0.323\textwidth} % \vspace{1.15cm} % \centering\includegraphics[width=\columnwidth]{img/contribs/ctor-setting}\\ % \vspace{1.15cm} % \textbf{Setting} % \end{column} % % \pause\dashedline % \begin{column}{0.323\textwidth} % \centering\includegraphics[width=\columnwidth]{img/contribs/ctor-gossip}\\ % \textbf{Solution} % \end{column} % \end{columns} % %\end{frame} \begin{frame} \mktitle{C3: Improved detectability of website hijacks targeting Tor Browser} \begin{columns} \begin{column}{.485\textwidth} \centering\includegraphics[width=.8\columnwidth]{img/contribs/ctor-full}\\\vspace{.33cm} \textbf{Solution (continued)} \end{column} \pause\dashedline \begin{column}{.485\textwidth} Attacker capabilities \begin{itemize} \item Vanilla Tor Browser threat model \item Plus zero-day on Tor Browser \item Plus operates enough logs \end{itemize} \pause\vspace{.33cm} Security \begin{itemize} \item Break any of the four phases \item ``Break'' must go unnoticed \end{itemize} \end{column} \end{columns} \pause\vfill\alert{Gradual roll out, also use-cases relating to onion services} %\pause\vfill\alert{Small performance overhead, incremental roll-out plan} \end{frame} %\begin{frame} % \mktitle{Onion address discovery benefits from transparency as well (C3)} % % \begin{tikzpicture}[remember picture,overlay] % \node[anchor=north] (n1) at (current page.north) {\tiny{\texttt{cyigahm4clwlimo6mfl4yjie5fwfbhlbuag57xo3kimk6invht6ffrad.onion}}}; % \end{tikzpicture} % % \pause % \begin{columns} % \begin{column}{0.67\textwidth} % \begin{itemize} % \item What is the onion address of example.com? % \pause\item What onion addresses are discovered for my site? % \pause\item Sounds familiar? % \end{itemize} % \end{column} % % \pause\dashedline % \begin{column}{0.33\textwidth} % \centering % \includegraphics[width=.5\columnwidth]{img/contribs/sauteed-cert}\\ % \textbf{Extend certificate} % \end{column} % \end{columns} % % \pause\vfill\alert{One view of domain names to onion addresses, forward censorship resistance} %\end{frame} % % Kom ihåg att nämna website oracle "as a security abstraction", referens för andra % \begin{frame} \mktitle{C4: An extension of the attacker model for website fingerprinting} \begin{columns} \begin{column}{0.59\textwidth} \centering\includegraphics[width=\columnwidth]{img/contribs/wfwo-setting}\\ \end{column} \pause\dashedline \begin{column}{.49\textwidth} \begin{itemize} \item Smaller destination anonymity set \pause\item Eliminates most false positives for Alexa top-10k and beyond \pause\item Gaining access to a website oracle? \end{itemize} \end{column} \end{columns} \pause\vfill\alert{Certificate Transaprency logs, Certificate Authorities, ...} \end{frame} \begin{frame} \mktitle{C5: Remotely-exploitable probing-attacks on Tor's DNS cache} \begin{columns} \begin{column}{0.49\textwidth} \centering\includegraphics[width=\columnwidth]{img/contribs/dns-timing}\\\vspace{.33cm} \textbf{Timing attack} \end{column} \pause\dashedline \begin{column}{0.49\textwidth} \vspace{.5cm} \centering\includegraphics[width=\columnwidth]{img/contribs/tlwo-uncached}\\\vspace{.83cm} \textbf{Timeless timing attack} \end{column} \end{columns} % % Timing, 17.3\% TPR % - Google DNS? 16.8\%\\ % - Cloudflare DNS? 7.4\%\\ % % Timeless % Type & Got uncached & Got cached & Failures \\ % Uncached & $6,034,779$ & $0$ & $2,858$ \\ % Cached & $0$ & $6,034,594$ & $142$ \\ % \pause\vfill\alert{12M repetitions in the live Tor network, fully reliable attack prototype} \end{frame} \begin{frame} \mktitle{C6: A redesign of Tor's DNS cache to\\defend against all (timeless) timing attacks} \begin{columns} \begin{column}{0.49\textwidth} \centering\includegraphics[width=\columnwidth]{img/contribs/tlwo-preload}\\\vspace{.33cm} \textbf{Preloaded DNS cache} \end{column} \pause\dashedline \begin{column}{0.44\textwidth} \centering\includegraphics[width=\columnwidth]{img/contribs/tlwo-heatmap-web} \end{column} \end{columns} \end{frame} \begin{frame} \mktitle{Summary of research methods} \begin{columns} \begin{column}{0.25\textwidth} \centering\includegraphics[width=\columnwidth]{img/take-away/methods-proofs}\\ Threat modelling, proof sketching \end{column} \begin{column}{0.25\textwidth} \centering\includegraphics[width=\columnwidth]{img/take-away/methods-measurements}\\ Real-world measurements \end{column} \begin{column}{0.25\textwidth} \centering\includegraphics[width=\columnwidth]{img/take-away/methods-simulation}\\ Network simulation\\ \, \end{column} \begin{column}{0.25\textwidth} \centering\includegraphics[width=\columnwidth]{img/take-away/methods-prototyping}\\ Prototyping and evaluation \end{column} \end{columns} \end{frame} \subtitle{Take away} \begin{frame} \vfill \begin{columns} \begin{column}{.75\textwidth} \mktitle{Take away} \vspace{.33cm} \begin{itemize} \item Trust requirements can be reduced wrt.\ monitors and logs \item Certificate Transparency can work in Tor Browser's setting \item The website fingerprinting threat model could be stronger \item ``On...'' \end{itemize} \end{column} \begin{column}{.35\textwidth} \centering\includegraphics[width=\columnwidth]{img/take-away/take-away} \end{column} \end{columns} \end{frame} %%% % Thanks %%% \subtitle{Collaborators and funders} \begin{frame} \vfill \centering\includegraphics[width=.7\textwidth]{img/thanks} \end{frame}