%%%
% Certificate transparency
%%%

% RFCs that specify Certificate Transparency.
@techreport{rfc6962,
  author      = {Ben Laurie and Adam Langley and Emilia Kasper},
  title       = {{Certificate Transparency}},
  number      = {6962},
  type        = {RFC},
  institution = {IETF},
  year        = {2013},
  url         = {https://tools.ietf.org/html/rfc6962},
}

@techreport{rfc9162,
  author      = {Ben Laurie and Eran Messeri and Rob Stradling},
  title       = {{Certificate Transparency} Version 2.0},
  number      = {9162},
  type        = {RFC},
  institution = {IETF},
  year        = {2021},
  url         = {https://tools.ietf.org/html/rfc9162},
}

% Web resources: the URL and access date are kept together in howpublished.
@misc{google-log-policy,
  author       = {{Google LLC.}},
  title        = {{Certificate Transparency} in {Chrome}},
  howpublished = {\url{https://googlechrome.github.io/CertificateTransparency/ct_policy.html}, accessed 2023-04-30},
}

@misc{apple-log-policy,
  author       = {{Apple Inc.}},
  title        = {Apple's {Certificate Transparency} Policy},
  howpublished = {\url{https://support.apple.com/en-us/HT205280}, accessed 2023-04-30},
}

@misc{ct-monitors,
  author       = {{Google LLC.}},
  title        = {The list of existing monitors},
  howpublished = {\url{https://certificate.transparency.dev/monitors/}, accessed 2023-04-30},
}

@misc{sslmate-history,
  author       = {{SSLMate Inc.}},
  title        = {Timeline of Certificate Authority Failures},
  howpublished = {\url{https://sslmate.com/resources/certificate_authority_failures}, accessed 2023-04-30},
}

@misc{merkle-intro,
  author       = {Rasmus Dahlberg},
  title        = {Transparency log preliminaries},
  howpublished = {\url{https://gitlab.torproject.org/rgdd/ct/-/blob/main/doc/tlog-preliminaries.md}, accessed 2023-04-30},
}

@article{ct,
  author  = {Ben Laurie},
  title   = {{Certificate Transparency}},
  journal = {CACM},
  volume  = {57},
  number  = {10},
  year    = {2014},
}

% NOTE(review): the last four names may be the magazine's department editors
% rather than authors of the article; verify against the published version.
@article{ct-history,
  author  = {Emily Stark and Joe DeBlasio and Devon O'Brien and Davide Balzarotti and William Enck and Samuel King and Angelos Stavrou},
  title   = {{Certificate Transparency} in {Google Chrome}: Past, Present, and Future},
  journal = {{IEEE} {S\&P}},
  volume  = {19},
  number  = {6},
  year    = {2021},
}
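% NOTE(review): the PETS article entries in this file carry the year only in
% the volume field; standard styles warn about a missing year. Confirm that
% this is intended for the bibliography style in use.
@article{sok-sct-auditing,
  author  = {Sarah Meiklejohn and Joe DeBlasio and Devon O'Brien and Chris Thompson and Kevin Yeo and Emily Stark},
  title   = {{SoK}: {SCT} Auditing in {Certificate Transparency}},
  journal = {PETS},
  volume  = {2022},
  number  = {3},
}

@inproceedings{does-ct-break-the-web,
  author    = {Emily Stark and Ryan Sleevi and Rijad Muminovic and Devon O'Brien and Eran Messeri and Adrienne Porter Felt and Brendan McMillion and Parisa Tabriz},
  title     = {Does {Certificate Transparency} Break the Web? {Measuring} Adoption and Error Rate},
  booktitle = {IEEE S\&P},
  year      = {2019},
}

@inproceedings{ct-formal,
  author    = {Benjamin Dowling and Felix G{\"{u}}nther and Udyani Herath and Douglas Stebila},
  title     = {Secure Logging Schemes and {Certificate Transparency}},
  booktitle = {ESORICS},
  year      = {2016},
}

@techreport{nordberg,
  author      = {Linus Nordberg and Daniel Kahn Gillmor and Tom Ritter},
  title       = {Gossiping in {CT}},
  number      = {draft-ietf-trans-gossip-05},
  type        = {Internet-draft},
  institution = {IETF},
  year        = {2018},
  url         = {https://tools.ietf.org/html/draft-ietf-trans-gossip-05},
}

@inproceedings{chuat,
  author    = {Laurent Chuat and Pawel Szalachowski and Adrian Perrig and Ben Laurie and Eran Messeri},
  title     = {Efficient Gossip Protocols for Verifying the Consistency of Certificate Logs},
  booktitle = {CNS},
  year      = {2015},
}

@inproceedings{gunn,
  author    = {Lachlan J. Gunn and Andrew Allison and Derek Abbott},
  title     = {Safety in Numbers: Anonymization Makes Keyservers Trustworthy},
  booktitle = {HotPETs},
  year      = {2017},
}

@article{hof,
  author  = {Benjamin Hof and Georg Carle},
  title   = {Software Distribution Transparency and Auditability},
  journal = {CoRR},
  volume  = {abs/1711.07278},
  year    = {2017},
}

% Straight double quotes in the title replaced by TeX quote ligatures.
@inproceedings{syta,
  author    = {Ewa Syta and Iulia Tamas and Dylan Visher and David Isaac Wolinsky and Philipp Jovanovic and Linus Gasser and Nicolas Gailly and Ismail Khoffi and Bryan Ford},
  title     = {Keeping Authorities ``Honest or Bust'' with Decentralized Witness Cosigning},
  booktitle = {IEEE S\&P},
  year      = {2016},
}

@article{trustfabric-arxiv,
  author  = {Sarah Meiklejohn and Pavel Kalinnikov and Cindy S. Lin and Martin Hutchinson and Gary Belvin and Mariana Raykova and Al Cutter},
  title   = {Think Global, Act Local: Gossip and Client Audits in Verifiable Data Structures},
  journal = {CoRR},
  volume  = {abs/2011.04551},
  year    = {2020},
}

% Organisation names are double-braced so they are not split into
% first and last name parts (same convention as the other corporate authors).
@misc{sigsum-witness,
  author       = {{Sigsum Project Contributors}},
  title        = {Witness {API} v0},
  howpublished = {\url{https://git.glasklar.is/sigsum/project/documentation/-/blob/main/witness.md}, accessed 2023-04-30},
}

@inproceedings{parakeet,
  author    = {Harjasleen Malvai and Lefteris Kokoris{-}Kogias and Alberto Sonnino and Esha Ghosh and Ercan Ozt{\"{u}}rk and Kevin Lewi and Sean F. Lawlor},
  title     = {Parakeet: Practical Key Transparency for End-to-End Encrypted Messaging},
  booktitle = {{NDSS}},
  year      = {2023},
}

@article{dirksen,
  author  = {Alexandra Dirksen and David Klein and Robert Michael and Tilman Stehr and Konrad Rieck and Martin Johns},
  title   = {{LogPicker}: Strengthening {Certificate Transparency} Against Covert Adversaries},
  journal = {PETS},
  volume  = {2021},
  number  = {4},
}

@misc{ct-over-dns,
  author       = {Ben Laurie},
  title        = {{Certificate Transparency} over {DNS}},
  howpublished = {\url{https://github.com/google/certificate-transparency-rfcs/blob/master/dns/draft-ct-over-dns.md}, accessed 2023-04-30},
}

@inproceedings{lueks,
  author    = {Wouter Lueks and Ian Goldberg},
  title     = {Sublinear Scaling for Multi-Client Private Information Retrieval},
  booktitle = {FC},
  year      = {2015},
}

@inproceedings{kales,
  author    = {Daniel Kales and Olamide Omolola and Sebastian Ramacher},
  title     = {Revisiting User Privacy for {Certificate Transparency}},
  booktitle = {IEEE EuroS\&P},
  year      = {2019},
}

@inproceedings{henzinger,
  author    = {Alexandra Henzinger and Matthew M. Hong and Henry Corrigan-Gibbs and Sarah Meiklejohn and Vinod Vaikuntanathan},
  title     = {One Server for the Price of Two: Simple and Fast Single-Server Private Information Retrieval},
  booktitle = {{USENIX Security}},
  year      = {2023},
}

@inproceedings{chase,
  author    = {Melissa Chase and Sarah Meiklejohn},
  title     = {Transparency Overlays and Applications},
  booktitle = {CCS},
  year      = {2016},
}

@article{eskandarian,
  author  = {Saba Eskandarian and Eran Messeri and Joseph Bonneau and Dan Boneh},
  title   = {{Certificate Transparency} with Privacy},
  journal = {PETS},
  volume  = {2017},
  number  = {4},
}

@misc{opt-in-sct-auditing,
  author       = {Emily Stark and Chris Thompson},
  title        = {Opt-in {SCT} Auditing},
  howpublished = {\url{https://docs.google.com/document/d/1G1Jy8LJgSqJ-B673GnTYIG4b7XRw2ZLtvvSlrqFcl4A/edit}, accessed 2023-04-30},
}

@misc{opt-out-sct-auditing,
  author       = {Joe DeBlasio},
  title        = {Opt-out {SCT} Auditing in {Chrome}},
  howpublished = {\url{https://docs.google.com/document/d/16G-Q7iN3kB46GSW5b-sfH5MO3nKSYyEb77YsM7TMZGE/edit}, accessed 2023-04-30},
}

@misc{sth-push,
  author       = {Ryan Sleevi and Eran Messeri},
  title        = {{Certificate Transparency} in {Chrome}: Monitoring {CT} Logs consistency},
  howpublished = {\url{https://docs.google.com/document/d/1FP5J5Sfsg0OR9P4YT0q1dM02iavhi8ix1mZlZe_z-ls/edit?pref=2&pli=1}, accessed 2023-04-30},
}

@misc{crt.sh,
  author       = {{Sectigo Limited}},
  title        = {{crt.sh}: certificate search},
  howpublished = {\url{https://github.com/crtsh}, accessed 2023-04-30},
}

@misc{certspotter,
  author       = {{SSLMate Inc.}},
  title        = {Cert Spotter---{Certificate Transparency} Monitor},
  howpublished = {\url{https://github.com/SSLMate/certspotter}, accessed 2023-04-30},
}

@misc{vds,
  author       = {Adam Eijdenberg and Ben Laurie and Al Cutter},
  title        = {Verifiable Data Structures},
  howpublished = {\url{https://github.com/google/trillian/blob/master/docs/papers/VerifiableDataStructures.pdf}, accessed 2023-04-30},
}

@inproceedings{coniks,
  author    = {Marcela S. Melara and Aaron Blankstein and Joseph Bonneau and Edward W. Felten and Michael J. Freedman},
  title     = {{CONIKS:} Bringing Key Transparency to End Users},
  booktitle = {{USENIX} Security},
  year      = {2015},
}

@inproceedings{tomescu,
  author    = {Alin Tomescu and Vivek Bhupatiraju and Dimitrios Papadopoulos and Charalampos Papamanthou and Nikos Triandopoulos and Srinivas Devadas},
  title     = {Transparency Logs via Append-Only Authenticated Dictionaries},
  booktitle = {{CCS}},
  year      = {2019},
}

@inproceedings{li,
  author    = {Bingyu Li and Jingqiang Lin and Fengjun Li and Qiongxiao Wang and Qi Li and Jiwu Jing and Congli Wang},
  title     = {{Certificate Transparency} in the Wild: Exploring the Reliability of Monitors},
  booktitle = {{CCS}},
  year      = {2019},
}

@misc{ayer-on-li,
  author       = {Andrew Ayer},
  title        = {Reliability of Monitors | Mitigations},
  howpublished = {\url{https://groups.google.com/a/chromium.org/g/ct-policy/c/zCtQrn_7QK8}, accessed 2023-04-30},
}

@misc{cloudflare-scts,
  author       = {Nick Sullivan},
  title        = {Understanding use-cases for {SCTs} delivered via {OCSP} stapling for {TLS} extension},
  howpublished = {\url{https://groups.google.com/a/chromium.org/g/ct-policy/c/WX6iZt7uJBs}, accessed 2023-04-30},
}

% Log incident reports from the ct-policy list.
@misc{izenpe-err,
  author       = {Ryan Sleevi},
  title        = {Upcoming {CT} Log Removal: {Izenpe}},
  howpublished = {\url{https://groups.google.com/a/chromium.org/forum/#!topic/ct-policy/qOorKuhL1vA}, accessed 2023-04-30},
}

@misc{venafi-err,
  author       = {Ryan Sleevi},
  title        = {Upcoming Log Removal: {Venafi CT} Log Server},
  howpublished = {\url{https://groups.google.com/a/chromium.org/forum/#!topic/ct-policy/KMAcNT3asTQ}, accessed 2023-04-30},
}

@misc{trustasia-err,
  author       = {Andrew Ayer},
  title        = {{Trust Asia} 2021 has produced inconsistent {STHs}},
  howpublished = {\url{https://groups.google.com/a/chromium.org/g/ct-policy/c/VJaSg717m9g}, accessed 2023-04-30},
}

@misc{google-err,
  author       = {Paul Hadfield},
  title        = {Google {Aviator} incident under investigation},
  howpublished = {\url{https://groups.google.com/a/chromium.org/g/ct-policy/c/ZZf3iryLgCo/m/mi-4ViMiCAAJ}, accessed 2023-04-30},
}

% A stray extra closing brace after howpublished ended this entry early and
% left unbalanced text behind it; the braces are balanced again here.
@misc{starcom-err,
  author       = {Ryan Sleevi},
  title        = {{StartCom} Log misbehaving: Failure to incorporate {SCTs}},
  howpublished = {\url{https://groups.google.com/a/chromium.org/g/ct-policy/c/92HIh2vG6GA/m/hBEHxcpoCgAJ}, accessed 2023-04-30},
}

@misc{wosign-err,
  author       = {Graham Edgecombe},
  title        = {{WoSign} log failure to incorporate entry within the {MMD}},
  howpublished = {\url{https://groups.google.com/a/chromium.org/g/ct-policy/c/-eV4Xe8toVk/m/pC5gSjJKCwAJ}, accessed 2023-04-30},
}

@misc{digicert-err,
  author       = {Andrew Ayer},
  title        = {Retiring {DigiCert} Log Server (aka {``CT1''}) in {Chrome}},
  howpublished = {\url{https://groups.google.com/a/chromium.org/g/ct-policy/c/P5aj4JEBFPM/m/9AEcvY01EQAJ}, accessed 2023-04-30},
}

@misc{digicert-kc,
  author       = {Jeremy Rowley},
  title        = {{CT2} Log Compromised via {Salt} Vulnerability},
  howpublished = {\url{https://groups.google.com/a/chromium.org/forum/#!topic/ct-policy/aKNbZuJzwfM}, accessed 2023-04-30},
}

%%%
% Tor and traffic analysis
%%%

% NOTE(review): this access date is 2022-04-30 while the rest of the file
% uses 2023-04-30; confirm which one is meant.
@misc{tpo,
  author       = {{Tor Project}},
  title        = {Browse Privately. {Explore} Freely. {Defend} yourself against tracking and surveillance. {Circumvent} censorship.},
  howpublished = {\url{https://www.torproject.org/}, accessed 2022-04-30},
}

@inproceedings{tor,
  author    = {Roger Dingledine and Nick Mathewson and Paul F. Syverson},
  title     = {Tor: The Second-Generation Onion Router},
  booktitle = {{USENIX Security}},
  year      = {2004},
}

@misc{tb,
  author       = {Mike Perry and Erinn Clark and Steven Murdoch and Georg Koppen},
  title        = {The Design and Implementation of the {Tor Browser [DRAFT]}},
  howpublished = {\url{https://2019.www.torproject.org/projects/torbrowser/design/}, accessed 2023-04-30},
}

@inproceedings{mani,
  author    = {Akshaya Mani and T. Wilson{-}Brown and Rob Jansen and Aaron Johnson and Micah Sherr},
  title     = {Understanding {Tor} Usage with Privacy-Preserving Measurement},
  booktitle = {{IMC}},
  year      = {2018},
}

@inproceedings{johnson13,
  author    = {Aaron Johnson and Chris Wacek and Rob Jansen and Micah Sherr and Paul F. Syverson},
  title     = {Users get routed: traffic correlation on {Tor} by realistic adversaries},
  booktitle = {{CCS}},
  year      = {2013},
}

@inproceedings{nasr18,
  author    = {Milad Nasr and Alireza Bahramali and Amir Houmansadr},
  title     = {{DeepCorr}: Strong Flow Correlation Attacks on {Tor} Using Deep Learning},
  booktitle = {{CCS}},
  year      = {2018},
}

@article{rimmer22,
  author  = {Vera Rimmer and Theodor Schnitzler and Tom van Goethem and Abel Rodr{\'{\i}}guez Romero and Wouter Joosen and Katharina Kohls},
  title   = {Trace Oddity: Methodologies for Data-Driven Traffic Analysis on {Tor}},
  journal = {PETS},
  volume  = {2022},
  number  = {3},
}

@inproceedings{oh22,
  author    = {Se Eun Oh and Taiji Yang and Nate Mathews and James K. Holland and Mohammad Saidur Rahman and Nicholas Hopper and Matthew Wright},
  title     = {{DeepCoFFEA}: Improved Flow Correlation Attacks on {Tor} via Metric Learning and Amplification},
  booktitle = {{IEEE} {S\&P}},
  year      = {2022},
}

@article{cheng98,
  author  = {Cheng, Heyning and Avnur, Ron},
  title   = {Traffic analysis of {SSL} encrypted web browsing},
  journal = {Project paper, University of Berkeley},
  year    = {1998},
}

@inproceedings{herrmann09,
  author    = {Dominik Herrmann and Rolf Wendolsky and Hannes Federrath},
  title     = {Website fingerprinting: attacking popular privacy enhancing technologies with the multinomial na{\"{\i}}ve-bayes classifier},
  booktitle = {{CCSW}},
  year      = {2009},
}

@inproceedings{hintz02,
  author    = {Andrew Hintz},
  title     = {Fingerprinting Websites Using Traffic Analysis},
  booktitle = {{PETS}},
  year      = {2002},
}

@inproceedings{liberatore06,
  author    = {Marc Liberatore and Brian Neil Levine},
  title     = {Inferring the source of encrypted {HTTP} connections},
  booktitle = {{CCS}},
  year      = {2006},
}

@inproceedings{panchenko11,
  author    = {Andriy Panchenko and Lukas Niessen and Andreas Zinnen and Thomas Engel},
  title     = {Website fingerprinting in onion routing based anonymization networks},
  booktitle = {{WPES}},
  year      = {2011},
}

@inproceedings{sun02,
  author    = {Qixiang Sun and Daniel R. Simon and Yi{-}Min Wang and Wilf Russell and Venkata N. Padmanabhan and Lili Qiu},
  title     = {Statistical Identification of Encrypted Web Browsing Traffic},
  booktitle = {{IEEE S\&P}},
  year      = {2002},
}

@inproceedings{juarez14,
  author    = {Marc Ju{\'{a}}rez and Sadia Afroz and Gunes Acar and Claudia D{\'{\i}}az and Rachel Greenstadt},
  title     = {A Critical Evaluation of Website Fingerprinting Attacks},
  booktitle = {{CCS}},
  year      = {2014},
}

@misc{perryCrit,
  author       = {Mike Perry},
  title        = {A Critique of Website Traffic Fingerprinting Attacks},
  howpublished = {\url{https://blog.torproject.org/critique-website-traffic-fingerprinting-attacks}, accessed 2023-04-30},
}

@article{realistic,
  author  = {Tao Wang and Ian Goldberg},
  title   = {On Realistically Attacking {Tor} with Website Fingerprinting},
  journal = {PETS},
  volume  = {2016},
  number  = {4},
}

@inproceedings{onlinewf,
  author    = {Cherubin, Giovanni and Jansen, Rob and Troncoso, Carmela},
  title     = {Online Website Fingerprinting: Evaluating Website Fingerprinting Attacks on {Tor} in the Real World},
  booktitle = {{USENIX Security}},
  year      = {2022},
}

@inproceedings{df,
  author    = {Payap Sirinam and Mohsen Imani and Marc Ju{\'{a}}rez and Matthew Wright},
  title     = {Deep Fingerprinting: Undermining Website Fingerprinting Defenses with Deep Learning},
  booktitle = {{CCS}},
  year      = {2018},
}

@article{tiktok,
  author  = {Mohammad Saidur Rahman and Payap Sirinam and Nate Mathews and Kantha Girish Gangadhara and Matthew Wright},
  title   = {{Tik-Tok}: The Utility of Packet Timing in Website Fingerprinting Attacks},
  journal = {{PETS}},
  volume  = {2020},
  number  = {3},
}

@inproceedings{wfdef,
  author    = {Mathews, Nate and Holland, James K and Oh, Se Eun and Rahman, Mohammad Saidur and Hopper, Nicholas and Wright, Matthew},
  title     = {{SoK}: A Critical Evaluation of Efficient Website Fingerprinting Defenses},
  booktitle = {{IEEE} S{\&}P},
  year      = {2023},
}

@inproceedings{spoiled-onions,
  author    = {Philipp Winter and Richard K{\"{o}}wer and Martin Mulazzani and Markus Huber and Sebastian Schrittwieser and Stefan Lindskog and Edgar R. Weippl},
  title     = {Spoiled Onions: Exposing Malicious {Tor} Exit Relays},
  booktitle = {PETS},
  year      = {2014},
}

@inproceedings{murdoch05,
  author    = {Steven J. Murdoch and George Danezis},
  title     = {Low-Cost Traffic Analysis of {Tor}},
  booktitle = {{IEEE S\&P}},
  year      = {2005},
}

@inproceedings{chakravarty10,
  author    = {Sambuddho Chakravarty and Angelos Stavrou and Angelos D. Keromytis},
  title     = {Traffic Analysis against Low-Latency Anonymity Networks Using Available Bandwidth Estimation},
  booktitle = {{ESORICS}},
  year      = {2010},
}

@inproceedings{mittal11,
  author    = {Prateek Mittal and Ahmed Khurshid and Joshua Juen and Matthew Caesar and Nikita Borisov},
  title     = {Stealthy traffic analysis of low-latency anonymous communication using throughput fingerprinting},
  booktitle = {{CCS}},
  year      = {2011},
}

% Author spelling aligned with the spoiled-onions entry (Philipp Winter).
@inproceedings{greschbach,
  author    = {Benjamin Greschbach and Tobias Pulls and Laura M. Roberts and Philipp Winter and Nick Feamster},
  title     = {The Effect of {DNS} on {Tor}'s Anonymity},
  booktitle = {{NDSS}},
  year      = {2017},
}

@inproceedings{siby20,
  author    = {Sandra Siby and Marc Ju{\'{a}}rez and Claudia D{\'{\i}}az and Narseo Vallina{-}Rodriguez and Carmela Troncoso},
  title     = {Encrypted {DNS} -{\textgreater} Privacy? {A} Traffic Analysis Perspective},
  booktitle = {NDSS},
  year      = {2020},
}

% NOTE(review): standard styles ignore the publisher field on misc entries,
% so the place name below will probably not be printed; confirm.
@misc{anonterm,
  author    = {Pfitzmann, Andreas and Hansen, Marit},
  title     = {A terminology for talking about privacy by data minimization: Anonymity, unlinkability, undetectability, unobservability, pseudonymity, and identity management},
  publisher = {Dresden, Germany},
  year      = {2010},
}

%%%
% Side-channels
%%%

@inproceedings{kocher96,
  author    = {Paul C. Kocher},
  title     = {Timing Attacks on Implementations of {Diffie-Hellman}, {RSA}, {DSS}, and Other Systems},
  booktitle = {{CRYPTO}},
  year      = {1996},
}

@inproceedings{dbrumley03,
  author    = {David Brumley and Dan Boneh},
  title     = {Remote Timing Attacks Are Practical},
  booktitle = {{USENIX} Security},
  year      = {2003},
}

@inproceedings{tsunoo03,
  author    = {Yukiyasu Tsunoo and Teruo Saito and Tomoyasu Suzaki and Maki Shigeri and Hiroshi Miyauchi},
  title     = {Cryptanalysis of {DES} Implemented on Computers with Cache},
  booktitle = {{CHES}},
  year      = {2003},
}

@article{crosby09,
  author  = {Scott A. Crosby and Dan S. Wallach and Rudolf H. Riedi},
  title   = {Opportunities and Limits of Remote Timing Attacks},
  journal = {{ACM} Trans. Inf. Syst. Secur.},
  volume  = {12},
  number  = {3},
  year    = {2009},
}

@inproceedings{bbrumley11,
  author    = {Billy Bob Brumley and Nicola Tuveri},
  title     = {Remote Timing Attacks Are Still Practical},
  booktitle = {{ESORICS}},
  year      = {2011},
}

@article{ge18,
  author  = {Qian Ge and Yuval Yarom and David A. Cock and Gernot Heiser},
  title   = {A survey of microarchitectural timing attacks and countermeasures on contemporary hardware},
  journal = {JCEN},
  volume  = {8},
  number  = {1},
  year    = {2018},
}

@inproceedings{mart21,
  author    = {Macarena C. Mart{\'{\i}}nez{-}Rodr{\'{\i}}guez and Ignacio M. Delgado{-}Lozano and Billy Bob Brumley},
  title     = {{SoK}: Remote Power Analysis},
  booktitle = {{ARES}},
  year      = {2021},
}

@inproceedings{lucky13,
  author    = {Nadhem J. AlFardan and Kenneth G. Paterson},
  title     = {Lucky Thirteen: Breaking the {TLS} and {DTLS} Record Protocols},
  booktitle = {{IEEE} {S\&P}},
  year      = {2013},
}

@inproceedings{heist,
  author    = {Mathy Vanhoef and Tom Van Goethem},
  title     = {{HEIST}: {HTTP} Encrypted Information can be Stolen through {TCP}-windows},
  booktitle = {Black Hat US Briefings},
  year      = {2016},
}

@inproceedings{timeless,
  author    = {Tom van Goethem and Christina P{\"{o}}pper and Wouter Joosen and Mathy Vanhoef},
  title     = {Timeless Timing Attacks: Exploiting Concurrency to Leak Secrets over Remote Connections},
  booktitle = {{USENIX} Security},
  year      = {2020},
}

@inproceedings{wang22,
  author    = {Yingchen Wang and Riccardo Paccagnella and Elizabeth Tang He and Hovav Shacham and Christopher W. Fletcher and David Kohlbrenner},
  title     = {Hertzbleed: Turning Power Side-Channel Attacks Into Remote Timing Attacks on x86},
  booktitle = {{USENIX} Security},
  year      = {2022},
}

%%%
% Research methods
%%%

@inproceedings{sse,
  author    = {Cormac Herley and Paul C. van Oorschot},
  title     = {{SoK}: Science, Security and the Elusive Goal of Security as a Scientific Pursuit},
  booktitle = {{IEEE} {S\&P}},
  year      = {2017},
}

@inproceedings{smics,
  author    = {Dodig-Crnkovic, Gordana},
  title     = {Scientific methods in computer science},
  booktitle = {Proceedings of the Conference for the Promotion of Research in IT at New Universities and at University Colleges in Sk\"{o}vde, Sweden},
  year      = {2002},
}

@article{icss,
  author  = {Denning, Peter J},
  title   = {Is computer science science?},
  journal = {CACM},
  volume  = {48},
  number  = {4},
  year    = {2005},
}

@article{rfenr,
  author  = {Vaibhav Bajpai and Anna Brunstr{\"{o}}m and Anja Feldmann and Wolfgang Kellerer and Aiko Pras and Henning Schulzrinne and Georgios Smaragdakis and Matthias W{\"{a}}hlisch and Klaus Wehrle},
  title   = {The Dagstuhl beginners guide to reproducibility for experimental networking research},
  journal = {CCR},
  volume  = {49},
  number  = {1},
  year    = {2019},
}

% "There are several reasons why definitions are important [...]"
% "[...] focusing their efforts on devising attacks that are outside the model"
@article{secdefs,
  author  = {Neal Koblitz and Alfred Menezes},
  title   = {Another look at security definitions},
  journal = {AMC},
  volume  = {7},
  number  = {1},
  year    = {2013},
}

% §1.1 gives the background of the first reduction proofs / provable security
@article{provsec,
  author  = {Neal Koblitz and Alfred Menezes},
  title   = {Another Look at ``Provable Security''},
  journal = {J. Cryptol.},
  volume  = {20},
  number  = {1},
  year    = {2007},
}

%%%
% Naming of onion services
%%%

@misc{onion-location,
  author       = {{Tor Project}},
  title        = {{Onion-Location}},
  howpublished = {\url{https://community.torproject.org/onion-services/advanced/onion-location/}, accessed 2023-04-30},
}

@misc{kadianakis,
  author       = {George Kadianakis and Yawning Angel and David Goulet},
  title        = {A Name System {API} for {Tor} Onion Services},
  howpublished = {\url{https://gitlab.torproject.org/tpo/core/torspec/-/blob/main/proposals/279-naming-layer-api.txt}, accessed 2023-04-30},
}

@misc{muffet-onions,
  author       = {Alec Muffett},
  title        = {Real-World Onion Sites},
  howpublished = {\url{https://github.com/alecmuffett/real-world-onion-sites}, accessed 2023-04-30},
}

@phdthesis{nurmi,
  author = {Nurmi, Juha},
  title  = {Understanding the Usage of Anonymous Onion Services},
  year   = {2019},
  school = {Tampere University, Finland},
}

@misc{h-e-securedrop,
  author       = {SecureDrop},
  title        = {Getting an Onion Name for Your {SecureDrop}},
  howpublished = {\url{https://securedrop.org/faq/getting-onion-name-your-securedrop/}, accessed 2023-04-30},
}

@article{onio-ns,
  author  = {Jesse Victors and Ming Li and Xinwen Fu},
  title   = {The Onion Name System},
  journal = {PETS},
  volume  = {2017},
  number  = {1},
}

%%%
% Other
%%%

@inproceedings{le,
  author    = {Josh Aas and Richard Barnes and Benton Case and Zakir Durumeric and Peter Eckersley and Alan Flores{-}L{\'{o}}pez and J. Alex Halderman and Jacob Hoffman{-}Andrews and James Kasten and Eric Rescorla and Seth D. Schoen and Brad Warren},
  title     = {{Let's Encrypt}: An Automated Certificate Authority to Encrypt the Entire Web},
  booktitle = {{CCS}},
  year      = {2019},
}

@inproceedings{sok-https,
  author    = {Jeremy Clark and Paul C. van Oorschot},
  title     = {{SoK}: {SSL} and {HTTPS:} Revisiting Past Challenges and Evaluating Certificate Trust Model Enhancements},
  booktitle = {{IEEE} {S\&P}},
  year      = {2013},
}

@inproceedings{browser-ui,
  author    = {Emanuel von Zezschwitz and Serena Chen and Emily Stark},
  title     = {``{It} builds trust with the customers''---Exploring User Perceptions of the Padlock Icon in Browser {UI}},
  booktitle = {{IEEE} SPW},
  year      = {2022},
}

@article{tls-timeline,
  author  = {Ralph Holz and Jens Hiller and Johanna Amann and Abbas Razaghpanah and Thomas Jost and Narseo Vallina{-}Rodriguez and Oliver Hohlfeld},
  title   = {Tracking the deployment of {TLS} 1.3 on the web: a story of experimentation and centralization},
  journal = {CCR},
  volume  = {50},
  number  = {3},
  year    = {2020},
}

@misc{mls,
  author       = {Nick Sullivan and Sean Turner},
  title        = {Messaging Layer Security: Secure and Usable End-to-End Encryption},
  howpublished = {\url{https://www.ietf.org/blog/mls-secure-and-usable-end-to-end-encryption/}, accessed 2023-04-30},
}

% The mixed-case name is brace-protected so sentence-casing styles keep it.
@inproceedings{wireguard,
  author    = {Jason A. Donenfeld},
  title     = {{WireGuard}: Next Generation Kernel Network Tunnel},
  booktitle = {{NDSS}},
  year      = {2017},
}

% The link is stored in url, as in the other RFC entries of this file.
@techreport{rfc8484,
  author      = {Paul Hoffman and Patrick McManus},
  title       = {{DNS} Queries over {HTTPS} ({DoH})},
  number      = {8484},
  type        = {RFC},
  institution = {IETF},
  year        = {2018},
  url         = {https://tools.ietf.org/html/rfc8484},
}

@misc{zerodium,
  author       = {{Zerodium}},
  title        = {We pay big bounties},
  howpublished = {\url{https://zerodium.com/}, accessed 2023-04-30},
}

% The non-ASCII hyphen in the title is replaced by a plain ASCII hyphen.
@misc{ca/b,
  author       = {{CA/Browser Forum}},
  title        = {Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates},
  howpublished = {\url{https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-1.8.7.pdf}, accessed 2023-04-30},
}

@misc{crt:www.example.com,
  author       = {{Sectigo Limited}},
  title        = {crt.sh: certificate search {ID = '8913351873'}},
  howpublished = {\url{https://crt.sh/?id=8913351873}, accessed 2023-04-30},
}

@inproceedings{merkle,
  author    = {Ralph C. Merkle},
  title     = {A Digital Signature Based on a Conventional Encryption Function},
  booktitle = {{CRYPTO}},
  year      = {1987},
}

@inproceedings{history-trees,
  author    = {Scott A. Crosby and Dan S. Wallach},
  title     = {Efficient Data Structures For Tamper-Evident Logging},
  booktitle = {{USENIX} Security},
  year      = {2009},
}

@techreport{black-tulip,
  author      = {Hans Hoogstraaten},
  title       = {Black Tulip---Report of the investigation into the {DigiNotar} Certificate Authority breach},
  institution = {Fox-IT},
  year        = {2012},
}

@inproceedings{bambo-cas,
  author    = {Henry Birge{-}Lee and Yixin Sun and Anne Edmundson and Jennifer Rexford and Prateek Mittal},
  title     = {Bamboozling Certificate Authorities with {BGP}},
  booktitle = {{USENIX Security}},
  year      = {2018},
}

@article{rtb,
  author  = {Jun Wang and Weinan Zhang and Shuai Yuan},
  title   = {Display Advertising with Real-Time Bidding {(RTB)} and Behavioural Targeting},
  journal = {Foundations and Trends in Information Retrieval},
  year    = {2017},
}

% The url previously pointed at rfc2560 while number, year and authors
% describe RFC 6960; the link now matches the cited document.
@techreport{ocsp,
  author      = {Santesson, Stefan and Myers, Michael and Ankney, Rich and Malpani, Ambarish and Galperin, Slava and Adams, Carlisle},
  title       = {X.509 {Internet} Public Key Infrastructure Online Certificate Status Protocol---{OCSP}},
  number      = {6960},
  type        = {RFC},
  institution = {IETF},
  year        = {2013},
  url         = {https://tools.ietf.org/html/rfc6960},
}

@misc{trsb,
  author       = {{Tor Project}},
  title        = {Research Safety Board},
  howpublished = {\url{https://research.torproject.org/safetyboard/}, accessed 2023-04-30},
}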