NeTS-ANET: SSL Misuse, Web Bugs, and Open Redirects: Prevalence, Implications, and Defense

NeTS-ANET：SSL 滥用、Web 错误和开放重定向：普遍性、影响和防御

• 批准号: 0831988
• 负责人: Minaxi Gupta
• 金额: $ 10.01万
• 依托单位: Indiana University
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2008
• 资助国家: 美国
• 起止时间: 2008-09-01 至 2010-08-31
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=0831988&HistoricalAwards=false
• 关键词: NeTS; ANET; SSL; Misuse; Web

Very little research exists in understanding the risks to users of powerful web features, as seen from a user-centric point of view. This project seeks to fill this void by creating a framework for this understanding by studying three classes of known (and urgent) threat: misuses of secure socket layer (SSL), web bugs (a technique for spying on the user of web page), and open redirects (a technique for transferring the user to a different web page perhaps without detection). These are costly and urgent current threats; results of preliminary research were presented at the USENIX 2008 Workshop on Offensive Technologies and an article in the Washington Post on July 16, 2008 reported on this paper. The project envisions the three specific problems as representing three major classes of the users' web risks and thus leading to a user-centric security framework. The broad research activities include: 1. Measurement: through a combination of active Web crawling and passive observation, the research is quantifying the nature and extent of the three threats, and in the process developing techniques for accurately identifying their occurrences. 2. User-centric correlation studies: When multiple web sites subscribe to the same web bug hosting company, that (malicious) company can track user behavior across multiple sites. This is one example of a correlation threat. The project also studies the correlated threats to user security and privacy. The broader impacts of the project include:1. User security and privacy on the Web: The project advances a user-centric view of security and privacy on the Web. This is a current and urgent social need. The research group has already developed several user-side tools that help prevent or at least reveal problem, and it will continue to develop and publish these to the public domain. 2. Open access to data: crawling the Web is very resource intensive and few sources make this data publicly available. The group makes its data available to the research community.

从以用户为中心的角度来看，很少有研究了解强大的网络功能对用户的风险。 该项目旨在通过研究三类已知（和紧急）威胁来创建一个框架来填补这一空白：滥用安全套接字层（SSL），Web bug（监视网页用户的技术）和开放重定向（将用户转移到不同网页的技术，可能不会被检测到）。 这些都是当前代价高昂且紧迫的威胁;初步研究的结果在USENIX 2008年进攻性技术研讨会上发表，华盛顿邮报2008年7月16日的一篇文章报道了这篇论文。 该项目设想这三个具体问题代表三个主要类别的用户的网络风险，从而导致以用户为中心的安全框架。 广泛的研究活动包括：1。测量单位：通过主动网络爬行和被动观察的结合，研究正在量化这三种威胁的性质和程度，并在此过程中开发准确识别其发生的技术。2.以用户为中心的相关性研究：当多个网站订阅同一个网站漏洞托管公司时，该（恶意）公司可以跨多个网站跟踪用户行为。 这是相关性威胁的一个例子。 该项目还研究了对用户安全和隐私的相关威胁。 该项目的主要影响包括：1。Web上的用户安全和隐私：该项目提出了以用户为中心的Web安全和隐私观点。 这是当前迫切的社会需求。 该研究小组已经开发了几个用户端工具，有助于防止或至少揭示问题，它将继续开发和发布这些到公共领域。2.开放数据访问：抓取Web是非常资源密集型的，很少有来源公开这些数据。该小组将其数据提供给研究界。