accept the risk and continue measuring the long tail of
play

Accept the Risk and Continue: Measuring the Long Tail of Government - PowerPoint PPT Presentation

Jan 08, 2023 •382 likes •806 views

Qualifying Evaluation Accept the Risk and Continue: Measuring the Long Tail of Government https Adoption Sudheesh Singanamalla University of Washington Understanding Web Communication Browse to www.cutepuppies.ext (

  1. Qualifying Evaluation Accept the Risk and Continue: Measuring the Long Tail of Government https Adoption Sudheesh Singanamalla University of Washington

  2. Understanding Web Communication Browse to www.cutepuppies.ext ( 2606:2800:220:1:248:1893:25c8:1946 )? cutepuppies.com <html> 2

  3. “ Historically, All transport over the Internet by design, was unencrypted . However over the last few years, that’s been changing with TLS . 3

  4. What is https ? And Why use it? - Secure version of the http protocol - uses TLS for encryption and authentication - Default port: 443 Problems with http : - Lack of privacy/confidentiality : Users’ Internet traffic is visible and can be monitored by an attacker - Lack of authentication/identity: User has no way to validate that the response is actually from the server - Lack of integrity: User has no way to validate that the message is not modified. 4

  5. Certificates and CAs Trusted A public key certificate cryptographically links the ownership of the private key of the server which needs to be verified. 5

  6. Types of Certificates 1. Domain Validation 2. Organization Validation 3. Extended Validation 6

  7. The Rise of CT Logs 1. Domain Validation 2. Organization Validation 3. Extended Validation Extended Validation Certificates are (Really, Really) Dead [1] Chrome and Firefox remove EV indicators. 7 [1] https://www.troyhunt.com/extended-validation-certificates-are-really-really-dead/

  8. Motivation: https in The Internet Today Google’s https report 1 Measures the top 1 million websites on the Alexa top Million list. Published at USENIX Security 2017. Measuring the Tail Government websites are critical sites which may not show up in top million datasets. These could include national identity systems, citizen registers, tax, and health information. 8 1. Felt, Adrienne Porter, et al. "Measuring https Adoption on the Web." 26th USENIX Security Symposium (USENIX Security 17). 2017.

  9. View of Government Websites Worldwide - Low popularity and ignored in top million datasets - Serve critical information and are authentic sources - Variable domain extensions based on official language .gov .gob.ccTLD .guv.ccTLD .go.ccTLD .gub.ccTLD .admin.ccTLD .govern.ccTLD .gov.ccTLD .fed .fed.ccTLD .mil 9

  10. But… How big of a problem is this? - Popular Government websites in the top million are vulnerable to MITM attacks. - Top government website without https (ranked at 222) belongs to the Chinese government. 10

  11. Fallback Practices in Governments - Requesting users to explicitly accept and move ahead to an insecure webpage. - Website not using “.gov.ccTLD” format - Prior Blue Tick Twitter hack raises legitimacy of this post and could be a carefully orchestrated attack . 11

  12. Broader Ripple Effects of Cert Validity - Certificates critical part of the eSignature and National Biometric Identity infrastructure. - Some governments encourage explicitly adding certificate to an allow list. - Recent attack on HTTPS interception in Kazakhstan [1] all started with an SMS to validate and add certificate to allowlist. [1] https://censoredplanet.org/kazakhstan 12

  13. Popular Datasets & New Govt. Dataset 27,532 unique government Alexa Top Majestic Million Cisco Million Censys Big websites Query Million # Govt. Websites Majestic Million Cisco Million Tranco Million Top 1K 56 0 30 Top 10K 508 14 373 Top 100K 2538 433 2351 Top 1M 12445 ( 1.24% ) 9296 ( 0.93% ) 12293 ( 1.23% ) 13

  14. Chasing the tail... - Crowdsource unique websites from 23 countries. 27,532 27,794 unique unique government government websites websites 14

  15. Chasing the tail... - Crawl upto 7 levels of Depth. 843,561 27,794 hostnames which filter down to 301,219 unique government unique hostnames and 134,812 websites unique government websites 15

  16. The Crawler Implementation DL Bandwidth: 838.88 Mb/s UL Bandwidth: 405.09 Mb/s 24 Core Intel Xeon CPU L5640 - Single ISP. - DNS Lookups for CAA records 16

  17. Crawl Effectiveness - Single vantage point - 7 levels of depth process - Parallelism for countries - Imported Trust Store - Snapshot model Limitations: - Multiple vantage points - Longitudinal View 17

  18. Chasing the tail... - Explicit whitelist and hand curation from 62 countries. 134,812 135,408 unique unique government government websites websites 18

  19. Validating the Certificates - OpenSSL with the Apple Mac OS trust store imported - Download the entire certificate chain and validate 19

  20. Results: At a glance Approx. 72% Government websites worldwide do not have https More than More than 11% 60% Websites result Serve content In an invalid https only using http connection 20

  21. Worldwide Availability & Validity Availability: Ability for the crawler to visit the website https : Websites which serve content using https Validity: Websites which serve content using valid https 21

  22. Worldwide Availability & Validity Interesting Findings: - Massive drop in https adoption from available websites in South Korea and China. - Less than 1.35% of websites use DNS CAA records. 22

  23. Validity by Certificate Authorities - Free CAs like Let’s Encrypt are the leading certificate providers - 80% validity - 20% invalidity - Hostname mismatch - Expiry - Self signed certs. Note : The CAs issuing certs differ by country. 23

  24. What about EV Certificates? 24

  25. Certificate Validity & Common Errors Valid Certificates follow the issuance rules set by the CA/B forum. - 2 or 3 year validity - 1 year validity starting September 2020. Issuance misconfigurations Cryptographic Insecurities 25

  26. Certificate Validity & Common Errors 26

  27. Certificate Reuse - Incorrect use of wildcard certificates - *.portal.gov.bd applied on all *.gov.bd - Use of web server default certificates - “ localhost ” - “ example.com ” - Used across 58 hostnames across 24 countries. - Probably from a popular question-answer website - Allows the ability to intercept, decrypt and modify https traffic. - Indistinguishable if users add certificate to allowed browser exceptions 27

  28. Comparing Validity to World Press Freedom 28

  29. Comparing Validity to Corruption 29

  30. In Depth Case Studies: USA and ROK 1. Both countries have similar HDI scores and Internet adoption rates but have a differing https adoption - USA : 81.12% - ROK : 37.95% 2. Technical sophistication of both countries biases them towards higher https adoption numbers compared to the rest of the world. 3. ROK recently moved out of its own NPKI infrastructure to use global standards, and USA mandates government websites to have https . [Congress S.2749 116-192] Takeaway : https adoption in government websites is below expectations worldwide. 30

  31. Validity by Hosting Type - Use of public cloud services and CDNs still not popular - Lower invalidity rates in websites which use the public cloud services Takeaway : Cloud services and CDNs reduce configuration errors, handle renewals, improve https adoption. 31

  32. What about different levels of Govt? 32

  33. But Wait … What about Non-Gov Websites? Takeaway : Higher public cloud services usage and higher https adoption and validity in Non-Gov Websites. 33

  34. Responsible Disclosures and Notifications - Controlled issuance of Government domains make it easier to reach the country government registrars - Higher response rate (~22%) compared to direct notification studies in the past (~5.8%) - 39 countries who proactively engaged . 34

  35. Impact of Notifications - Scanned the reported websites 2 months later - Silently updated with no response - Unavailable websites back online - http -only traffic upgraded to https : - > 10% improvement in 62 countries - > 40% improvement in 7 countries. We weakly attribute this to the disclosure and notifications. 35

  36. Why should governments care? - Websites are heavily interlinked . - Insecure links can be exploited spreading misinformation - Affects credibility - Misconfigured machines using default server example key-pairs in production websites allow foreign intelligence surveillance. 36

  37. Why should governments care? - Compelled Certificate Creation Attacks - Governments can compel CAs 0 - Disproportionate number of US based CAs Cost of https today - 42 in USA - 6 in Spain, Bermuda - 4 in Taiwan, China, India, Belgium Recommendation : Use Country CA as Intermediate CA. 37

  38. Why should governments care? - Impersonation Attacks - Easy to purchase resembling domain names and get a free certificate: - abcgov.us - thepresidentgov.us The case of eta.gov.lk & etagov.sl Recommendation : Domain Registrars Implement Additional Checks. 38

  39. Limitations - Potential biases: - Ignores government websites using .net, .com, .org - Potential bias towards larger countries - Potential censorship in countries affecting results - Improve by considering more case studies eg. India, UK, Australia. 39

  40. Future Work 1. S.2749 - DOTGOV Online Trust in Government Act of 2019 2. Encourage the usage of DNSSEC signed CAA records and HSTS Preloading 3. Encourage domain registrars to implement safeguards from domain names which could impersonate government domains. 4. Improve https adoption. 40

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Accept the Risk and Continue: Measuring the Long Tail of Government https Adoption Sudheesh

Accept the Risk and Continue: Measuring the Long Tail of Government https Adoption Sudheesh

Session 15: Crime and Protection Accept the Risk and Continue: Measuring the Long Tail of Government https Adoption Sudheesh Singanamalla, Esther Han Beol Jang Richard Anderson, Tadayoshi Kohno, Kurtis Heimerl University of Washington

525 views • 18 slides
Accept the Risk and Continue: Measuring the Long Tail of Government https Adoption Sudheesh

Accept the Risk and Continue: Measuring the Long Tail of Government https Adoption Sudheesh

Session 15: Crime and Protection Accept the Risk and Continue: Measuring the Long Tail of Government https Adoption Sudheesh Singanamalla, Esther Han Beol Jang Richard Anderson, Tadayoshi Kohno, Kurtis Heimerl University of Washington Presented

504 views • 29 slides
The Long Tail as a Pow g er Curve 120 100 80 60 40 40 20 0 1 1 11 11 21 21 31 31

The Long Tail as a Pow g er Curve 120 100 80 60 40 40 20 0 1 1 11 11 21 21 31 31

The Long Tail as a Pow g er Curve 120 100 80 60 40 40 20 0 1 1 11 11 21 21 31 31 41 41 W here the Long Tail Meets the Sneaky Exponential (Cum ulative V alue of Potential Intearctions) 10000 9000 8000 8000 7000 6000

651 views • 9 slides
Day 3 Long Tail SEO Google Analytics How Google Analytics can help with our Long Tail

Day 3 Long Tail SEO Google Analytics How Google Analytics can help with our Long Tail

Day 3 Long Tail SEO Google Analytics How Google Analytics can help with our Long Tail SEO Conversion Depending on your site, you have a goal in mind for your visitor. What are you looking for your visitor to do? What's a

922 views • 17 slides
Bringing Long-Tail Microscopy &amp; Characterisation Data into the Light RAiD service

Bringing Long-Tail Microscopy &amp; Characterisation Data into the Light RAiD service

Bringing Long-Tail Microscopy &amp; Characterisation Data into the Light RAiD service Characterisation: Process of User Dataset Project ID probing and measuring the Projects Instrument ID * Native data structures and properties

259 views • 4 slides
Asset Pricing Chapter IV. Measuring Risk and Risk Aversion June 20, 2006 Asset Pricing 4.1

Asset Pricing Chapter IV. Measuring Risk and Risk Aversion June 20, 2006 Asset Pricing 4.1

4.1 Measuring Risk Aversion 4.2 Interpreting the Measures of Risk Aversion 4.4 Risk Premium and Certainty Equivalence 4.5 Assessing an Investors Level of Relative Risk Aversion 4.6 The Concept of Stochastic Dominance 4.7 Mean Preserving

709 views • 23 slides
Sharing is Caring in the Land of The Long Tail Samy Bengio Real life setting Real problems

Sharing is Caring in the Land of The Long Tail Samy Bengio Real life setting Real problems

Sharing is Caring in the Land of The Long Tail Samy Bengio Real life setting Real problems rarely come packaged as 1M images uniformly belonging to a set of 1000 classes 2 The long tail Well known phenomena where a small number

894 views • 41 slides
Measuring tail dependence for collateral losses using bivariate L evy process Jiwook Jang

Measuring tail dependence for collateral losses using bivariate L evy process Jiwook Jang

Measuring tail dependence for collateral losses using bivariate L evy process Jiwook Jang Actuarial Studies Faculty of Commerce and Economics University of New South Wales Sydney, AUSTRALIA Actuarial Studies Research Symposium 11 November

668 views • 45 slides
Measuring and Optimizing Tail Latency Kathryn S McKinley, Google CRA-W Undergraduate Town Hall

Measuring and Optimizing Tail Latency Kathryn S McKinley, Google CRA-W Undergraduate Town Hall

Measuring and Optimizing Tail Latency Kathryn S McKinley, Google CRA-W Undergraduate Town Hall April 5 th , 2018 Speaker &amp; Moderator The image part with relationship ID rId3 was not found in the file. Lori Pollock Kathryn S McKinley Dr.

677 views • 40 slides
Race Condition Shared Data: 4 5 6 1 8 5 6 20 9 ? Synchronization and Deadlocks tail

Race Condition Shared Data: 4 5 6 1 8 5 6 20 9 ? Synchronization and Deadlocks tail

Race Condition Shared Data: 4 5 6 1 8 5 6 20 9 ? Synchronization and Deadlocks tail A[] (or The Dangers of Threading) Enqueue(): A[tail] = 20; A[tail] = 9; Jonathan Misurda tail++; tail++; thread jmisurda@cs.pitt.edu switch

282 views • 3 slides
TXTing 101: Finding Security Issues in the Long Tail of DNS TXT Records O. van der Toorn 1 R. van

TXTing 101: Finding Security Issues in the Long Tail of DNS TXT Records O. van der Toorn 1 R. van

TXTing 101: Finding Security Issues in the Long Tail of DNS TXT Records O. van der Toorn 1 R. van Rijswijk-Deij 1 T. Fiebig 2 M. Lindorfer 3 A. Sperotto 1 2020-08-21 1 University of Twente, 2 TU Delft, and 3 TU Wien DNS TXT Records 1 DNS TXT

1.04k views • 51 slides
IAIR T TDS V VI: D Deali ling wit ith Long T Tail il Cla laim ims October 12, 2018

IAIR T TDS V VI: D Deali ling wit ith Long T Tail il Cla laim ims October 12, 2018

www.pwc.com IAIR T TDS V VI: D Deali ling wit ith Long T Tail il Cla laim ims October 12, 2018 Moderator: Barb Murray - Director, PwC Panelists: William Barbagallo, Managing Director, PwC Thomas Cunningham - Partner, Sidley Austin

503 views • 3 slides
The Long Tail(s) of the Law: An exploratory study Graham Greenleaf, Philip Chung &amp; Andrew

The Long Tail(s) of the Law: An exploratory study Graham Greenleaf, Philip Chung &amp; Andrew

The Long Tail(s) of the Law: An exploratory study Graham Greenleaf, Philip Chung &amp; Andrew Mowbray, AustLII Law via the Internet 2011 Conference, Hong Kong First rule of cross-examination Never ask a question if you dont know the

1.18k views • 28 slides
Non-Cumulation Clauses and Long-Tail Claims in CGL Policies: Latest Developments Allocating

Non-Cumulation Clauses and Long-Tail Claims in CGL Policies: Latest Developments Allocating

Presenting a live 90-minute webinar with interactive Q&amp;A Non-Cumulation Clauses and Long-Tail Claims in CGL Policies: Latest Developments Allocating Liability Among Multiple Policies Triggered by Multi-Year Loss TUESDAY, MAY 7, 2013 1pm

1.12k views • 89 slides
Moving Down the Long Tail of Word Sense Disambiguation with Gloss Informed Bi-encoders Terra

Moving Down the Long Tail of Word Sense Disambiguation with Gloss Informed Bi-encoders Terra

Moving Down the Long Tail of Word Sense Disambiguation with Gloss Informed Bi-encoders Terra Blevins and Luke Zettlemoyer The plant sprouted a new leaf. (n) (botany) a (n) buildings for (v) to put or set living organism... carrying on (a

450 views • 41 slides
Economics of Information Storage: The Value in Storing the Long Tail James Hughes 1975 History

Economics of Information Storage: The Value in Storing the Long Tail James Hughes 1975 History

Economics of Information Storage: The Value in Storing the Long Tail James Hughes 1975 History Density has grown 36%/yr: 1956: 2 kb/in 2 2005: 100 gb/in 2 Efficiency (B/$) grew 51%/yr: 1974: 200 MB disk drive price $450 k 1

723 views • 27 slides
Guiding the Evolution of the IANA Protocol Parameter Registries Olaf Kolkman olaf@NLnetLabs.nl

Guiding the Evolution of the IANA Protocol Parameter Registries Olaf Kolkman olaf@NLnetLabs.nl

Guiding the Evolution of the IANA Protocol Parameter Registries Olaf Kolkman olaf@NLnetLabs.nl with Bernard Aboba Bernard.Aboba@gmail.com http://www.iab.org/activities/programs/iana-evolution-program/ 1 Outline The very broad

649 views • 30 slides
Disclosures REBOA: Rapid Aortic Control in the Trauma Patient I have nothing to disclose Shant

Disclosures REBOA: Rapid Aortic Control in the Trauma Patient I have nothing to disclose Shant

u 4/7/2017 Disclosures REBOA: Rapid Aortic Control in the Trauma Patient I have nothing to disclose Shant M. Vartanian, MD Assistant Professor of Surgery Division of Vascular and Endovascular Surgery University of California, San Francisco

365 views • 7 slides
Factoring into large primes with P-1, P+1 and ECM Alexander Kruppa LORIA CADO workshop Nancy,

Factoring into large primes with P-1, P+1 and ECM Alexander Kruppa LORIA CADO workshop Nancy,

Factoring into large primes with P-1, P+1 and ECM Alexander Kruppa LORIA CADO workshop Nancy, 9. October 2008 Using P-1, P+1 and ECM in NFS For large factoring projects, memory becomes a limiting resource. Large factor base bound B requires

385 views • 21 slides
TOGETHER WE ARE STRONGER Who are we? Anchored by Dartmouth-Hitchcock Medical Center

TOGETHER WE ARE STRONGER Who are we? Anchored by Dartmouth-Hitchcock Medical Center

TOGETHER WE ARE STRONGER Who are we? Anchored by Dartmouth-Hitchcock Medical Center Anchored by Catholic Medical Center 5 hospitals &amp; 24 sites in NH and VT 3 hospitals, 16 sites and affiliates 650 beds 380 beds

91 views • 8 slides
Metacognition Isnt Just for Students Dr. Lauren Scharff Director, Scholarship of Teaching

Metacognition Isnt Just for Students Dr. Lauren Scharff Director, Scholarship of Teaching

Metacognition Isnt Just for Students Dr. Lauren Scharff Director, Scholarship of Teaching &amp; Learning Professor of Behavioral Sciences U. S. Air Force Academy Agree or Disagree? Many students get stuck in a rut with their learning,

875 views • 49 slides
Zero Suicides in Care initiative 18 March 2020 Stephen Scott Principal Policy Officer, Mental

Zero Suicides in Care initiative 18 March 2020 Stephen Scott Principal Policy Officer, Mental

Zero Suicides in Care initiative 18 March 2020 Stephen Scott Principal Policy Officer, Mental Health Branch 1 Towards Zero Suicides Premiers Priority Target: Reduce the rate of suicide deaths in NSW by 20 per cent, from 10.9 per 100,000

404 views • 38 slides
Jurong Secondary School Sec 1 CCA Display Day 12 January 2019 Programme Overview Principals

Jurong Secondary School Sec 1 CCA Display Day 12 January 2019 Programme Overview Principals

Welcome to Jurong Secondary School Sec 1 CCA Display Day 12 January 2019 Programme Overview Principals Address Talk by Parent Support Group Overview of CCE Programmes Discipline and School Rules Overview of CCA Programmes MSF Talk on

1.61k views • 145 slides
MASS SHOOTINGS: SOCIO-CULTURAL PERSPECTIVES Learning Objectives 1. Discuss the history of mass

MASS SHOOTINGS: SOCIO-CULTURAL PERSPECTIVES Learning Objectives 1. Discuss the history of mass

MASS SHOOTINGS: SOCIO-CULTURAL PERSPECTIVES Learning Objectives 1. Discuss the history of mass shootings 2. Explore causation myths such as medications and mental illness 3. Investigate main socio-cultural factors 4. Integrate

686 views • 53 slides

More recommend