Stronger Password Authentication Using Browser Extensions
We describe a browser extension, PwdHash, that transparently produces a different password for each site, improving web password security and defending against password phishing and other attacks.
Robust defenses for cross-site request forgery
This paper presents a new variation on CSRF attacks, login CSRF, in which the attacker forges a cross-site request to the login form, logging the victim into the honest web site as the attacker.
HTTP Strict Transport Security (HSTS)
This specification defines a mechanism enabling web sites to declare themselves accessible only via secure connections and/or for users to be able to direct their user agent(s) to interact with given
Accountable key infrastructure (AKI): a proposal for a public-key validation infrastructure
This paper proposes AKI as a new public-key validation infrastructure, to reduce the level of trust in CAs, and proposes an architecture for key revocation of all entities through checks-and-balances.
Securing frame communication in browsers
This work analyzes two techniques for interframe communication between isolated frames and proposes improvements to the postMessage API to provide confidentiality; these improvements have been standardized and adopted in browser implementations.
An Analysis of Private Browsing Modes in Modern Browsers
This work proposes and experiments with a workable policy that lets users safely run extensions in private browsing mode and surveys its implementation in different browsers to suggest that private browsing is used differently from how it is marketed.
Busting frame busting: a study of clickjacking vulnerabilities on popular sites
This work studies frame busting practices for the Alexa Top-500 sites and shows that all can be circumvented in one way or another.
Analyzing Forged SSL Certificates in the Wild
This work designs and implements a method to detect SSL man-in-the-middle attacks against a top global website, Facebook, and finds that 0.2% of the SSL connections analyzed were tampered with using forged SSL certificates.
Clickjacking: Attacks and Defenses
A new defense, InContext, is proposed, in which web sites mark UI elements that are sensitive, and browsers enforce context integrity of user actions on these sensitive UI elements, ensuring that a user sees everything she should see before her action and that the timing of the action corresponds to her intent.
ForceHTTPS: protecting high-security web sites from network attacks
This work provides a prototype implementation of ForceHTTPS, a simple browser security mechanism that web sites or users can use to opt in to stricter error processing, improving the security of HTTPS by preventing network attacks that leverage the browser's lax error processing.