Stronger Password Authentication Using Browser Extensions
We describe a browser extension, PwdHash, that transparently produces a different password for each site, improving web password security and defending against password phishing and other attacks.
  • 427
  • 38
Robust defenses for cross-site request forgery
Cross-Site Request Forgery (CSRF) is a widely exploited web site vulnerability. In this paper, we present a new variation on CSRF attacks, login CSRF, in which the attacker forges a cross-site…
  • 420
  • 36
HTTP Strict Transport Security (HSTS)
This specification defines a mechanism enabling web sites to declare themselves accessible only via secure connections and/or for users to be able to direct their user agent(s) to interact with given…
  • 175
  • 32
An Analysis of Private Browsing Modes in Modern Browsers
We study the security and privacy of private browsing modes recently added to all major browsers. We first propose a clean definition of the goals of private browsing and survey its implementation in…
  • 174
  • 16
Securing frame communication in browsers
Many Web sites embed third-party content in frames, relying on the browser's security policy to protect against malicious content. However, frames provide insufficient isolation in browsers that let…
  • 175
  • 16
Analyzing Forged SSL Certificates in the Wild
The SSL man-in-the-middle attack uses forged SSL certificates to intercept encrypted connections between clients and servers. However, due to a lack of reliable indicators, it is still unclear how…
  • 131
  • 13
Accountable key infrastructure (AKI): a proposal for a public-key validation infrastructure
Recent trends in public-key infrastructure research explore the tradeoff between decreased trust in Certificate Authorities (CAs), resilience against attacks, communication overhead (bandwidth and…
  • 128
  • 13
Busting frame busting: a study of clickjacking vulnerabilities on popular sites
Web framing attacks such as clickjacking use iframes to hijack a user’s web session. The most common defense, called frame busting, prevents a site from functioning when loaded inside a frame. We…
  • 158
  • 13
Clickjacking: Attacks and Defenses
Clickjacking attacks are an emerging threat on the web. In this paper, we design new clickjacking attack variants using existing techniques and demonstrate that existing clickjacking defenses are…
  • 119
  • 12
ForceHTTPS: protecting high-security web sites from network attacks
As wireless networks proliferate, web browsers operate in an increasingly hostile network environment. The HTTPS protocol has the potential to protect web users from network attackers, but real-world…
  • 112
  • 10