Server Location Verification (SLV) and Server Location Pinning: Augmenting TLS Authentication

Authors: Abdelrahman Abdou and Paul C. van Oorschot
We introduce the first known mechanism providing realtime server location verification. Its uses include enhancing server authentication by enabling browsers to automatically interpret server location information. We describe the design of this new measurement-based technique, Server Location Verification (SLV), and evaluate it using PlanetLab. We explain how SLV is compatible with the increasing trends of geographically distributed content dissemination over the Internet, without causing any… 

EVLA: Extended-Validation Certificates with Location Assurance

This paper proposes Extended-Validation Certificates with Location Assurance (EVLA), a blockchain-based system that increases the security of EV certificates through checking and asserting that a CA and a given entity indeed have met during the certification process.

Secure Client and Server Geolocation over the Internet

A technical overview of Client Presence Verified (CPV) and Server Location Verification (SLV)---two recently proposed techniques designed to verify the geographic locations of clients and servers in realtime over the Internet.

Strengthening Password-Based Web Authentication Through Multiple Supplementary Mechanisms

This thesis contributes to the reinforcement of password-based authentication by pursuing parallel mechanisms that improve security without further burdening users, and expands on the concept of mimicry resistance, a dimension that has been overlooked in the design and study of web authentication schemes.

Risk-based Authentication Based on Network Latency Profiling

This paper designs a classical machine learning model and a deep learning model to profile web resource loading times collected on client-side and shows that the proposed novel network profiling is able to detect up to 88.3% of attacks using VPN tunneling schemes.

Is Real-time Phishing Eliminated with FIDO? Social Engineering Downgrade Attacks against FIDO Protocols

This work crafted a phishing website that mimics Google's login page and implements a FIDO-downgrade attack, and found that, when using FIDO as their second authentication factor, 55% of participants fell for real-time phishing, and another 35% would potentially be susceptible to the attack in practice.

Exploring Website Location as a Security Indicator

The results suggest that website location can be used as an effective indicator for users' security assessments, and a security indicator to alert the user to changes in website locations is designed.

Location Verification Assisted by a Moving Obstacle for Wireless Sensor Networks

Simulation results show that the proposed scheme achieves high probability of detecting malicious nodes and low probability of treating legitimate nodes as malicious, and the accuracy of the analysis is verified.

A lightweight and cost effective edge intelligence architecture based on containerization technology

This paper suggests and evaluates an architecture on the basis of the distributed edge/cloud integration paradigm and explains all of its advantages which lie in the combination of affordability and several other benefits provided by the fact that data processing is conducted by the edge devices instead of the central server.

Identification of IP addresses using fraudulent geolocation data

A system has been developed for detecting IP geolocation fraud in an address space spanning over 4 million IPs; despite focusing on only a small part of the IPv4 address space, the analysis has revealed incorrect geolocation data being used by over 62,000 Internet hosts, targeting 225 out of the 249 possible country codes.

Retrospective IP Address Geolocation for Geography-Aware Internet Services

The results show that it is safe to retrospectively locate IP addresses by a couple of years, but there are differences between IPv4 and IPv6.

SALVE: server authentication with location verification

This paper develops a TLS extension that enables the client to verify the server's location in addition to its certificate, and develops a solution that achieves location-based server authentication by using secure DNS resolution and by leveraging LCS for location measurements.

CPV: Delay-Based Location Verification for the Internet

Client Presence Verification is devised, a delay-based verification technique designed to verify an assertion about a device’s presence inside a prescribed geographic region, which mitigates Internet path asymmetry using a novel method to deduce one-way application-layer delays to/from the client's participating device, and mines these delays for evidence supporting/refuting the asserted location.

The SSL landscape: a thorough analysis of the x.509 PKI using active and passive measurements

A comprehensive analysis of X.509 certificates in the wild reveals that the quality of certification lacks in stringency, due to a number of reasons among which incorrect certification chains or invalid certificate subjects give the most cause for concern.

When HTTPS Meets CDN: A Case of Authentication in Delegated Service

To address the delegation problem when HTTPS meets CDN, a lightweight solution based on DANE (DNS-based Authentication of Named Entities), an emerging IETF protocol complementing the current Web PKI model is proposed and implemented.

Visual Spoofing of SSL Protected Web Sites and Effective Countermeasures

Evidence is provided that most web browsers have severe weaknesses in the browser-to-user communication (graphical user interface), which attackers can exploit to fool users about the presence of a secure SSL/TLS connection and make them disclose secrets to attackers.

SoK: SSL and HTTPS: Revisiting Past Challenges and Evaluating Certificate Trust Model Enhancements

This work surveys and categorizes prominent security issues with HTTPS and provides a systematic treatment of the history and ongoing challenges, intending to provide context for future directions.

Perspectives: Improving SSH-style Host Authentication with Multi-Path Probing

Perspectives explores a promising part of the host authentication design space: trust-on-first-use applications gain significant attack robustness without sacrificing their ease of use.

Policy-Sealed Data: A New Abstraction for Building Trusted Cloud Services

Policy-sealed data can provide greater confidence to Eucalyptus customers that their data is not being mismanaged, and Excalibur uses attribute-based encryption, which reduces the overhead of key management and improves the performance of the distributed protocols employed.

Dynamic pharming attacks and locked same-origin policies for web browsers

Two locked same-origin policies for web browsers are proposed, one of which can be deployed today and interoperate seamlessly with the vast majority of legacy web servers, and the other a simple incrementally deployable opt-in mechanism for legacy servers using policy files.

Forced Perspectives: Evaluating an SSL Trust Enhancement at Scale

It is demonstrated that through local and server caching, a single Convergence deployment can meet the requirements of millions of SSL flows while imposing under 0.1% network overhead and requiring as little as 108 ms to validate a certificate, making Convergence a worthwhile candidate for further deployment and adoption.