Server Location Verification (SLV) and Server Location Pinning: Augmenting TLS Authentication

Authors: Abdelrahman Abdou and Paul C. van Oorschot
We introduce the first known mechanism providing realtime server location verification. Its uses include enhancing server authentication by enabling browsers to automatically interpret server location information. We describe the design of this new measurement-based technique, Server Location Verification (SLV), and evaluate it using PlanetLab. We explain how SLV is compatible with the increasing trends of geographically distributed content dissemination over the Internet, without causing any… 


EVLA: Extended-Validation Certificates with Location Assurance

This paper proposes Extended-Validation Certificates with Location Assurance (EVLA), a blockchain-based system that increases the security of EV certificates through checking and asserting that a CA and a given entity indeed have met during the certification process.

Secure Client and Server Geolocation over the Internet

A technical overview of Client Presence Verified (CPV) and Server Location Verification (SLV)---two recently proposed techniques designed to verify the geographic locations of clients and servers in realtime over the Internet.

Strengthening Password-Based Web Authentication Through Multiple Supplementary Mechanisms

This thesis contributes to the reinforcement of password-based authentication by pursuing parallel mechanisms that improve security without further burdening users, and expands on the concept of mimicry resistance, a dimension that has been overlooked in the design and study of web authentication schemes.

SSLP-Based Micro-Application Terminal Access Authority Authentication Method

  • Fengjuan Ma, Dawei Song
  • Computer Science
    2021 IEEE Conference on Telecommunications, Optics and Computer Science (TOCS)
  • 2021
This article is mainly based on an analysis of the SSL protocol to design a solution for micro-application terminal access authorization authentication to improve the security performance of e-commerce by more than 50%, make full use of the advantages of the protocol, ensure consumer safety, and promote a healthy and safe network environment.

Risk-based Authentication Based on Network Latency Profiling

This paper designs a classical machine learning model and a deep learning model to profile web resource loading times collected on client-side and shows that the proposed novel network profiling is able to detect up to 88.3% of attacks using VPN tunneling schemes.

Towards Sustainable Evolution for the TLS Public-Key Infrastructure

This work proposes a framework that supports the deployment of multiple PKI enhancements, with the ability to accommodate new, yet unforeseen, enhancements in the future, and enlists the cloud as a "centralized" location where multiple enhancements can be accessed with high availability.

Is Real-time Phishing Eliminated with FIDO? Social Engineering Downgrade Attacks against FIDO Protocols

This work crafted a phishing website that mimics Google's login page and implements a FIDO-downgrade attack, and found that, when using FIDO as their second authentication factor, 55% of participants fell for real-time phishing, and another 35% would potentially be susceptible to the attack in practice.

Exploring Website Location as a Security Indicator

The results suggest that website location can be used as an effective indicator for users' security assessments, and a security indicator to alert the user to changes in website locations is designed.

Location Verification Assisted by a Moving Obstacle for Wireless Sensor Networks

Simulation results show that the proposed scheme achieves high probability of detecting malicious nodes and low probability of treating legitimate nodes as malicious, and the accuracy of the analysis is verified.

A lightweight and cost effective edge intelligence architecture based on containerization technology

This paper suggests and evaluates an architecture on the basis of the distributed edge/cloud integration paradigm and explains all of its advantages which lie in the combination of affordability and several other benefits provided by the fact that data processing is conducted by the edge devices instead of the central server.

SALVE: server authentication with location verification

This paper develops a TLS extension that enables the client to verify the server's location in addition to its certificate, and develops a solution that achieves location-based server authentication by using secure DNS resolution and by leveraging LCS for location measurements.

CPV: Delay-Based Location Verification for the Internet

Client Presence Verification is devised, a delay-based verification technique designed to verify an assertion about a device’s presence inside a prescribed geographic region, which mitigates Internet path asymmetry using a novel method to deduce one-way application-layer delays to/from the client's participating device, and mines these delays for evidence supporting/refuting the asserted location.

The SSL landscape: a thorough analysis of the x.509 PKI using active and passive measurements

A comprehensive analysis of X.509 certificates in the wild reveals that the quality of certification lacks in stringency, due to a number of reasons among which incorrect certification chains or invalid certificate subjects give the most cause for concern.

Visual Spoofing of SSL Protected Web Sites and Effective Countermeasures

Evidence is provided that most web browsers have severe weaknesses in the browser-to-user communication (graphical user interface), which attackers can exploit to fool users about the presence of a secure SSL/TLS connection and make them disclose secrets to attackers.

SoK: SSL and HTTPS: Revisiting Past Challenges and Evaluating Certificate Trust Model Enhancements

This work surveys and categorizes prominent security issues with HTTPS and provides a systematic treatment of the history and ongoing challenges, intending to provide context for future directions.

Perspectives: Improving SSH-style Host Authentication with Multi-Path Probing

Perspectives explores a promising part of the host authentication design space: trust-on-first-use applications gain significant attack robustness without sacrificing their ease of use.

Policy-Sealed Data: A New Abstraction for Building Trusted Cloud Services

Policy-sealed data can provide greater confidence to Eucalyptus customers that their data is not being mismanaged, and Excalibur uses attribute-based encryption, which reduces the overhead of key management and improves the performance of the distributed protocols employed.

Dynamic pharming attacks and locked same-origin policies for web browsers

Two locked same-origin policies for web browsers are proposed, one of which can be deployed today and interoperate seamlessly with the vast majority of legacy web servers, and the other a simple incrementally deployable opt-in mechanism for legacy servers using policy files.

Forced Perspectives: Evaluating an SSL Trust Enhancement at Scale

It is demonstrated that through local and server caching, a single Convergence deployment can meet the requirements of millions of SSL flows while imposing under 0.1% network overhead and requiring as little as 108 ms to validate a certificate, making Convergence a worthwhile candidate for further deployment and adoption.

The Inconvenient Truth about Web Certificates

A large-scale empirical analysis that considers the top one million most popular websites shows that very few websites implement certificate-based authentication properly and, in most cases, domain mismatches between certificates and websites are observed.