Title: Building Trust In the Online Ecosystem through Empirical Evaluations of Web Security and Privacy Concerns.
Date: Monday, July 17, 2023.
Time: 11am – 1pm EST.
Location: MS Teams meeting: link (ID: 296 859 795 059, Passcode: 9UqRXg)
Dhruv Kuchhal
Ph.D. Candidate in Computer Science
School of Cybersecurity and Privacy
Georgia Institute of Technology
Committee:
Dr. Frank Li (Advisor), School of Cybersecurity and Privacy, Georgia Institute of Technology
Dr. Paul Pearce, School of Cybersecurity and Privacy, Georgia Institute of Technology
Dr. Brendan Saltaformaggio, School of Cybersecurity and Privacy, Georgia Institute of Technology
Dr. Alberto Dainotti, School of Computer Science, Georgia Institute of Technology
Dr. Adam Oest, PayPal, Inc.
Abstract:
Security and privacy concerns for the web can manifest in practice due to inadvertent misconfigurations, or intentionally be considered an acceptable risk to promote better usability or compatibility. Our community needs to monitor when these concerns become realistic threats that erode trust in the ecosystem, so that appropriate defenses can be adopted to mitigate the threats while minimizing the decline in usability. To take a meaningful next step towards improving the state of trust and safety for users on the web, it is imperative to first bridge the gap between theory and practice by corroborating with evidence the extent to which such weaknesses exist on the web today. This dissertation demonstrates how large-scale empirical studies help uncover such gaps in real-world implementations.
Trust and safety go both ways between users and online platforms. To study the security and privacy concerns for platforms, we present measurement techniques to (i) analyze the practical security provided by passwordless authentication to securely authenticate users when deployed in the real world, and (ii) evaluate the efficacy of YouTube's anti-abuse measures to protect their content from manipulation by malicious actors in terms of organically produced fake engagement. On the other hand, for users to trust online services with their data, they too expect a certain level of privacy when online. To that end, our work explores the privacy implications of (i) local network communications by popular websites, and (ii) invasive access to a user's web activity by in-app browsers in popular Android apps.
Through the studies presented in this dissertation, we find that measurement methods, such as the ones we present, are effective at highlighting the gaps between secure configurations that exist in theory, and real-world implementations which seldom follow best practices. Across various contexts, we learn that the gaps exist because web services optimize for lower user friction, without taking full cognizance of the risks involved. Ultimately, we demonstrate that for broader adoption of recommendations made by security practitioners in theory, we need increased operational insights of real-world systems.