Statistical identification of encrypted web browsing traffic
IEEE Symposium on Security and Privacy, 2002
Cited by 67 (0 self)
Encryption is often proposed as a tool for protecting the privacy of World Wide Web browsing. However, encryption - particularly as typically implemented in, or in concert with popular Web browsers - does not hide all information about the encrypted plaintext. Specifically, HTTP object count and sizes are often revealed (or at least incompletely concealed). We investigate the identifiability of World Wide Web traffic based on this unconcealed information in a large sample of Web pages, and show that it suffices to identify a significant fraction of them quite reliably. We also suggest some possible countermeasures against the exposure of this kind of information and experimentally evaluate their effectiveness.
sMonitor: A non-intrusive client-perceived end-to-end performance monitor for secured Internet services
In Proceedings of USENIX Annual Technical Conference, 2006
Cited by 2 (0 self)
End-to-end performance measurement is fundamental to building high-performance Internet services. While many Internet services often operate using HTTP over SSL/TLS, current monitors are limited to plaintext HTTP services. This paper presents sMonitor, a non-intrusive server-side end-to-end performance monitor that can monitor HTTPS services. The monitor passively collects live packet traces from a server site. It then uses a size-based analysis method on HTTP requests to infer characteristics of client accesses and measures client-perceived pageview response time in real time. We designed and implemented a prototype of sMonitor. Preliminary evaluations show measurement error of less than 5%.
Secure Cloud Computing with Brokered Trusted Sensor Networks
Cited by 2 (1 self)
We propose a model for large-scale smartphone based sensor networks, with sensor information processed by clouds and grids, with a mediation layer for processing, filtering and other mashups done via a brokering network. Final aggregate results are assumed to be sent to users through traditional cloud interfaces such as browsers. We conjecture that such a network configuration will have significant sensing applications, and perform some preliminary work in both defining the system, and considering threats to the system as a whole from different perspectives. We then discuss our current, initial approaches to solving three portions of the overall security architecture: i) Risk Analysis relating to the possession and environment of the smartphone sensors, ii) New malware threats and defenses installed on the sensor network proper, and iii) An analysis of covert channels being used to circumvent encryption in the user/cloud interface.
Website Fingerprinting: Attacking Popular Privacy Enhancing Technologies with The Multinomial Naïve-bayes Classifier
2009
Automated Black-Box Detection of Side-Channel Vulnerabilities in Web Applications
Web applications divide their state between the client and the server. The frequent and highly dynamic client-server communication that is characteristic of modern web applications leaves them vulnerable to side-channel leaks, even over encrypted connections. We describe a black-box tool for detecting and quantifying the severity of side-channel vulnerabilities by analyzing network traffic over repeated crawls of a web application. By viewing the adversary as a multi-dimensional classifier, we develop a methodology to more thoroughly measure the distinguishability of network traffic for a variety of classification metrics. We evaluate our detection system on several deployed web applications, accounting for proposed client and server-side defenses. Our results illustrate the limitations of entropy measurements used in previous work and show how our new metric based on the Fisher criterion can be used to more robustly reveal side-channels in web applications.
Toward Securing Sensor Clouds
We aim to secure smart sensor networks, where computationally powerful sensing devices such as smartphones or cognitive radios interact with the cloud. In previous work, we have proposed a large-scale brokering framework, and we are researching several facets of securing sensors in the context of this framework. In this paper we discuss initial results for three portions of this effort, challenges that remain for secure sensor networks, and specific directions we are currently pursuing. In particular, we discuss our work on (i) Sensor risk assessment, relating to the possession and environment of the smartphone sensors, (ii) New malware threats and defenses installed on the sensor network proper, and (iii) Defense against the side-channel analysis on the Software-as-a-Service infrastructure.

