Projects and Research

The Security Impact of HTTPS Interception

As HTTPS deployment grows, middlebox and antivirus products are increasingly intercepting TLS connections to retain visibility into network traffic. In this work, we present a comprehensive study on the prevalence and impact of HTTPS interception. First, we show that web servers can detect interception by identifying a mismatch between the HTTP User-Agent header and TLS client behavior. We characterize the TLS handshakes of major browsers and popular interception products, which we use to build a set of heuristics to detect interception and identify the responsible product. We deploy these heuristics at three large network providers: (1) Mozilla Firefox update servers, (2) a set of popular e-commerce sites, and (3) the Cloudflare content distribution network. We find more than an order of magnitude more interception than previously estimated and with dramatic impact on connection security. To understand why security suffers, we investigate popular middleboxes and client-side security software, finding that nearly all reduce connection security and many introduce severe vulnerabilities. Drawing on our measurements, we conclude with a discussion on recent proposals to safely monitor HTTPS and recommendations for the security community.
The Security Impact of HTTPS Interception
Zakir Durumeric, Zane Ma, Drew Springall, Richard Barnes, Nick Sullivan,
Elie Bursztein, Michael Bailey, J. Alex Halderman, and Vern Paxson
Proc. 24th Network and Distributed System Security Symposium
NDSS '17, San Diego, CA, February 2017
 title = {The Security Impact of {HTTPS} Interception},
 author = {Durumeric, Zakir and Ma, Zane and Springall, Drew and Barnes, Richard and Sullivan, Nick and Bursztein, Elie and Bailey, Michael and Halderman, J Alex and Paxson, Vern},
 booktitle = {Network and Distributed System Security Symposium (NDSS'17)},
 year = {2017},
 month = feb,

Measuring the Security Harm of TLS Crypto Shortcuts

TLS has the potential to provide strong protection against network-based attackers and mass surveillance, but many implementations take security shortcuts in order to reduce the costs of cryptographic computations and network round trips. We report the results of a nine-week study that measures the use and security impact of these shortcuts for HTTPS sites among Alexa Top Million domains. We find widespread deployment of DHE and ECDHE private value reuse, TLS session resumption, and TLS session tickets. These practices greatly reduce the protection afforded by forward secrecy: connections to 38% of Top Million HTTPS sites are vulnerable to decryption if the server is compromised up to 24 hours later, and 10% up to 30 days later, regardless of the selected cipher suite. We also investigate the practice of TLS secrets and session state being shared across domains, finding that in some cases, the theft of a single secret value can compromise connections to tens of thousands of sites. These results suggest that site operators need to better understand the tradeoffs between optimizing TLS performance and providing strong security, particularly when faced with nation-state attackers with a history of aggressive, large-scale surveillance.
Measuring the Security Harm of TLS Crypto Shortcuts
Drew Springall, Zakir Durumeric, J. Alex Halderman
16th ACM Internet Measurement Conference
IMC '16, Santa Monica, CA, November 2016
 title = {Measuring the Security Harm of {TLS} Crypto Shortcuts},
 author = {Springall, Drew and Durumeric, Zakir and Halderman, J. Alex},
 booktitle = {Proceedings of the 2016 ACM on Internet Measurement Conference},
 year = {2016},
 month = nov,

FTP: The Forgotten Cloud

Once pervasive, the File Transfer Protocol (FTP) has been largely supplanted by HTTP, SCP, and BitTorrent for transferring data between hosts. Yet, in a comprehensive analysis of the FTP ecosystem as of 2015, we find that there are still more than 13 million FTP servers in the IPv4 address space, 1.1 million of which allow "anonymous" (public) access. These anonymous FTP servers leak sensitive information, such as tax documents and cryptographic secrets. More than 20,000 FTP servers allow public write access, which has facilitated malicious actors' use of free storage as well as malware deployment and click-fraud attacks. We further investigate real-world attacks by deploying eight FTP honeypots, shedding light on how attackers are abusing and exploiting vulnerable servers. We conclude with lessons and recommendations for securing FTP.
FTP: The Forgotten Cloud
Drew Springall, Zakir Durumeric, J. Alex Halderman
46th IEEE/IFIP International Conference on Dependable Systems and Networks
DSN '16, Toulouse, France, June 2016
  title={{FTP}: The Forgotten Cloud},
  author={Springall, Drew and Durumeric, Zakir and Halderman, J Alex},
  booktitle={Dependable Systems and Networks (DSN), 2016 46th Annual IEEE/IFIP International Conference on},
  year={2016},
  month=jun,

Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice

Best Paper Award, CCS 2015

Pwnie for Most Innovative Research, Black Hat USA 2015

We investigate the security of Diffie-Hellman key exchange as used in popular Internet protocols and find it to be less secure than widely believed. First, we present a novel flaw in TLS that allows a man-in-the-middle to downgrade connections to “export-grade” Diffie-Hellman. To carry out this attack, we implement the number field sieve discrete log algorithm. After a week-long precomputation for a specified 512-bit group, we can compute arbitrary discrete logs in this group in minutes. We find that 82% of vulnerable servers use a single 512-bit group, allowing us to compromise connections to 7% of Alexa Top Million HTTPS sites. In response, major browsers are being changed to reject short groups. We go on to consider Diffie-Hellman with 768- and 1024-bit groups. A small number of fixed or standardized groups are in use by millions of TLS, SSH, and VPN servers. Performing precomputations on a few of these groups would allow a passive eavesdropper to decrypt a large fraction of Internet traffic. In the 1024-bit case, we estimate that such computations are plausible given nation-state resources, and a close reading of published NSA leaks shows that the agency’s attacks on VPNs are consistent with having achieved such a break. We conclude that moving to stronger key exchange methods should be a priority for the Internet community.
Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice
David Adrian, Karthikeyan Bhargavan, Zakir Durumeric, Pierrick Gaudry, Matthew Green, J. Alex Halderman, Nadia Heninger, Drew Springall, Emmanuel Thomé, Luke Valenta, Benjamin VanderSloot, Eric Wustrow, Santiago Zanella-Béguelin, and Paul Zimmermann
Proc. 22nd ACM Conference on Computer and Communications Security
CCS ’15, Denver, CO, October 2015
    title = {Imperfect Forward Secrecy: {H}ow {D}iffie-{H}ellman Fails
        in Practice},
    author = {David Adrian and Karthikeyan Bhargavan and Zakir Durumeric
        and Pierrick Gaudry and Matthew Green and J. Alex
        Halderman and Nadia Heninger and Drew Springall and
        Emmanuel Thom\'e and Luke Valenta and Benjamin
        VanderSloot and Eric Wustrow and Santiago
        Zanella-B\'eguelin and Paul Zimmermann},
    booktitle = {22nd ACM Conference on Computer and Communications Security},
    year = {2015},
    month = oct,

Security Analysis of the Estonian Internet Voting System

Estonia was the first country in the world to use Internet voting nationally, and today more than 30% of its ballots are cast online. In this paper, we analyze the security of the Estonian I-voting system based on a combination of in-person election observation, code review, and adversarial testing. Adopting a threat model that considers the advanced threats faced by a national election system—including dishonest insiders and state-sponsored attacks—we find that the I-voting system has serious architectural limitations and procedural gaps that potentially jeopardize the integrity of elections. In experimental attacks on a reproduction of the system, we demonstrate how such attackers could target the election servers or voters’ clients to alter election results or undermine the legitimacy of the system. Our findings illustrate the practical obstacles to Internet voting in the modern world, and they carry lessons for Estonia, for other countries considering adopting such systems, and for the security research community.
Security Analysis of the Estonian Internet Voting System
Drew Springall, Travis Finkenauer, Zakir Durumeric, Jason Kitcat, Harri Hursti, Margaret MacAlpine, and J. Alex Halderman
Proc. 21st ACM Conference on Computer and Communications Security
CCS ’14, Scottsdale, AZ, November 2014

    author = {Drew Springall and Travis Finkenauer and Zakir Durumeric and
        Jason Kitcat and Harri Hursti and Margaret MacAlpine and
        J. Alex Halderman},
    title = {Security Analysis of the {E}stonian {I}nternet Voting System},
    booktitle = {Proceedings of the 21st ACM Conference on Computer and
        Communications Security},
    year = {2014},
    month = nov,