-
Virtual Fidgets: Opportunities and Design Principles for Bringing Fidgeting to Online Learning
Authors:
Sam Ross,
Nicole Sullivan,
**a Yoon
Abstract:
We present design guidelines for incorporating fidgeting into the virtual world as a tool for students in online lectures. Fidgeting is associated with increased attention and self-regulation, and has the potential to help students focus. Currently there are no fidgets, physical or virtual, designed for preserving attention specifically in online learning environments, and no heuristics for design…
▽ More
We present design guidelines for incorporating fidgeting into the virtual world as a tool for students in online lectures. Fidgeting is associated with increased attention and self-regulation, and has the potential to help students focus. Currently there are no fidgets, physical or virtual, designed for preserving attention specifically in online learning environments, and no heuristics for designing fidgets within this domain. We identify three virtual fidget proxies to serve as design probes for studying student experiences with virtual fidgeting. Through a study of eight students using our virtual fidget proxies in online lectures, we identify eight emergent themes that encompass student experience with virtual fidgeting in lectures. Based on these themes, we present four principles for designing domain-specific virtual fidgets for online lectures. We identify that virtual fidgets for lectures should be context-aware, visually appealing, easy to adopt, and physically interactive.
△ Less
Submitted 18 April, 2023;
originally announced April 2023.
-
You get PADDING, everybody gets PADDING! You get privacy? Evaluating practical QUIC website fingerprinting protections for the masses
Authors:
Sandra Siby,
Ludovic Barman,
Christopher Wood,
Marwan Fayed,
Nick Sullivan,
Carmela Troncoso
Abstract:
Website fingerprinting (WF) is a well-know threat to users' web privacy. New internet standards, such as QUIC, include padding to support defenses against WF. Previous work only analyzes the effectiveness of defenses when users are behind a VPN. Yet, this is not how most users browse the Internet. In this paper, we provide a comprehensive evaluation of QUIC-padding-based defenses against WF when u…
▽ More
Website fingerprinting (WF) is a well-know threat to users' web privacy. New internet standards, such as QUIC, include padding to support defenses against WF. Previous work only analyzes the effectiveness of defenses when users are behind a VPN. Yet, this is not how most users browse the Internet. In this paper, we provide a comprehensive evaluation of QUIC-padding-based defenses against WF when users directly browse the web. We confirm previous claims that network-layer padding cannot provide good protection against powerful adversaries capable of observing all traffic traces. We further demonstrate that such padding is ineffective even against adversaries with constraints on traffic visibility and processing power. At the application layer, we show that defenses need to be deployed by both first and third parties, and that they can only thwart traffic analysis in limited situations. We identify challenges to deploy effective WF defenses and provide recommendations to address them.
△ Less
Submitted 15 December, 2022; v1 submitted 15 March, 2022;
originally announced March 2022.
-
Might I Get Pwned: A Second Generation Compromised Credential Checking Service
Authors:
Bijeeta Pal,
Mazharul Islam,
Marina Sanusi,
Nick Sullivan,
Luke Valenta,
Tara Whalen,
Christopher Wood,
Thomas Ristenpart,
Rahul Chattejee
Abstract:
Credential stuffing attacks use stolen passwords to log into victim accounts. To defend against these attacks, recently deployed compromised credential checking (C3) services provide APIs that help users and companies check whether a username, password pair is exposed. These services however only check if the exact password is leaked, and therefore do not mitigate credential tweaking attacks - att…
▽ More
Credential stuffing attacks use stolen passwords to log into victim accounts. To defend against these attacks, recently deployed compromised credential checking (C3) services provide APIs that help users and companies check whether a username, password pair is exposed. These services however only check if the exact password is leaked, and therefore do not mitigate credential tweaking attacks - attempts to compromise a user account with variants of a user's leaked passwords. Recent work has shown credential tweaking attacks can compromise accounts quite effectively even when the credential stuffing countermeasures are in place. We initiate work on C3 services that protect users from credential tweaking attacks. The core underlying challenge is how to identify passwords that are similar to their leaked passwords while preserving honest clients' privacy and also preventing malicious clients from extracting breach data from the service. We formalize the problem and explore ways to measure password similarity that balance efficacy, performance, and security. Based on this study, we design "Might I Get Pwned" (MIGP), a new kind of breach alerting service. Our simulations show that MIGP reduces the efficacy of state-of-the-art 1000-guess credential tweaking attacks by 94%. MIGP preserves user privacy and limits potential exposure of sensitive breach entries. We show that the protocol is fast, with response time close to existing C3 services. We worked with Cloudflare to deploy MIGP in practice.
△ Less
Submitted 18 March, 2022; v1 submitted 29 September, 2021;
originally announced September 2021.
-
Oblivious DNS over HTTPS (ODoH): A Practical Privacy Enhancement to DNS
Authors:
Sudheesh Singanamalla,
Suphanat Chunhapanya,
Marek VavruĊĦa,
Tanya Verma,
Peter Wu,
Marwan Fayed,
Kurtis Heimerl,
Nick Sullivan,
Christopher Wood
Abstract:
The Domain Name System (DNS) is the foundation of a human-usable Internet, responding to client queries for host-names with corresponding IP addresses and records. Traditional DNS is also unencrypted, and leaks user information to network operators. Recent efforts to secure DNS using DNS over TLS (DoT) and DNS over HTTPS (DoH) have been gaining traction, ostensibly protecting traffic and hiding co…
▽ More
The Domain Name System (DNS) is the foundation of a human-usable Internet, responding to client queries for host-names with corresponding IP addresses and records. Traditional DNS is also unencrypted, and leaks user information to network operators. Recent efforts to secure DNS using DNS over TLS (DoT) and DNS over HTTPS (DoH) have been gaining traction, ostensibly protecting traffic and hiding content from on-lookers. However, one of the criticisms of DoT and DoH is brought to bear by the small number of large-scale deployments (e.g., Comcast, Google, Cloudflare): DNS resolvers can associate query contents with client identities in the form of IP addresses. Oblivious DNS over HTTPS(ODoH) safeguards against this problem. In this paper we ask what it would take to make ODoH practical? We describe ODoH, a practical DNS protocol aimed at resolving this issue by both protecting the client's content and identity. We implement and deploy the protocol, and perform measurements to show that ODoH has comparable performance to protocols like DoH and DoT which are gaining widespread adoption, while improving client privacy, making ODoH a practical privacy enhancing replacement for the usage of DNS.
△ Less
Submitted 19 November, 2020;
originally announced November 2020.
-
Protocols for Checking Compromised Credentials
Authors:
Lucy Li,
Bijeeta Pal,
Junade Ali,
Nick Sullivan,
Rahul Chatterjee,
Thomas Ristenpart
Abstract:
To prevent credential stuffing attacks, industry best practice now proactively checks if user credentials are present in known data breaches. Recently, some web services, such as HaveIBeenPwned (HIBP) and Google Password Checkup (GPC), have started providing APIs to check for breached passwords. We refer to such services as compromised credential checking (C3) services. We give the first formal de…
▽ More
To prevent credential stuffing attacks, industry best practice now proactively checks if user credentials are present in known data breaches. Recently, some web services, such as HaveIBeenPwned (HIBP) and Google Password Checkup (GPC), have started providing APIs to check for breached passwords. We refer to such services as compromised credential checking (C3) services. We give the first formal description of C3 services, detailing different settings and operational requirements, and we give relevant threat models.
One key security requirement is the secrecy of a user's passwords that are being checked. Current widely deployed C3 services have the user share a small prefix of a hash computed over the user's password. We provide a framework for empirically analyzing the leakage of such protocols, showing that in some contexts knowing the hash prefixes leads to a 12x increase in the efficacy of remote guessing attacks. We propose two new protocols that provide stronger protection for users' passwords, implement them, and show experimentally that they remain practical to deploy.
△ Less
Submitted 4 September, 2019; v1 submitted 31 May, 2019;
originally announced May 2019.