
An NDSS Newcomer's Perspective

[Editor’s Note: A limited number of student grants are available to help pay for travel, accommodations, and NDSS Symposium registration fees for full-time students attending the 24th annual Network and Distributed System Security (NDSS) Symposium. Watch the NDSS website for information and deadlines as the process opens for NDSS 2018 in February of next year. The following post is a guest contribution from one 2017 grantee.]

My name is Muhammad Talha Paracha, and I am an undergraduate Software Engineering student from National University of Sciences and Technology, Pakistan. I recently attended the Network and Distributed System Security (NDSS) Symposium 2017, on a fully funded student travel grant sponsored by Internet Society. Since it was my first international travel experience and my first conference, I enjoyed each and every bit of the trip.

There were two reasons I wanted to attend the conference: my interest in the areas of web & usable security and my goal to pursue a career in applied research. Last summer, I implemented an encryption module for Drupal (Pubkey Encrypt) as a part of the Google Summer of Code’16 program. Thus, I saw NDSS’17 as a place to interact with experts in the field and ask them for feedback on my project. On the other hand, the research culture here in Pakistan is non-existent, especially when it comes to the areas of security. So, I also wanted to get a taste of how it feels to be a part of a research community.

Indeed, meeting scholars from all around the world was the major highlight of my week. The first day of the conference, I was a bit uncertain about my communication skills. But the next two days, I made it a mission to talk to as many people as I could, and to try to initiate meaningful conversations instead of just small talk. As a result, I discussed grad school admissions and got some specific tips based on my profile with professors from CMU, Northeastern, Michigan etc. I engaged in discussions about life in industry with researchers from Microsoft, CISCO, RSA etc. And I identified some research groups I’d really love to work with in future.

I attended all the sessions and particularly enjoyed the one on web security, probably because I understood every talk in it. Though I will admit that in many other sessions, I found it easy to get lost. But that was expected given my limited knowledge in the areas of security. I think my takeaway from the sessions was internalizing the way research at a top-tier conference is presented.

Finally, I’ll add that visiting the States has been my dream for a very long time. Fortunately, everything in my trip went smoothly. I found everyone extremely pleasant to talk to, from the researchers at the symposium to the staff at recreational sites. The weather, the beaches, everything in the city seemed lovely. Maybe I was lucky to visit San Diego which, as per the locals, is the best city in California. Or maybe it’s just the “rosy retrospection” due to the short length of my trip. In any case, the US has left a perfect impression on me.

Thank you, Internet Society, for giving me the opportunity to attend NDSS’17. Without the grant, it would’ve been impossible for me to attend the event. I now aspire to come to NDSS’18 next year, not just as an attendee but as an author. And thank you Julie Rowland and Karen O’Donoghue for your liaison and assistance.

[Photo Credit: Tom Hutton]

DNS Privacy: Solutions emerging, but deployment lags

I recently attended the DNS Privacy Workshop colocated with this year’s NDSS 2017 in San Diego, California. DNS privacy has received considerable attention from researchers and engineers since the Snowden revelations of state-backed pervasive surveillance in 2013 and the workshop covered a lot of ground.

For some Internet users, anonymity is critically important, and a service like Tor exists to obfuscate the location and browsing habits of its users. Even Tor users need to resolve names using DNS, however (for non-hidden services), and they are then vulnerable to the exit relay operator’s DNS configuration. The addition of DNS data to existing attack techniques makes attacks more precise, especially for infrequently visited websites (e.g. dissident sites). Exit relay operators are therefore advised to run their own resolvers with QNAME minimisation. In the long term, adding confidentiality to DNS is necessary to prevent it being used as a vector for de-anonymisation of Tor users.

Curiously, Tor was also discussed as a potential solution to the problem of DNS recursive resolver logs falling into the wrong hands. Incorporating a micropayment solution to align incentives and using Tor to anonymise traffic could create a recursive resolution service that wouldn’t have the logging vulnerability problems we see today. Latency of such a service would, however, be an issue in many cases, which brings me to my next point.

There is a critical tension between contemporary uses of the DNS to provide resilient and low-latency services and the desire for greater privacy. Most DNS TTLs of the Alexa top 500 are less than 20 minutes. TTLs of 20 minutes make caching solutions and tools like Namecoin effectively impractical for popular sites. One suggestion is to download large caches of DNS data from relatively anonymous locations (libraries, coffee shops, etc.) and then use those when in more privacy-vulnerable locations, e.g. at home. However, within a two-week window one third of A records (and nearly two thirds of AAAA records … go figure) for the Alexa top 500 have changed, so this approach, while certainly possible, has clear limitations.

While DNS privacy seems like an unambiguously good thing, greater confidentiality of DNS traffic will impact researchers and service providers that rely on passive collection of DNS information. Codifying anonymisation and data access practices may help here.

Workshop participants heard concerns about the pace with which the technical building blocks for adding confidentiality to DNS, namely DNS-over-TLS, are being adopted. However, we should remember that DNS-over-TLS was only standardized 9 months ago in RFC 7858.

In addition to addressing the implementation and deployment challenge, the DNS community needs to heed the lessons about usable security that have been learned, e.g. from HTTP(S) security indicators and SSL Certificate warnings. In order for DNS privacy solutions to become pervasive, addressing the usability challenge is essential. It may be that the emerging solutions to the DNS privacy problem are not sufficiently baked or too hot off the press to expect much deployment to have taken place, or a stronger effort to evangelise the availability of new tools may be necessary.

The workshop also considered a detailed analysis of padding DNS queries and responses (padding encrypted DNS messages makes it harder to apply size-based correlation with known unencrypted messages), securing DNS Service Discovery, and a detailed analysis of the tradeoffs between the numerous authentication mechanisms for DNS privacy enabling recursive resolvers.
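To make the size-correlation point concrete, here is an added example (not code from the workshop or from any project mentioned in this post) that builds DNS queries in wire format with and without the EDNS(0) Padding option of RFC 7830. The 128-byte block size and the sample names are assumptions chosen for the illustration.

```python
import struct

PADDING_OPTION = 12   # EDNS(0) Padding option code, RFC 7830
BLOCK = 128           # block size chosen for this sketch (an assumption)

def encode_qname(name):
    """Encode a domain name as length-prefixed labels ending in a zero byte."""
    wire = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        wire += bytes([len(raw)]) + raw
    return wire + b"\x00"

def opt_record(options=b""):
    """EDNS(0) OPT pseudo-record: root name, type 41, 4096-byte UDP size."""
    return b"\x00" + struct.pack("!HHIH", 41, 4096, 0, len(options)) + options

def build_query(name, block=None):
    """Build an A query; if block is set, pad the message to a multiple of it."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 1)  # RD=1, 1 question, 1 OPT
    question = encode_qname(name) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    if block is None:
        return header + question + opt_record()
    # The padding option itself costs 4 bytes (code + length) before its zeros.
    unpadded_len = len(header) + len(question) + len(opt_record()) + 4
    fill = (-unpadded_len) % block
    padding = struct.pack("!HH", PADDING_OPTION, fill) + b"\x00" * fill
    return header + question + opt_record(padding)

def message_sizes(names, block=None):
    """Map each name to the message size an on-path observer would see."""
    return {name: len(build_query(name, block)) for name in names}

# Constructed sample names, not taken from the workshop material.
SAMPLE_NAMES = ["a.org", "example.com",
                "very-long-subdomain-label.dissident-site.example"]

if __name__ == "__main__":
    print("unpadded:", message_sizes(SAMPLE_NAMES))
    print("padded:  ", message_sizes(SAMPLE_NAMES, BLOCK))
```

Without padding, each name yields a distinct message length that survives encryption; with padding, all three fall into the same size bucket.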

The workshop concluded with breakouts creating content for the workshop report including conclusions, recognised challenges and research agenda recommendations. A full report of the workshop will be available in due course.

Slides from the workshop are available and audio should also be available soon. The DNS Privacy Project pages provide extensive further reading and details regarding available implementations of servers and clients supporting DNS-over-TLS.


Usable Security Highlighted at NDSS 2017

A number of seminal papers appeared towards the end of the 20th century calling for more attention to be paid to the human in the security loop. For example, Anne Adams and Angela Sasse’s “Users are not the Enemy” and Mark Ackerman and Lorrie Cranor’s “Privacy critics: UI components to safeguard users’ privacy.” The research field of Usable Security was thereby launched, and quickly garnered interest amongst academics and in industry. Almost two decades later this field has achieved independent status with a number of conferences and workshops being dedicated to this research field. USEC is a proud member of these bespoke conferences, rubbing shoulders with SOUPS, EuroUSEC and STAST. Other international conferences, such as CHI, HICSS and IEEE S&P, have strands dedicated to usable security, demonstrating a growing recognition of this field as a serious research endeavour.

Just before NDSS 2017 this year, we’ll hold the sixth USEC workshop/mini-conference, and it is starting to exhibit signs of maturity. This year we received an unprecedented 58 submissions, a gratifying confirmation of the growing number of researchers working in the field, all doing great research and wanting to share it with others. It also means that USEC, as a workshop, is firmly on the map, being deemed a worthy venue for publishing and presenting valuable research results.

Unlike the situation in the 20th century, we no longer have to convince anyone of the importance of the human in the security loop. Hardly a day goes by that the newspapers do not carry a report about a successful hack, and many of these are facilitated by the humans who own and use the computers that have been hacked, either deliberately or inadvertently. Much of the research in this area works to help users to understand security and privacy concepts, to help them to gain the skills to repel the efforts of myriad hackers and to provide end users with tools to bolster their personal and organisational security more effectively.

The papers we accepted for USEC 2017 fall into three rough groups. The first is authentication. Any conference of this kind receives a number of authentication-related papers. This is not unusual since this is the point where end-users and security are guaranteed to meet. This is the space that causes both security professionals and end-users a great deal of pain. The second group of papers addresses perceptions – contemplating how people perceive security and privacy aspects of systems. The final group addresses new topics in the research area – perhaps we can refer to these as stretch papers.

We’re looking forward to an excellent workshop, with much to discuss, think about and explore in future research. Above all, this is a great opportunity to make new friends, catch up with old ones and enjoy the wonderful San Diego weather.

The USEC workshop depends on the highly-valued contributions of our sterling Programme Committee, who do the reviewing without remuneration. We extend our heartfelt thanks to them. We also thank our Steering Committee: Angela Sasse, Jean Camp, Jim Blythe, Matthew Smith and Andrew Adams, for their guidance and assistance.


NDSS 2017 is Coming into Focus

The Network and Distributed System Security Symposium (NDSS 2017) is just around the corner (26 February – 1 March), and details of the program are quickly coming into focus. The full slate of activities includes two keynotes, two workshops, and a full program of excellent peer-reviewed academic research papers.

The Monday keynote speaker, J. Alex Halderman, is a Professor of Computer Science and Engineering at the University of Michigan and Director of Michigan’s Center for Computer Security and Society. In his keynote, “Recount 2016: A Security Audit of the Presidential Election”, he will be talking about electronic voting and his recent experience with recounts from the 2016 presidential election. He will explain how the recounts took place, what was learned, and what needs to change in the future. He will highlight the risks and opportunities associated with computerized voting.

The Wednesday keynote will feature Trent Adams, the Director of Information Security for PayPal, leading the Ecosystem Security team. In his keynote, “Securing the Ecosystem – Collaborating Inside and Out”, he will be talking about all the various approaches that PayPal takes to ensure the security of their systems and the information that those systems contain. He will highlight external collaborations with various organizations to help define standards and best operating procedures for security. This keynote will highlight PayPal’s Ecosystem Security approach including some success stories and next steps.

The main program of NDSS 2017 contains 68 high quality peer-reviewed research papers organized into 15 sessions spread over three days. A poster session will feature roughly 20 posters highlighting new and emerging work in its early stages.

Finally, NDSS 2017 will feature two workshops on the Sunday before the main symposium begins. The first workshop, Usable Security (USEC), is another in a series of Usable Security workshops held in conjunction with NDSS. This year’s USEC Mini-Conference will feature two keynotes, 11 peer-reviewed papers, and a panel discussion.

The second workshop, DNS Privacy, will bring together a mixture of research from a number of sources for a focused working session on the topic. The final programme is still under development, but this workshop promises to be an interactive working session involving a number of key researchers, developers, and implementers in this space.

All in all, I am excited by the development of the program, and I hope to see many of you in San Diego in a few weeks! You can also follow along via our social media channels – Twitter, Facebook, and LinkedIn, or search/post using #NDSS17.


NDSS 2017 Deadlines Approaching

NDSS 2017 is almost here! The Network and Distributed System Security Symposium (NDSS) fosters information exchange among researchers and practitioners of network and distributed system security. The target audience includes those interested in practical aspects of network and distributed system security, with a focus on actual system design and implementation. NDSS 2017 takes place February 26 through March 1, 2017, at Catamaran Resort Hotel & Spa in San Diego, California.

Here are some upcoming deadlines you should know about:

The List of Accepted Papers is online now, with a full schedule coming soon. There are also two workshops happening, one on DNS Privacy and the other on Usable Security.

NDSS brings together leaders in cybersecurity – university researchers and educators, chief technology and privacy officers, security analysts and system administrators, and operations and security managers – to encourage and enable the Internet community to apply, deploy, and advance the state of available network and distributed system security technology. In order to have the greatest impact, peer reviewed papers are freely available and reproducible (for noncommercial purposes).

I hope you will be able to join us in San Diego next month for what promises to be an exciting and educational event!



NDSS 2017: Call for Papers Opens for Internet Security Researchers and Practitioners

Want to help enable the Internet community to apply, deploy, and advance the state of available security technologies? Interested in the practical aspects of network and distributed system security? The Call for Papers is now open for Network and Distributed System Security (NDSS) Symposium 2017!

Important Dates

  • 12 August 2016: Paper titles and abstracts due
  • 16 August 2016: Full submissions for technical papers and panels due
  • 20 September 2016 (tentative): Early notification for submissions rejected in the first round
  • 22 October 2016 (tentative): Final notification of acceptance

All submissions will be reviewed by the Program Committee and accepted submissions will be published by the Internet Society in the Proceedings of NDSS 2017. The Proceedings will be made freely accessible from the Internet Society webpages.

NDSS 2017 will be held February 26 through March 1, 2017, at Catamaran Resort Hotel & Spa in San Diego, California. NDSS fosters information exchange among researchers and practitioners of network and distributed system security. The target audience includes those interested in practical aspects of network and distributed system security, with a focus on actual system design and implementation.

Read the full Call for Papers for more information on how to proceed.