Matthias Wachs scite author profile

Matthias Wachs

5Publications

91Citation Statements Received

78Citation Statements Given

How they've been cited

119

How they cite others

Affiliations

Chemnitz University of Technology, Technical University of Munich, Karlsruhe Institute of Technology

Publications

Order By: Most citations

TLS in the Wild: An Internet-wide Analysis of TLS-based Protocols for Electronic Communication

Holz

Amann

Mehani

et al. 2016

View full text Add to dashboard Cite

Email and chat still constitute the majority of electronic communication on the Internet. The standardisation and acceptance of protocols such as SMTP, IMAP, POP3, XMPP, and IRC has allowed to deploy servers for email and chat in a decentralised and interoperable fashion. These protocols can be secured by providing encryption with TLS-directly or via the STARTTLS extension. X.509 PKIs and ad hoc methods can be leveraged to authenticate communication peers. However, secure configuration is not straight-forward and many combinations of encryption and authentication mechanisms lead to insecure deployments and potentially compromise of data in transit. In this paper, we present the largest study to date that investigates the security of our email and chat infrastructures. We used active Internet-wide scans to determine the amount of secure service deployments, and employed passive monitoring to investigate to which degree user agents actually choose secure mechanisms for their communication. We addressed both client-to-server interactions as well as server-to-server forwarding. Apart from the authentication and encryption mechanisms that the investigated protocols offer on the transport layer, we also investigated the methods for client authentication in use on the application layer. Our findings shed light on an insofar unexplored area of the Internet. Our results, in a nutshell, are a mix of both positive and negative findings. While large providers offer good security for their users, most of our communication is poorly secured in transit, with weaknesses in the cryptographic setup and especially in the choice of authentication mechanisms. We present a list of actionable changes to improve the situation.

show abstract

A Censorship-Resistant, Privacy-Enhancing and Fully Decentralized Name System

Wachs

Schanzenbach

Grothoff

2014

View full text Add to dashboard Cite

On the Feasibility of a Censorship Resistant Decentralized Name System

Wachs

Schanzenbach

Grothoff

2014

View full text Add to dashboard Cite

Abstract. A central problem on the Internet today is that key infrastructure for security is concentrated in a few places. This is particularly true in the areas of naming and public key infrastructure. Secret services and other government organizations can use this fact to block access to information or monitor communications. One of the most popular and easy to perform techniques is to make information on the Web inaccessible by censoring or manipulating the Domain Name System (DNS). With the introduction of DNSSEC, the DNS is furthermore posed to become an alternative PKI to the failing X.509 CA system, further cementing the power of those in charge of operating DNS. This paper maps the design space and gives design requirements for censorship resistant name systems. We survey the existing range of ideas for the realization of such a system and discuss the challenges these systems have to overcome in practice. Finally, we present the results from a survey on browser usage, which supports the idea that delegation should be a key ingredient in any censorship resistant name system.

show abstract

Achieving Reproducible Network Environments with INSALATA

Herold

Wachs

Dorfhuber

et al. 2017

View full text Add to dashboard Cite

Abstract. Analyzing network environments for security flaws and assessing new service and infrastructure configurations in general are dangerous and error-prone when done in operational networks. Therefore, cloning such networks into a dedicated test environment is beneficial for comprehensive testing and analysis without impacting the operational network. To automate this reproduction of a network environment in a physical or virtualized testbed, several key features are required: (a) a suitable network model to describe network environments, (b) an automated acquisition process to instantiate this model for the respective network environment, and (c) an automated setup process to deploy the instance to the testbed.With this work, we present INSALATA, an automated and extensible framework to reproduce physical or virtualized network environments in network testbeds. INSALATA employs a modular approach for data acquisition and deployment, resolves interdependencies in the setup process, and supports just-in-time reproduction of network environments. INSALATA is open source and available on Github. To highlight its applicability, we present a real world case study utilizing INSALATA.

show abstract

Push away your privacy: Precise user tracking based on TLS client certificate authentication

Wachs

Scheitle

Carle

2017

View full text Add to dashboard Cite

scite is a Brooklyn-based organization that helps researchers better discover and understand research articles through Smart Citations–citations that display the context of the citation and describe whether the article provides supporting or contrasting evidence. scite is used by students and researchers from around the world and is funded in part by the National Science Foundation and the National Institute on Drug Abuse of the National Institutes of Health.

Contact Info

hi@scite.ai

10624 S. Eastern Ave., Ste. A-614

Henderson, NV 89052, USA

Blog Terms and Conditions API Terms Privacy Policy Contact Cookie Preferences Do Not Sell or Share My Personal Information

Made with 💙 for researchers

Part of the Research Solutions Family.

Matthias Wachs

TLS in the Wild: An Internet-wide Analysis of TLS-based Protocols for Electronic Communication

A Censorship-Resistant, Privacy-Enhancing and Fully Decentralized Name System

On the Feasibility of a Censorship Resistant Decentralized Name System

Achieving Reproducible Network Environments with INSALATA

Push away your privacy: Precise user tracking based on TLS client certificate authentication

Contact Info

Product

Resources

About