Privacy-enabling social networking over untrusted networks

Anderson, Jonathan; Díaz, Claudia; Bonneau, Joseph; Stajano, Frank

doi:10.1145/1592665.1592667

Cited by 59 publications

(35 citation statements)

References 12 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Vulnerabilities and implementation problems have been reported in the SDKs of OSNs [115], and security APIs have been proposed for OSNs [116]. Anderson et al focus on privacy in OSNs in general [117], Tarameshloo et al propose specific privacy policies for information sharing in OSNs [118], which is similar to our work on permission agreements (app-rights), and Ko et al also do research on this subject by studying the flows of private data between third-party applications and sites they connect to [119]. In a broader sense, Birrell and Schneider [64] have compared both existing and deprecated SSO solutions from a privacy perspective, similarly to our early work on authentication solutions.…”

Section: Factors In Third-party Authenticationmentioning

confidence: 99%

Web Authentication using Third-Parties in Untrusted Environments

Vapen

2016

Linköping Studies in Science and Technology. Dissertations

View full text Add to dashboard Cite

With the increasing personalization of the Web, many websites allow users to create their own personal accounts. This has resulted in Web users often having many accounts on different websites, to which they need to authenticate in order to gain access. Unfortunately, there are several security problems connected to the use and re-use of passwords, the most prevalent authentication method currently in use, including eavesdropping and replay attacks.Several alternative methods have been proposed to address these shortcomings, including the use of hardware authentication devices. However, these more secure authentication methods are often not adapted for mobile Web users who use different devices in different places and in untrusted environments, such as public Wi-Fi networks, to access their accounts.We have designed a method for comparing, evaluating and designing authentication solutions suitable for mobile users and untrusted environments. Our method leverages the fact that mobile users often bring their own cell phones, and also takes into account different levels of security adapted for different services on the Web.Another important trend in the authentication landscape is that an increasing number of websites use third-party authentication. This is a solution where users have an account on a single system, the identity provider, and this one account can then be used with multiple other websites. In addition to requiring fewer passwords, these services can also in some cases implement authentication with higher security than passwords can provide.How websites select their third-party identity providers has privacy and security implications for end users. To better understand the security and privacy risks with these services, we present a data collection methodology that we have used to identify and capture third-party authentication usage on the Web. We have also characterized the third-party authentication landscape based on our collected data, outlining which types of third-parties are used by which types of sites, and how usage differs across the world. Using a combination of large-scale crawling, longitudinal manual testing, and in-depth login tests, our characterization and analysis has also allowed us to discover interesting structural properties of the landscape, differences in the cross-site relationships, and how the use of third-party authentication is changing over time.Finally, we have also outlined what information is shared between websites in third-party authentication, defined risk classes based on shared data, and profiled privacy leakage risks associated with websites and their identity providers sharing data with each other. Our findings show how websites can strengthen the privacy of their users based on how these websites select and combine their third-parties and the data they allow to be shared. Populärvetenskaplig sammanfattningAllt fler människor tillbringar stora delar av sina liv på Internet för att arbeta, uträtta myndighetsärenden, sköta sin ekonomi och umgås med vänner...

show abstract

Section: Factors In Third-party Authenticationmentioning

confidence: 99%

Web Authentication using Third-Parties in Untrusted Environments

Vapen

2016

Linköping Studies in Science and Technology. Dissertations

View full text Add to dashboard Cite

show abstract

“…Other solutions require more radical changes to the system architecture while still relying on a centralized server for storing the data and guaranteeing its availability. In the proposal by Anderson et al [2] the central server is reduced to a data store to which users upload blocks of encrypted data containing their posts, pictures, friend lists, etc. As in the two previous examples, only authorized friends (who have the necessary decryption keys) are able to access the data.…”

Section: A Privacy As Protection From Surveillance and Interferencementioning

confidence: 99%

Two tales of privacy in online social networks

Gürses

Díaz

2013

IEEE Secur. Privacy

Self Cite

View full text Add to dashboard Cite

Abstract-Privacy is one of the friction points that emerges when communications get mediated in Online Social Networks (OSNs). Different communities of computer science researchers have framed the 'OSN privacy problem' as one of surveillance, institutional or social privacy. In tackling these problems they have also treated them as if they were independent. We argue that the different privacy problems are entangled and that research on privacy in OSNs would benefit from a more holistic approach. In this article, we first provide an introduction to the surveillance and social privacy perspectives emphasizing the narratives that inform them, as well as their assumptions, goals and methods. We then juxtapose the differences between these two approaches in order to understand their complementarity, and to identify potential integration challenges as well as research questions that so far have been left unanswered.

show abstract

“…A similar approach is described in [29], where authors propose a client-server model with untrusted server as a privacy-aware OSN architecture. In this work, the server is used as a public storage without any access control policy (it offers only simple put and get primitives).…”

Section: Privacy Solutions For Centralized Osnsmentioning

confidence: 99%