5 research outputs found

    Assessing the Privacy Benefits of Domain Name Encryption

    As Internet users have become more savvy about the potential for their Internet communication to be observed, the use of network traffic encryption technologies (e.g., HTTPS/TLS) is on the rise. However, even when encryption is enabled, users leak information about the domains they visit via DNS queries and via the Server Name Indication (SNI) extension of TLS. Two recent proposals to ameliorate this issue are DNS over HTTPS/TLS (DoH/DoT) and Encrypted SNI (ESNI). In this paper we aim to assess the privacy benefits of these proposals by considering the relationship between hostnames and IP addresses, the latter of which are still exposed. We perform DNS queries from nine vantage points around the globe to characterize this relationship. We quantify the privacy gain offered by ESNI for different hosting and CDN providers using two different metrics, the k-anonymity degree due to co-hosting and the dynamics of IP address changes. We find that 20% of the domains studied will not gain any privacy benefit since they have a one-to-one mapping between their hostname and IP address. On the other hand, 30% will gain a significant privacy benefit with a k value greater than 100, since these domains are co-hosted with more than 100 other domains. Domains whose visitors' privacy will meaningfully improve are far less popular, while for popular domains the benefit is not significant. Analyzing the dynamics of IP addresses of long-lived domains, we find that only 7.7% of them change their hosting IP addresses on a daily basis. We conclude by discussing potential approaches for website owners and hosting/CDN providers for maximizing the privacy benefits of ESNI.
    Comment: In Proceedings of the 15th ACM Asia Conference on Computer and Communications Security (ASIA CCS '20), October 5-9, 2020, Taipei, Taiwan

    Measuring and Analyzing Typosquatting Toward Fighting Abusive Domain Registrations

    No full text
    Inexpensive and simple domain name registrations foster a wide variety of abuse. One of the most common abusive registration practices is typosquatting, where typosquatters register misspelled variants of existing domain names to profit from users' typing mistakes. Making the matter worse, typosquatters frequently rely on advertisement networks to monetize user traffic, often exposing users to malicious and illicit content. Leveraging multifaceted large-scale measurement infrastructures, we demonstrate in this dissertation that typosquatting is a widespread issue which plays an important role in concert with other illicit traffic sources in exposing users to malice. Based on our measurement studies, we show how we can develop detection tools and leverage registration policies to reduce typosquatting and other abusive domain registrations. Supporting our assertions about the extent and abuse of typosquatting, we design and implement three measurement infrastructures that lead to novel findings about typosquatting and related malicious domain registrations. First, to understand the extent of typosquatting, we study typosquatters who target less popular domain names. We find millions of typosquatting domains missed by previous research. Building on our findings, we create a classifier which can decide if a potentially typosquatting domain name is truly typosquatting or if it is just accidentally close to a target domain. Second, we study how typosquatters send users to advertisement networks for profit. To gain a deeper understanding of the advertisement infrastructure redirecting users to malicious landing pages, we build a system that can emulate different types of users, can understand cloaking and blocking behavior, and can reconstruct redirection chains. We find that typosquatters often share monetization strategies with ad-based URL shortening services and illicit movie streaming sites by redirecting users to the same malevolent landing pages. We also observe that miscreants differentiate users based on the device used and that using too few IP addresses can significantly decrease the number of abusive pages discovered. We develop a classifier, not specific to typosquatting and based only on features related to the redirection chain traversed by users, that can be leveraged to show warnings to users when a redirection is likely dangerous. Furthermore, as DNS abuse is not specific to the HTTP protocol, we study how users' private emails are exposed to typosquatters. We find that 1,211 typosquatting domains receive in the vicinity of 800,000 emails per year and that millions of registered typosquatting domains have MX records pointing to only a handful of mail servers, potentially enabling the collection of emails on a larger scale. Finally, we develop a policy analysis framework based on the domain registration ecosystem, finding that domain registration policies could have an essential role in complementing current detection-based approaches to fight typosquatting and malicious domain registrations.