Category Archives: web security

Investigation of Phishing Avoidance

phishing_studyThis paper reports on a design and development of a mobile game prototype as an educational tool helping computer users to protect themselves against phishing attacks. The elements of a game design framework for avoiding phishing attacks were used to address the game design issues. Our mobile game design aimed to enhance the users’ avoidance behaviour through motivation to protect themselves against phishing threats. Continue reading

Final Report on Internet Voting

final reportAfter about 18 months of work, the Internet Voting Panel I served on has released its final report on February 12 and
submitted it to the Legislative Assembly of British Columbia. The report contains the panel’s conclusions and recommendations, and summarizes the benefits and challenges of implementing Internet voting for provincial or local government elections in B.C. On October 23, 2013 the panel published a Preliminary Report for a six-week public comment period, ending on December 4, 2013.  The panel reviewed the commentary, including additional submissions from experts, academics and vendors in the Internet voting community. The report can be found on the panel’s web site.


San-Tsai Sun defends his Ph.D. dissertation on Web Single Sign-On Systems and graduates

San-TsaiMy Ph.D. student San-Tsai Sun has successfully defended and submitted the final version of his thesis “Towards Improving the Usability and Security of Web Single Sign-On Systems.” He’s moving back to industry, where he will be applying his expertise in web security to real-world systems. Congratulations to San-Tsai on very successful completion of the Ph.D. program, with many quality publications.

What research do I really do?

My department has made a short introductory video-clip about my research group LERSSE. For those who won’t read papers but still want to get an idea about what kind of research my graduate students do, just sit back and enjoy this 3-minute long summary.

Project Presentations at Graduate Course in Security


Students in my graduate course on computer security are presenting their term papers on April 10. The topics vary from evaluation of Sybil detection mechanisms to detection of DDoS attacks on grid clusters. This mini-conference is open to public.

The Impact of Password Meters on Password Selection

Password meters tell users whether their passwords are “weak” or “strong.” In this paper, we report on a laboratory experiment to examine whether these meters influenced users’ password selections when they were forced to change their real passwords, and when they were not told that their passwords were the subject of a study. We observed that the presence of meters yielded significantly stronger passwords. We then performed a followup field experiment to test a different scenario: creating a password for an unimportant account. In this scenario, we found that the meters made no observable difference: participants simply reused weak passwords that they used to protect similar low-risk accounts. We conclude that meters result in stronger passwords when users are forced to change existing passwords on “important” accounts and that individual meter design decisions likely have a marginal impact.

More details are in the paper, which will be presented at CHI ’13 held April 27-May 3.

Independent Panel on Internet Voting in British Columbia

I’ve been invited to serve on the independent panel on Internet voting appointed by Elections B.C.. Other members of the panel are Keith Archer (chair), Chief electoral officer; Lee-Ann Crane, chief administrative officer for the East Kootenay Regional District; Valerie King, professor in the department of computer science at the University of Victoria; and George Morfitt, former auditor general of B.C.

Additional information is available in the corresponding press release.

The Devil is in (Implementation) Details

It’s hard to get a security protocol right. It seems even harder to get its implementations right, even more so when millions use it on daily basis. LERSSE’s Sun-Tsai will present at ACM CCS this October several critical vulnerabilities he has uncovered in implementation of OAuth 2.0, used by Facebook, Microsoft, Google, and many other identity providers and relying parties. These vulnerabilities allow an attacker to gain unauthorized access to the victim user’s profile and social graph, and impersonate the victim on the RP website. Continue reading

Systematically breaking and fixing OpenID security

Do you use OpenID? I bet you do, even if you don’t know this. OpenID 2.0 is a user-centric Web single sign-on protocol with over one billion OpenID-enabled user accounts, and tens of thousands of supporting websites. Well, the security of this protocol is clearly critical! Yet, its security analysis has only been done so far  in a partial and ad-hoc manner. LERSSE Ph.D. candidate San-Tsai Sun performed a systematic analysis of the protocol using both formal model checking and an empirical evaluation of 132 popular websites that support OpenID. Continue reading

Towards Usable Web Single Sign-On

Steps for SSO user experience with the proposed IDeB browser

OpenID is an open and promising Web single sign-on (SSO) solution. The research led by my Ph.D. student San-Tsai Sun investigates the challenges and concerns web users face when using OpenID for authentication, and identifies what changes in the login flow could improve the users’ experience and adoption incentives. Continue reading