Tag Archives: Oversight

Here it is: my book Securing Private Communications

After the publication of my Ph.D. thesis in November 2015, at long last my book ‘Securing Private Communications’ is available in stores near you.


You can order the book here, have a look at the marketing flyer here, download the full academic version for free here and read the odd spiffy testimonial below.

BREAKING :) abstract and download of my Ph.D. thesis ‘Securing Private Communications’ [open access]

The academic version of my thesis — titled ‘Securing Private Communications’ — is available online. I already committed it to the web in my previous blogpost on my public Ph.D. defense on 25 November 2015 (open to the public). But a friend of mine told me to once again post my abstract and download link for my thesis separately and make that clear in the title of the post. And make it BREAKING news. Ha! Here goes.

Join me for my public Ph.D. defense ceremony on 25/11 – 11am

My four-year research project ‘Securing Private Communications’ is coming to an end. A grande finale of sorts is my public defense ceremony on 25 November. The ceremony is open to the general public, and the venue is humongous, so you’re all very welcome to join me.

Third Column in Financieele Dagblad: Delta Plan for Online Privacy and Security

Last week my third column appeared in the Financieele Dagblad. With the piece I want to warn against overly high expectations of quick solutions after the Snowden revelations. The debate over the question that Senator Duthler recently asked in the Dutch Senate, ‘what have we gained from it?’, will after all flare up again at the end of this month. That is when Citizenfour, already the runaway favorite for a documentary Oscar, opens in Dutch cinemas, and together with Laura Poitras we follow Snowden closely for a year and a half. It is said to be brilliant.

My point is that lasting recovery of privacy and security after such a major disaster is a matter of years, not of quick fixes. Just like the Delta Works. I found it important to give that somewhat broader attention; otherwise frustration and resignation about the decay of privacy and security will be a much deeper, and perhaps irreparable, consequence. Fortunately, there are a number of slow but hopeful developments to report in that same Senate, the European courts and the markets, which are barely picked up by the media.

New Paper ‘Security Collapse in the HTTPS Market’ Downloaded 30.000 Times in 3 Weeks

With my supervisor Nico van Eijk and co-authors Hadi Asghari and Michel van Eeten at Delft University of Technology, I’ve published a centerpiece of my doctoral project in the Communications of the ACM: ‘Security Collapse in the HTTPS Market’ [link to pdf].

In three weeks, the new article has been downloaded over 30.000 times. I didn’t quite believe that number, but the folks at the ACM have actually confirmed it. Blows my mind, really. Has been covered in the media and on Reddit and Slashdot, which probably explains the download count. Visual artist Willow Brugh made a mesmerizing vizthink animation as a teaser to the article:

A.M. Arnbak, H. Asghari, M. van Eeten, N.A.N.M. van Eijk, Security Collapse in the HTTPS Market, Communications of the ACM, 2014-10, vol. 57, p. 47-55. Also published in: ACM Queue – Security, 2014-8, vol. 12.

From the abstract:

HTTPS (Hypertext Transfer Protocol Secure) has evolved into the de facto standard for secure Web browsing. However, widely reported security incidents – such as DigiNotar’s breach, Apple’s #gotofail, and OpenSSL’s Heartbleed – have exposed systemic security vulnerabilities of HTTPS to a global audience. The Edward Snowden revelations – notably around operation BULLRUN, MUSCULAR, and the lesser-known FLYING PIG program to query certificate metadata on a dragnet scale – have driven the point home that HTTPS is both a major target of government hacking and eavesdropping, as well as an effective measure against dragnet content surveillance when Internet traffic traverses global networks. HTTPS, in short, is an absolutely critical but fundamentally flawed cybersecurity technology.

To evaluate both legal and technological solutions to augment the security of HTTPS, our article argues that an understanding of the economic incentives of the stakeholders in the HTTPS ecosystem, most notably the CAs, is essential. We outline the systemic vulnerabilities of HTTPS, map the thriving market for certificates, and analyze the suggested regulatory and technological solutions on both sides of the Atlantic. Our findings show existing yet surprising market patterns and perverse incentives: not unlike the financial sector, the HTTPS market is full of information asymmetries and negative externalities, as a handful of CAs dominate the market and have become “too big to fail.” Unfortunately, proposed E.U. legislation will reinforce systemic vulnerabilities, and the proposed technological solutions that mostly originate in the U.S. are far from being adopted at scale. The systemic vulnerabilities in this crucial technology are likely to persist for years to come.