Hello! I'm a software engineer and manager on Chrome's network security team. I work on supporting the HTTPS ecosystem (encouraging HTTPS adoption, Certificate Transparency, HSTS, "lookalike" warnings, revocation, and other WebPKI stuff). I also consult with product teams on usable security and privacy, and serve with Chrome's Vulnerability Rewards Program.
When not at work, I like to spend time with my spouse and our dog, a white Boxer with boundless energy for games of tug.
You can reach out to me via email (web@bogus DOTjoedeblasio.com).
Before working on Chrome, I received a PhD in July 2018 in the sysnet and cryptosec groups at UC San Diego. My work focused on network security/privacy measurement with a particular emphasis on fraud and abuse. I was advised by Alex Snoeren, with considerable help from Geoff Voelker and Stefan Savage. Learn more about our group's work at the Center for Evidence-based Security Research (CESR).
Before that, I was at the inimitable Harvey Mudd College.
Certificate authorities play a crucial role in the web ecosystem by issuing TLS certificates. These authorities may misissue certificates or suffer misuse attacks, however, which has given rise to the Certificate Transparency (CT) project. The goal of CT is to store all issued certificates in public logs, which can then be checked for the presence of potentially misissued certificates. Thus, the requirement that a given certificate is indeed in one (or several) of these logs lies at the core of CT. In its current deployment, however, most individual clients do not check that the certificates they see are in logs, as requesting a proof of inclusion directly reveals the certificate and thus creates the clear potential for a violation of that client’s privacy. In this paper, we explore the techniques that have been proposed for privacy-preserving auditing of certificate inclusion, focusing on their effectiveness, efficiency, and suitability in a near-term deployment. In doing so, we also explore the parallels with related problems involving browser clients. Guided by a set of constraints that we develop, we ultimately observe several key limitations in many proposals, ranging from their privacy provisions to the fact that they focus on the interaction between a client and a log but leave open the question of how a client could privately report any certificates that are missing.
Certificate Transparency is a maturing system to provide visibility into the certificates that are issued as part of the web’s public key infrastructure. In this article, we survey the history of Certificate Transparency deployment so far and discuss ongoing engineering and research challenges.
While phishing detection, risk analysis, and two-factor authentication help stem large-scale hijackings, targeted attacks remain a potent threat not fully addressed by current account protections. "Hack for hire" services make targeted attacks against anyone available for a few hundred dollars. Posing as buyers, we hired several of these services to attack synthetic (though realistic) identities we controlled. We categorize their methods and the state of the market in general.
Though users increasingly rely on commercial VPN services to preserve online privacy, circumvent censorship, and access geo-filtered content, they lack a strong method for evaluating the privacy and security claims made by VPN providers. We designed an active measurement system to test many of security and privacy properties, analyzed 62 commercial providers and find deceptive practices in at least 10\% of the providers studied.
* Co-authors Khan and DeBlasio contributed equally to the work.
Tripwire is a method for detecting website compromises as an unprivileged third-party using externally-visible side effects. Our proof-of-concept implementation exposed previously-unknown compromises impacting more than 100 million users.
This work explored search advertiser fraud on Microsoft's Bing search engine, characterizing the scale of fraud, the targeting and bidding behavior of fraudsters, and how those fraudsters impact legitimate advertisers in the ecosystem.