Joe DeBlasio

Like every self-respecting quasi-academic, this photo is more than 10 years old.


Hello! I'm a software engineer and manager on Chrome's network security team. I work on supporting the HTTPS ecosystem (encouraging HTTPS adoption, CT, HSTS, "lookalike" warnings, and other WebPKI stuff), as well as usable security and Chrome's Vulnerability Rewards Program.

When not at work, I like to spend time with my fiancée and our dog, a white Boxer with boundless energy for games of tug.

Prior to Google, I received a PhD in July 2018 in the sysnet and cryptosec groups at UC San Diego. My work focused on network security/privacy measurement with a particular emphasis on fraud and abuse. I was advised by Alex Snoeren, with considerable help from Geoff Voelker and Stefan Savage. Learn more about our group's work at the Center for Evidence-based Security Research (CESR).

Before that, I was at the inimitable Harvey Mudd College.

You can reach out to me via email ( or Twitter (@deblasioj)


Hack for Hire: Exploring the Emerging Market for Account Hijacking
Ariana Mirian, Joe DeBlasio, Stefan Savage, Geoffrey M. Voelker, Alex C. Snoeren, and Kurt Thomas,
The Web Conference, May 2019

While phishing detection, risk analysis, and two-factor authentication help stem large-scale hijackings, targeted attacks remain a potent threat not fully addressed by current account protections. "Hack for hire" services make targeted attacks against anyone available for a few hundred dollars. Posing as buyers, we hired several of these services to attack synthetic (though realistic) identities we controlled. We categorize their methods and the state of the market in general.

An Empirical Analysis of the Commercial VPN Ecosystem
Mohammad Taha Khan*, Joe DeBlasio*, Chris Kanich, Geoffrey M. Voelker, Alex C. Snoeren, and Narseo Vallina-Rodriguez ,
Proceedings of the ACM Internet Measurement Conference, October 2018

Though users increasingly rely on commercial VPN services to preserve online privacy, circumvent censorship, and access geo-filtered content, they lack a strong method for evaluating the privacy and security claims made by VPN providers. We designed an active measurement system to test many of security and privacy properties, analyzed 62 commercial providers and find deceptive practices in at least 10\% of the providers studied.

* Co-authors Khan and DeBlasio contributed equally to the work.

Tripwire: Inferring Internet Site Compromise (Press: Gizmodo, The Register),
Joe DeBlasio, Stefan Savage, Geoffrey M. Voelker, and Alex C. Snoeren,
Proceedings of the ACM Internet Measurement Conference, November 2017

Tripwire is a method for detecting website compromises as an unprivileged third-party using externally-visible side effects. Our proof-of-concept implementation exposed previously-unknown compromises impacting more than 100 million users.

Exploring the Dynamics of Search Advertiser Fraud,
Joe DeBlasio, Saikat Guha, Geoffrey M. Voelker, and Alex C. Snoeren,
Proceedings of the ACM Internet Measurement Conference, November 2017.

This work explored search advertiser fraud on Microsoft's Bing search engine, characterizing the scale of fraud, the targeting and bidding behavior of fraudsters, and how those fraudsters impact legitimate advertisers in the ecosystem.


David Kohlbrenner and I co-designed and taught CSE 80, covering essential Linux/UNIX command line skills for all computer scientists and software engineers. The course is highly interactive, taking place entirely at a traditional Bash command prompt.