Published by Camron Watts. Modified over 6 years ago.
1
Private Facebook Chat
Chris Robison, Scott Ruoti, Tim van der Horst, Kent Seamons
Internet Security Research Lab, Computer Science Department, Brigham Young University
Notes: 25 minute presentation (20-22), leaving 3-5 minutes for questions
2
Motivation
- Instant messaging is growing*
  - 1 billion IM users
  - 200 million new users each year
  - 47 million instant messages per day
  - 53 messages per user per day
- Instant messaging is moving to social networks
  - Facebook Chat has the largest user base
- Facebook Chat is not secure
  - Transmission of messages over secure channel not guaranteed
Notes: Even more direct introduction. Prepare it. “The motivation for this work is…” Example of stand-alone clients to social networks
*Source: statistics report ,
3
Research Outline
- What are users' attitudes towards instant messaging?
  - Are they aware of security and privacy issues?
- Private Facebook Chat (PFC)
  - Prototype for adding end-to-end encryption to Facebook Chat
  - Designed for usability and security
- PFC usability study
  - Test the ability of users to correctly begin using PFC
Notes: Watch casual language. Describe the grass roots adoption of PFC. See if they could use it easily and correctly. Current users, without training.
4
User Survey
- Preliminary survey to guide research
- 65 respondents
  - Distributed via word of mouth and social networks
- 18 questions
  - Usage
  - Trust
  - Privacy
5
Usage Patterns
- Systems used
  - Google Talk (67%)
  - Facebook Chat (50%)
  - Skype (41%)
- Frequency
  - Half used it daily
  - Another quarter used it at least once a week
Users could select more than one answer.
6
User Trust
- Group 1: Felt safe using IM
- Group 2: Never thought about security in IM
- Group 3: Felt unsafe using IM
All sent sensitive information. 15% of Group 1 even sent highly sensitive information.
7
User Trust
- Question: Are you more likely to send sensitive information to a trusted friend or family member?
- Question: Would you reply with sensitive information to a trusted friend or family member?
While we might think we won’t send sensitive information, when it comes down to it we will. Nearly ¾ are willing to send sensitive information to family. About ½ are somewhat willing to reply to a request for sensitive information.
8
User Privacy
- Question: I’m confident chat conversations are private.
¼ think chat is private, while another ¼ don’t know.
9
Private Facebook Chat
- Adding end-to-end encryption to Facebook Chat
  - Protection from eavesdroppers
  - Protection from honest-but-curious Facebook
- Designed for ease of use
  - Continues to make use of existing interface
  - Layers on security
- Grass roots adoption model
  - No participation by Facebook required
  - Easy, fast installation
10
Threat Model
[Diagram: Alice, Network, Facebook, Bob]
- HTTPS not on by default
  - May be used on one side and not the other
11
Security Overlays
- Adds end-to-end encryption to Facebook Chat
- Window where secure interaction occurs
- Positioned directly over original interface
- Functionally equivalent, but visually distinctive
- Secure content not accessible to Facebook
Notes: Facebook will show encrypted content. We show plaintext.
12
User Interaction
[Screenshots: Alice’s Screen, Bob’s Screen]
Notes: This series of slides shows screenshots of the interface. Use it to tell the story of how Alice chats securely with Bob for the first time.
13
User Interaction
14
User Interaction
[Screenshots: Alice’s Screen, Bob’s Screen]
15
Implementation
- Security
  - AES
    - Confidentiality, Integrity
  - Could add forward secrecy
- Key management
  - Traditionally difficult for users
  - Used key escrow
    - Identity based
    - Symmetric
- Bookmarklets
  - Easy to set up and use
  - Requires no elevated permissions
16
Security Analysis
- Good enough security
  - Focused on usability
  - Usually a tradeoff between security and usability
- Passive attacks
  - Defeated by end-to-end encryption
- Key compromise
  - Separation of duties
  - Short key periods
- Impersonation
  - Facebook account compromised
  - Could use stronger authentication
- Social engineering
  - Convincing users to install malicious bookmarklets
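Added example (not from the slides and not PFC's code): a sketch of how the Implementation and Security Analysis bullets fit together, with an escrow key server deriving an identity-based symmetric key per key period and the client using AES to get confidentiality and integrity. The HMAC-SHA-256 derivation, the one-day period, AES-GCM as the mode, the `DEMO1` wire format and all function names are assumptions; Node's `crypto` module is used so it runs offline.

```javascript
// Added illustration; not PFC's code. Names, key derivation and wire format are assumptions.
const crypto = require("node:crypto");

const PERIOD_MS = 24 * 60 * 60 * 1000; // assumed key period: one day

function periodOf(timestampMs) {
  return Math.floor(timestampMs / PERIOD_MS);
}

// Key server (escrow): derives the key shared by two identities for one period.
// Sorting the identities gives both parties the same key.
function deriveKey(masterSecret, idA, idB, period) {
  const pair = [idA, idB].sort().join("|");
  return crypto.createHmac("sha256", masterSecret).update(`${pair}|${period}`).digest();
}

// Client: AES-256-GCM gives confidentiality and integrity; the period is bound as AAD.
function seal(key, period, plaintext) {
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv("aes-256-gcm", key, iv);
  cipher.setAAD(Buffer.from(String(period)));
  const ct = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  const b64 = [iv, ct, cipher.getAuthTag()].map((b) => b.toString("base64"));
  return ["DEMO1", period, ...b64].join(":");
}

// Returns the plaintext, or null if the message is malformed, was modified,
// or was sealed under a key the caller cannot obtain for that period.
function open(getKey, wire) {
  const parts = wire.split(":");
  if (parts.length !== 5 || parts[0] !== "DEMO1") return null;
  const [, period, iv, ct, tag] = parts;
  try {
    const key = getKey(Number(period));
    const decipher = crypto.createDecipheriv("aes-256-gcm", key, Buffer.from(iv, "base64"));
    decipher.setAAD(Buffer.from(period));
    decipher.setAuthTag(Buffer.from(tag, "base64"));
    const pt = Buffer.concat([decipher.update(Buffer.from(ct, "base64")), decipher.final()]);
    return pt.toString("utf8");
  } catch {
    return null;
  }
}
```

A key leaked for one period opens only that period's messages, which is the effect of the short key periods listed above.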
17
Usability Study
- IRB-approved study
- 17 Facebook Chat users
  - 8 from BYU
  - 9 from a local software company
- 5 tasks
  - Installation
  - Sending and receiving secure messages
  - Ensuring the system was in use
- Participants had no advance notice that the study would focus on security
18
Lessons Learned
- Bookmarklets are usable
  - 15/17 (88%) were able to chat securely
  - 9/17 (53%) were wary of adding Facebook application
- Easy to tell when chat was secure
  - 3/17 (18%) users accidentally sent sensitive information in the clear
  - Occurred because they forgot to first click the bookmarklet
- Users found it desirable
  - 13/17 (76%) said they would use it with friends/family if the system were available.
Notes: Be specific about numbers. Be clear of limitation of bookmarklet vs. plug in
19
Conclusions
- User survey
  - False sense of security permeates IM
  - Users already send sensitive information over IM
- PFC
  - Adds end-to-end security to Facebook
  - Security overlays layer on security.
- Usability study
  - Nearly all users successfully used
  - Bookmarklets easy to use
  - Key management has always been difficult
20
Future Work
- Ways to potentially increase security
  - Needs to preserve usability
  - Authentication
  - Prevent phishing and social engineering
    - Conditioned-safe ceremonies
    - Bookmarklet verification
  - Formal security analysis
- Webmail
  - Other dominant form of internet-based communication
  - Conducted preliminary study with good results
- Further usability studies
  - Long term study
  - Are bookmarklets better or worse than plug-ins?
- Trust of initial message
  - Spear phishing problem turned on its head
  - Personalized greeting to motivate receiver to install the bookmarklet
Reference: C. Karlof, J. D. Tygar, D. Wagner. Conditioned-safe ceremonies and a user study of an application to web authentication. Proc. NDSS. cs.berkeley.edu
21
Questions