Didn't You Hear Me? - Towards More Successful Web Vulnerability Notifications

After treating the notification of affected parties as mere side-notes in research, our community has recently put more focus on how vulnerability disclosure can be conducted at scale. The first works in this area have shown that while notifications are helpful to a significant fraction of operators, the vast majority of systems remain unpatched. In this paper, we build on these previous works, aiming to understand why the effects are not more significant. To that end, we report on a notification experiment targeting more than 24,000 domains, which allowed us to analyze what technical and human aspects are roadblocks to a successful campaign. As part of this experiment, we explored potential alternative notification channels beyond email, including social media and phone. In addition, we conducted an anonymous survey with the notified operators, investigating their perspectives on our notifications. We show the pitfalls of email-based communications, such as the impact of anti-spam filters, the lack of trust by recipients, and hesitations to fix vulnerabilities despite awareness. However, our exploration of alternative communication channels did not suggest a more promising medium. Seeing these results, we pinpoint future directions in improving security notifications.