Showing 1–2 of 2 results for author: Gerig, P

Preventing EFail Attacks with Client-Side WebAssembly: The Case of Swiss Post's IncaMail

Authors: Pascal Gerig, Jämes Ménétrey, Baptiste Lanoix, Florian Stoller, Pascal Felber, Marcelo Pasin, Valerio Schiavoni

Abstract: Traditional email encryption schemes are vulnerable to EFail attacks, which exploit the lack of message authentication by manipulating ciphertexts and exfiltrating plaintext via HTML backchannels. Swiss Post's IncaMail, a secure email service for transmitting legally binding, encrypted, and verifiable emails, counters EFail attacks using an authenticated-encryption with associated data (AEAD) encr… ▽ More Traditional email encryption schemes are vulnerable to EFail attacks, which exploit the lack of message authentication by manipulating ciphertexts and exfiltrating plaintext via HTML backchannels. Swiss Post's IncaMail, a secure email service for transmitting legally binding, encrypted, and verifiable emails, counters EFail attacks using an authenticated-encryption with associated data (AEAD) encryption scheme to ensure message privacy and authentication between servers. IncaMail relies on a trusted infrastructure backend and encrypts messages per user policy. This paper presents a revised IncaMail architecture that offloads the majority of cryptographic operations to clients, offering benefits such as reduced computational load and energy footprint, relaxed trust assumptions, and per-message encryption key policies. Our proof-of-concept prototype and benchmarks demonstrate the robustness of the proposed scheme, with client-side WebAssembly-based cryptographic operations yielding significant performance improvements (up to ~14x) over conventional JavaScript implementations. △ Less

Submitted 23 June, 2023; originally announced June 2023.

Comments: This publication incorporates results from the VEDLIoT project, which received funding from the European Union's Horizon 2020 research and innovation programme under grant agreement No 957197

Journal ref: DEBS'23: Proceedings of the 17th ACM International Conference on Distributed and Event-Based Systems, Neuchâtel, Switzerland, June 2023

Phish What You Wish

Authors: Pascal Gadient, Pascal Gerig, Oscar Nierstrasz, Mohammad Ghafari

Abstract: IT professionals have no simple tool to create phishing websites and raise the awareness of users. We developed a prototype that can dynamically mimic websites by using enriched screenshots, which requires no additional programming experience and is simple to set up. The generated websites are functional and remain up-to-date. We found that 98% of the hyperlinks in mimicked websites are functional… ▽ More IT professionals have no simple tool to create phishing websites and raise the awareness of users. We developed a prototype that can dynamically mimic websites by using enriched screenshots, which requires no additional programming experience and is simple to set up. The generated websites are functional and remain up-to-date. We found that 98% of the hyperlinks in mimicked websites are functional with our tool, compared to 43% with the best competitor, and only two participants suspected phishing attempts at the time they were performing tasks with our prototype. This work intends to raise awareness for phishing attempts especially with local websites by providing an easy to use prototype to set up such phishing sites. △ Less

Submitted 5 November, 2021; originally announced November 2021.

Comments: The 21st IEEE International Conference on Software Quality, Reliability and Security (QRS 2021)