Parisa Tabriz

Parisa Tabriz manages Google's information security engineering team, which is responsible for improving the security of Google's products. This team of "hired hackers" conducts security design and code reviews, builds and improves Google technology to make secure development possible and easy, runs security engineering training, and handles vulnerability response. Parisa received her B.S. and M.S. from the University of Illinois at Urbana-Champaign, where she was advised by Nikita Borisov.
Authored Publications
Fixing HTTPS Misconfigurations at Scale: An Experiment with Security Notifications
Eric Zeng, Frank Li
The 2019 Workshop on the Economics of Information Security (2019) (to appear)
Abstract: HTTPS is vital to protecting the security and privacy of users on the Internet. As the cryptographic algorithms and standards underlying HTTPS evolve to meet emerging threats, website owners are responsible for updating and maintaining their HTTPS configurations. In practice, millions of hosts have misconfigured and insecure configurations. In addition to presenting security and privacy risks, misconfigurations can harm user experience on the web, when browsers show warnings for deprecated and outdated protocols. We investigate whether sending direct notifications to the owners of misconfigured sites can motivate them to fix or improve HTTPS misconfigurations, such as outdated ciphersuites or certificates that will expire soon. We conducted a multivariate randomized controlled experiment testing multiple variations of message content through two different notification channels. We find that security notifications alone have a moderate impact on remediation outcomes, similar to or less than notifications for other types of security vulnerabilities. We discuss how notifications can be used in conjunction with other incentives and outreach campaigns, and identify future directions for improving the security of the HTTPS ecosystem.
Does Certificate Transparency Break the Web? Measuring Adoption and Error Rate
Ryan Sleevi, Rijad Muminović, Devon O'Brien, Eran Messeri, Brendan McMillion
Proceedings of the IEEE Symposium on Security & Privacy (2019) (to appear)
Abstract: Certificate Transparency (CT) is an emerging system for enabling the rapid discovery of malicious or misissued certificates. Initially standardized in 2013, CT is now finally beginning to see widespread support. Although CT provides desirable security benefits, web browsers cannot begin requiring all websites to support CT at once, due to the risk of breaking large numbers of websites. We discuss challenges for deployment, analyze the adoption of CT on the web, and measure the error rates experienced by users of the Google Chrome web browser. We find that CT has so far been widely adopted with minimal breakage and warnings. Security researchers often struggle with the tradeoff between security and user frustration: rolling out new security requirements often causes breakage. We view CT as a case study for deploying ecosystem-wide change while trying to minimize end user impact. We discuss the design properties of CT that made its success possible, as well as draw lessons from its risks and pitfalls that could be avoided in future large-scale security deployments.
Measuring HTTPS Adoption on the Web
Richard Barnes, April King, Chris Palmer, Chris Bentzel
USENIX Security (2017)
Abstract: HTTPS ensures that the Web has a base level of privacy and integrity. Security engineers, researchers, and browser vendors have long worked to spread HTTPS to as much of the Web as possible via outreach efforts, developer tools, and browser changes. How much progress have we made toward this goal of widespread HTTPS adoption? We gather metrics to benchmark the status and progress of HTTPS adoption on the Web in 2017. To evaluate HTTPS adoption from a user perspective, we collect large-scale, aggregate user metrics from two major browsers (Google Chrome and Mozilla Firefox). To measure HTTPS adoption from a Web developer perspective, we survey server support for HTTPS among top and long-tail websites. We draw on these metrics to gain insight into the current state of the HTTPS ecosystem.
Where the Wild Warnings Are: Root Causes of Chrome Certificate Errors
Sascha Fahl, Radhika Bhargava, Bhanu Dev, Matt Braithwaite, Ryan Sleevi
Proceedings of the 24th ACM SIGSAC Conference on Computer and Communications Security (2017)
Abstract: HTTPS error warnings are supposed to alert browser users to network attacks. Unfortunately, a wide range of non-attack circumstances trigger hundreds of millions of spurious browser warnings per month. Spurious warnings frustrate users, hinder the widespread adoption of HTTPS, and undermine trust in browser warnings. We investigate the root causes of HTTPS error warnings in the field, with the goal of resolving benign errors. We study a sample of over 300 million errors that Google Chrome users encountered in the course of normal browsing. After manually reviewing more than 2,000 error reports, we developed automated rules to classify the top causes of HTTPS error warnings. We are able to automatically diagnose the root causes of two-thirds of error reports. To our surprise, we find that more than half of errors are caused by client-side or network issues instead of server misconfigurations. Based on these findings, we implemented more actionable warnings and other browser changes to address client-side error causes. We further propose solutions for other classes of root causes.
Denial of Service or Denial of Security? How Attacks can Compromise Anonymity
Nikita Borisov, George Danezis, Prateek Mittal
Conference on Computer and Communications Security, ACM, Alexandria, VA (2007)
Byzantine Attacks on Anonymity Systems
Nikita Borisov, George Danezis
Digital Privacy: Theory, Technologies, and Practices (2007)