cispa_all_3850.pdf (871.08 kB)

Pareto-Optimal Defenses for the Web Infrastructure: Theory and Practice

Download (871.08 kB)
journal contribution
posted on 2023-11-29, 18:06 authored by Giorgio Di Tizio, Patrick Speicher, Milivoj Simeonovski, Michael BackesMichael Backes, Ben StockBen Stock, Robert KünnemannRobert Künnemann
The integrity of the content a user is exposed to when browsing the web relies on a plethora of non-web technologies and an infrastructure of interdependent hosts, communication technologies, and trust relations. Incidents like the Chinese Great Cannon or the MyEtherWallet attack make it painfully clear: the security of end users hinges on the security of the surrounding infrastructure: routing, DNS, content delivery, and the PKI. There are many competing, but isolated proposals to increase security, from the network up to the application layer. So far, researchers have focus on analyzing attacks and defenses on specific layers. We still lack an evaluation of how, given the status quo of the web, these proposals can be combined, how effective they are, and at what cost the increase of security comes. In this work, we propose a graph-based analysis based on Stackelberg planning that considers a rich attacker model and a multitude of proposals from IPsec to DNSSEC and SRI. Our threat model considers the security of billions of users against attackers ranging from small hacker groups to nation-state actors. Analyzing the infrastructure of the Top 5k Alexa domains, we discover that the security mechanisms currently deployed are ineffective and that some infrastructure providers have a comparable threat potential to nations. We find a considerable increase of security (up to 13% protected web visits) is possible at relatively modest cost, due to the effectiveness of mitigations at the application and transport layer, which dominate expensive infrastructure enhancements such as DNSSEC and IPsec.


Preferred Citation

Tizio Di, Patrick Speicher, Milivoj Simeonovski, Michael Backes, Ben Stock and Robert Künnemann. Pareto-Optimal Defenses for the Web Infrastructure: Theory and Practice. In: ACM Transactions on Privacy and Security. 2022.

Primary Research Area

  • Threat Detection and Defenses

Secondary Research Area

  • Empirical and Behavioral Security

Legacy Posted Date



ACM Transactions on Privacy and Security

Open Access Type

  • Green

Sub Type

  • Article


@article{cispa_all_3850, title = "Pareto-Optimal Defenses for the Web Infrastructure: Theory and Practice", author = "Di Tizio, Giorgio and Speicher, Patrick and Simeonovski, Milivoj and Backes, Michael and Stock, Ben and Künnemann, Robert", journal="{ACM Transactions on Privacy and Security}", year="2022", }

Usage metrics


    No categories selected


    Ref. manager