University of Illinois Urbana-Champaign

URL location ambiguity

Reynolds, Joshua

This item's files can only be accessed by the Administrator group.

Permalink

https://hdl.handle.net/2142/117547

Description

Title
URL location ambiguity
Author(s)
Reynolds, Joshua
Issue Date
2022-11-14
Director of Research (if dissertation) or Advisor (if thesis)
Bailey, Michael D
Doctoral Committee Chair(s)
Bailey, Michael D
Committee Member(s)
  • Gunter, Carl
  • Bates, Adam
  • Seamons, Kent
Department of Study
Computer Science
Discipline
Computer Science
Degree Granting Institution
University of Illinois at Urbana-Champaign
Degree Name
Ph.D.
Degree Level
Dissertation
Keyword(s)
  • uniform resource locators
  • http
  • security
  • parsing ambiguity
  • network security
  • usable security
Abstract
The Web is a ubiquitous tool for a wide range of stakeholders–all of whom rely on the ability to reliably locate remote resources. Uniform Resource Locators (URLs) guide the tens of trillions of HyperText Transfer Protocol (HTTP) requests in the Internet every day. If URLs are ambiguously understood, then the Web loses the ability to reliably locate resources. Attackers can take advantage of the ambiguity to misdirect both humans and their computers to untrustworthy resources. We show that for both humans and machines, URL complexity causes parsing inconsistencies that undermine security assumptions of HTTP. The processes users use to parse identity from URLs are insufficient to handle complex URLs – leaving Web users vulnerable to misdirection. We identify and categorize nine differences in URL parsing across more than a dozen URL parsers that enable us to engineer “equivocal URLs.” These equivocal URLs can cause false positives in malicious URL classifiers when the classifier’s URL parser is different from the URL parser of the client it is protecting. We measure added URL complexity stemming from the fact that both users and back-end systems share reliance on URLs. We evaluate the feasibility of reducing URL complexity by moving humans away from direct URL interaction.
Graduation Semester
2022-12
Type of Resource
Thesis
Copyright and License Information
©2022 Joshua Reynolds

Owning Collections

Graduate Dissertations and Theses at Illinois PRIMARY
Graduate Theses and Dissertations at Illinois