Mobile phones connect to the Internet and receive calls using a cellular baseband chip. I researched the iPhone's interface between the operating system and basebands from Qualcomm. In the process, I developed tools that provide further insights into Apple's wireless ecosystem, such as the iPhone 14's novel satellite communication capabilities.

Basebands pose a substantial attack surface, as they do not only process but also decrypt personal data. For cellular attacks, an RBS forces nearby smartphones to connect with it. Once a connection is established, adversaries can record identity information and locations, intercept or manipulate traffic, and execute arbitrary code by exploiting vulnerabilities in the smartphone's baseband stack. RBSes are stealthy as smartphones do not display any indications of compromise to the user. Based on my research into the iPhone's baseband interface and Apple's proprietary cell tower location database, I created the CellGuard iOS app. It alerts users about potential RBSes nearby. During a two-month evaluation period, I collected data on multiple devices using CellGuard and uncovered two dozen potential RBSes.

Cross-site scripting (XSS) is a web vulnerability that allows attackers to execute arbitrary JavaScript code in a victim’s browser. Although a lot of time has passed since its discovery in 1999, XSS is still a concerning problem for a lot of websites on the internet until this day. Also, with the current trend of shifting the code of web applications to the client-side and the resulting increase in complexity of client-side code, the prevalence of client-side XSS vulnerabilities is also getting more severe.

Therefore, to defend against these vulnerabilities, Google introduced a new web API called Trusted Types. Trusted Types eliminate the root causes of client-side XSS vulnerabilities by locking dangerous DOM and JavaScript API functions to only allow input in the form of a Trusted Types object. However, at the time of this work only a small amount of websites were actively using Trusted Types to protect their services against client-side XSS vulnerabilities. This raised the question why this is the case and how we can help and encourage web developers to deploy Trusted Types on their websites. To answer these questions, I conducted a qualitative study similar to the one in "12 Angry Developers - A Qualitative Study on Developers' Struggles with CSP" by Roth et al. (ACM '21). The study provided me with a lot of information that I was able to utilize to uncover some issues in the usability of Trusted Types that prevent web developers from using or correctly implementing the security mechanism. Furthermore, I also made some efforts to provide a better usability by creating an implementation guideline for web developers that can be used to securely implement Trusted Types.

OpenPGP is used for encryption and signing of data, especially e-mails. It requires distribution and verification of public keys. However, the historical approaches of key servers and the Web of Trust have shown several deficiencies, leading to the development of new key exchange methods. I describe and analyze the OpenPGP key exchange method "Web Key Directory".

The analysis revealed inconsistencies and specification gaps in the Web Key Directory specification draft. The main assumption of the Web Key Directory Update Protocol turns out to be too vague. I analyzed several scenarios and interpretations of the main assumption, showing that the Web Key Directory Update Protocol is vulnerable in most of them. Furthermore, I found errors in the reference implementation, which can be utilized for an attack that requires almost no assumptions. It allows an attacker to illegitimately publish OpenPGP keys for any e-mail address for any domain of a Web Key Directory provider.

Mobile contact discovery is a convenience feature of messengers such as WhatsApp or Telegram that helps users to identify which of their existing contacts are registered with the service. Unfortunately, the contact discovery implementation of many popular messengers massively violates the users' privacy as demonstrated by Hagen et al. (NDSS '21, ACM TOPS '23). Unbalanced private set intersection (PSI) protocols are a promising cryptographic solution to realize mobile private contact discovery, however, state-of-the-art protocols do not scale to real-world database sizes with billions of registered users in terms of communication and/or computation overhead.

In this work, I make significant steps towards truly practical large-scale mobile private contact discovery. For this, I combine and substantially optimize the unbalanced PSI protocol of Kales et al. (USENIX Security '19) and the private information retrieval (PIR) protocol of Kogan and Corrigan-Gibbs (USENIX Security '21). The resulting protocol has a total communication overhead that is sublinear in the size of the server's user database and also has sublinear online runtimes. I optimize this protocol by introducing database partitioning and efficient scheduling of user queries. To handle realistic change rates of databases and contact lists, I propose and evaluate different possibilities for efficient updates with promising results.

The Transport Layer Security (TLS) protocol aims to ensure the authenticity and confidentiality of arbitrary internet traffic. However, it intentionally leaks the server's hostname during a client's connection attempt. This leakage makes TLS-encrypted traffic susceptible to malicious interception and censorship. To address this issue, the Encrypted Server Name Indication (ESNI), and later the EncryptedClientHello (ECH) extension, was invented to encrypt the server's hostname and conceal the connection's destination. ESNI and ECH can be combined with encrypted hostname resolution with DNS over HTTPS (DoH) or DNS over TLS (DoT) to further veil the connection's destination.

In this thesis, I analyze the viability of ESNI/ECH for censorship circumvention by analyzing TLS servers and censors around the globe. I detect that widespread ESNI/ECH adoption remains limited, with only Cloudflare initially offering full support. Furthermore, I confirm ESNI censorship in China, introduce a novel TLS censorship circumvention technique involving fragmented TLS messages, and highlight DNS over HTTPS and DNS over TLS censorship in China and Iran. Finally, the thesis introduces an ESNI-Proxy for querying websites that do not support ESNI. I exemplify our results by accessing a censored Wikipedia page in China with ESNI and the introduced circumvention method.

QUIC is a new general-purpose transport protocol intended to supersede the defacto default internet protocol stack. It was designed to combine features of the Transmission Control Protocol (TCP), Transport Layer Security (TLS), and Hypertext Transfer Protocol (HTTP) into one protocol while improving upon them in key areas like performance and security. Version 1 of the QUIC protocol was standardized by the IETF in 2021. Since then the protocol is gaining more and more support from various big tech companies implementing the protocol for their servers. The protocol’s increasing prevalence on the web and its promise to improve security prompt the need for ways to perform security-focused analyses of the QUIC ecosystem. To this end, I propose and implement the QUIC-Scanner, an evolution of the open-source TLS scanning tool TLS-Scanner. The QUIC-Scanner can perform active tests against QUIC-enabled endpoints to analyze various QUIC-specific capabilities and configuration properties. Furthermore, with this thesis, I present the results of a large-scale scan of the 100k most popular websites utilizing the QUIC-Scanner. To the best of our knowledge, I provide the first large-scale scan of QUIC endpoints on the Internet that includes tests for QUIC features like connection migration and address validation. The scan identified a total of 13.3k QUIC-enabled endpoints among the 100k targets. I found that almost none of the targets perform QUIC’s address validation mechanism and only a small number of servers support QUIC’s connection migration capability.