General audience texts
Besides the scholarly publications listed below, I have written many texts in English and German. My more notable German texts appeared at DNIP.ch. I also maintain document collections intended for a broad audience:
Scholarly publications
Up-to-date citation counts (provided by Google Scholar). List of patents granted.
2018
Matthias Held; Marcel Waldvogel
Fighting Ransomware with Guided Undo Proceedings Article
In: Proceedings of NISK 2018, 2018.
Tags: Cloud Storage, Intrusion Detection, Ransomware, Replication, Security, Usability, Web Applications
@inproceedings{Held2018FightingRansomware,
title = {Fighting Ransomware with Guided Undo},
author = {Matthias Held and Marcel Waldvogel},
url = {https://netfuture.ch/wp-content/uploads/2018/07/held2018fightingransomware.pdf
https://netfuture.ch/wp-content/uploads/2018/09/ransomware_detection.pdf
https://netfuture.ch/wp-content/uploads/2018/09/2018-ransomware.odp},
year = {2018},
date = {2018-09-18},
booktitle = {Proceedings of NISK 2018},
abstract = {Ransomware attacks are rare, yet catastrophic. On closer inspection, they differ from other malware infections: Given appropriate preparation, they do not need to be caught on first sight, but can be undone later. However, current ransomware protection follows the beaten path of anti-malware copying their fallacies. We show how the move to personal cloud storage allows for a paradigm shift in ransomware protection: exceptional attack isolation, perfect elimination of false positive alerts, and simplified recovery.
In this paper, we analyze the necessary operations for ransomware, extend existing ransomware taxonomy, and verify them against real-world malware samples. We analyze the costs and benefits of moving ransomware detection to versioned personal cloud storage. Our content, metadata, and behavior analysis paired with a `guilt by association' capability greatly improves the false positive rate, but the guided undo makes this rate all but inconsequential. Even though the user now carries a new burden, it comes with clear responsibilities and benefits, while being freed from questionable duties, resulting in a win-win situation for user experience and detection quality.
},
keywords = {Cloud Storage, Intrusion Detection, Ransomware, Replication, Security, Usability, Web Applications},
pubstate = {published},
tppubtype = {inproceedings}
}
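A sketch of the detection-plus-undo idea from the abstract above, as an added example that is not code from the paper or its authors. It runs over a constructed version log of the kind a versioned personal cloud store keeps: per-write content analysis (entropy and extension change against the previous version of the same file) feeds a per-client behaviour threshold; a flagged client then taints all of its later writes (`guilt by association`, which also catches the ransom note that looks benign on its own); and the undo plan picks the last clean version per file and lists later writes by other clients for the user to decide on. Record layout, thresholds and sample data are assumptions.

```python
"""Ransomware detection with guided undo over a versioned file store.

Added example, not code from the paper or its authors. It sketches the ideas
named in the abstract (content and behaviour analysis on versioned cloud
storage, 'guilt by association', undo instead of blocking) on a constructed
version log. Record layout, thresholds and sample data are assumptions.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from math import log2
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Version:
    vid: int        # server-assigned, monotonically increasing version id
    client: str     # sync client / session that uploaded this version
    fid: str        # stable file identity that survives renames
    path: str       # path at the time of this version
    content: bytes


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: roughly 4-5 for text, 8.0 for ciphertext."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * log2(c / n) for c in Counter(data).values())


def ext(path: str) -> str:
    return path.rsplit(".", 1)[-1].lower() if "." in path else ""


def suspicious(prev: Optional[Version], cur: Version) -> bool:
    """Content signal for one write: an existing file is replaced by high-entropy
    bytes and either was plain before or changes its extension. A freshly
    uploaded photo or archive is high-entropy too, but has no prior version."""
    if prev is None or len(cur.content) < 32:
        return False
    high = entropy(cur.content) > 7.0
    return high and (entropy(prev.content) < 6.0 or ext(prev.path) != ext(cur.path))


def detect(log: List[Version], min_hits: int = 3) -> Dict[str, int]:
    """Behaviour signal: a client producing at least min_hits suspicious writes
    is treated as a ransomware session. Returns {client: vid of its first hit}."""
    last: Dict[str, Version] = {}
    hits: Dict[str, List[int]] = defaultdict(list)
    for v in sorted(log, key=lambda v: v.vid):
        if suspicious(last.get(v.fid), v):
            hits[v.client].append(v.vid)
        last[v.fid] = v
    return {c: vids[0] for c, vids in hits.items() if len(vids) >= min_hits}


def undo_plan(log: List[Version], flagged: Dict[str, int]
              ) -> Dict[str, Tuple[Optional[Version], List[Version]]]:
    """Guided undo. Guilt by association: every write by a flagged client from
    its first hit onward is tainted, including ones that look benign (the ransom
    note). For each touched file return (version to restore, later writes by
    other clients the user must look at). None means the file did not exist
    before the attack and should be removed."""
    by_fid: Dict[str, List[Version]] = defaultdict(list)
    for v in sorted(log, key=lambda v: v.vid):
        by_fid[v.fid].append(v)
    plan: Dict[str, Tuple[Optional[Version], List[Version]]] = {}
    for fid, history in by_fid.items():
        tainted = [v for v in history if v.client in flagged and v.vid >= flagged[v.client]]
        if not tainted:
            continue
        cutoff = tainted[0].vid
        clean = [v for v in history if v.vid < cutoff]
        conflicts = [v for v in history if v.vid > cutoff and v.client not in flagged]
        plan[fid] = (clean[-1] if clean else None, conflicts)
    return plan


# Constructed sample data. CIPHERTEXT and PHOTO stand in for encrypted output and
# a compressed image: uniform byte distributions (every byte value exactly four times).
PLAINTEXT = b"Quarterly report: revenue grew, costs were flat, see table 2.\n" * 8
PLAINTEXT_V2 = PLAINTEXT + b"Addendum: updated figures for Q3.\n"
CIPHERTEXT = bytes((i * 167 + 11) % 256 for i in range(1024))
PHOTO = bytes((i * 59 + 3) % 256 for i in range(1024))
RANSOM_NOTE = b"Your files are encrypted. Pay to get the key.\n" * 4

LOG = [
    Version(1, "laptop", "f1", "report.docx", PLAINTEXT),
    Version(2, "laptop", "f2", "notes.txt", PLAINTEXT),
    Version(3, "phone", "f3", "photo.jpg", PHOTO),           # new high-entropy file: fine
    Version(4, "laptop", "f2", "notes.txt", PLAINTEXT_V2),   # ordinary edit: fine
    Version(5, "laptop", "f1", "report.docx.locked", CIPHERTEXT),
    Version(6, "laptop", "f2", "notes.txt.locked", CIPHERTEXT),
    Version(7, "laptop", "f4", "README_DECRYPT.txt", RANSOM_NOTE),  # tainted by association
    Version(8, "laptop", "f3", "photo.jpg.locked", CIPHERTEXT),
    Version(9, "phone", "f2", "notes.txt", PLAINTEXT_V2 + b"from phone\n"),  # conflict
    Version(10, "phone", "f5", "todo.txt", PLAINTEXT),       # untouched file: not in plan
]

if __name__ == "__main__":
    flagged = detect(LOG)
    print("flagged sessions:", flagged)
    for fid, (restore, conflicts) in undo_plan(LOG, flagged).items():
        target = "remove" if restore is None else "restore v%d (%s)" % (restore.vid, restore.path)
        print("%s: %s; review later writes: %s" % (fid, target, [c.vid for c in conflicts]))
```

Because the decision is an undo rather than a block, a false positive costs the user one confirmation rather than lost work, which is the asymmetry the abstract argues for, so `min_hits` can be set low. A real store would also have to watch deletions and attempts to purge version history, which the sample log does not model.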

2017
Marcel Waldvogel; Thomas Zink
X.509 User Certificate-based Two-Factor Authentication for Web Applications Proceedings Article
In: Müller, Paul; Neumair, Bernhard; Reiser, Helmut; Dreo Rodosek, Gabi (Ed.): 10. DFN-Forum Kommunikationstechnologien, 2017.
Tags: Federated Services, Identity Management, Passwords, Security, Usability, Web Applications, X.509
@inproceedings{Waldvogel-X509,
title = {X.509 User Certificate-based Two-Factor Authentication for Web Applications},
author = {Marcel Waldvogel and Thomas Zink},
editor = {Paul Müller and Bernhard Neumair and Helmut Reiser and Dreo Rodosek, Gabi},
url = {https://netfuture.ch/wp-content/uploads/2018/05/x509auth.pdf},
year = {2017},
date = {2017-05-30},
booktitle = {10. DFN-Forum Kommunikationstechnologien},
abstract = {An appealing property to researchers, educators, and students is the openness of the physical environment and IT infrastructure of their organizations. However, to the IT administration, this creates challenges way beyond those of a single-purpose business or administration. Especially the personally identifiable information or the power of the critical functions behind these logins, such as financial transactions or manipulating user accounts, require extra protection in the heterogeneous educational environment with single-sign-on. However, most web-based environments still lack a reasonable second-factor protection or at least the enforcement of it for privileged operations without hindering normal usage.
In this paper we introduce a novel and surprisingly simple yet extremely flexible way to implement two-factor authentication based on X.509 user certificates in web applications. Our solution requires only a few lines of code in web server configuration and none in the application source code for basic protection. Furthermore, since it is based on X.509 certificates, it can be easily combined with smartcards or USB cryptotokens to further enhance security.},
keywords = {Federated Services, Identity Management, Passwords, Security, Usability, Web Applications, X.509},
pubstate = {published},
tppubtype = {inproceedings}
}

Thomas Zink; Marcel Waldvogel
X.509 User Certificate-based Two-Factor Authentication for Web Applications Technical Report
Distributed Systems Laboratory, University of Konstanz no. KN-2017-DISY-03, 2017.
Tags: Certificates, Identity Management, Security, Two-Factor Authentication, Usability, Web Applications, X509
@techreport{Zink2017X509,
title = {X.509 User Certificate-based Two-Factor Authentication for Web Applications},
author = {Thomas Zink and Marcel Waldvogel},
url = {https://netfuture.ch/wp-content/uploads/2017/03/kn-2017-disy-03.pdf},
year = {2017},
date = {2017-03-14},
number = {KN-2017-DISY-03},
institution = {Distributed Systems Laboratory, University of Konstanz},
abstract = {An appealing property to researchers, educators, and students is the openness of the physical environment and IT infrastructure of their organizations. However, to the IT administration, this creates challenges way beyond those of a single-purpose business or administration. Especially the personally identifiable information or the power of the critical functions behind these logins, such as financial transactions or manipulating user accounts, require extra protection in the heterogeneous educational environment with single-sign-on. However, most web-based environments still lack a reasonable second-factor protection or at least the enforcement of it for privileged operations without hindering normal usage.
In this paper we introduce a novel and surprisingly simple yet extremely flexible way to implement two-factor authentication based on X.509 user certificates in web applications. Our solution requires only a few lines of code in web server configuration and none in the application source code for basic protection. Furthermore, since it is based on X.509 certificates, it can be easily combined with smartcards or USB cryptotokens to further enhance security.},
keywords = {Certificates, Identity Management, Security, Two-Factor Authentication, Usability, Web Applications, X509},
pubstate = {published},
tppubtype = {techreport}
}
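Both X.509 entries above (the DFN-Forum paper and the technical report) describe the same scheme: the web server verifies a user certificate issued by the organisation's CA, and the application needs little or no code. What follows is an added example, not the paper's code, of the check that sits between the server's verdict and a privileged operation. It assumes Apache mod_ssl with `SSLVerifyClient optional`, `SSLCACertificateFile` pointing at the user CA and `SSLOptions +StdEnvVars`, which exports `SSL_CLIENT_VERIFY` and `SSL_CLIENT_S_DN_CN` into the request environment; it further assumes that SSO has set `REMOTE_USER` and that certificates are issued with the login name as CN. The privileged path prefixes and the sample requests are constructed. The purely server-side variant from the abstract is `SSLVerifyClient require` inside a `<Location>` for the privileged path; the step this example adds is binding the certificate subject to the session user, without which any certificate from the CA would serve as a second factor for any account.

```python
"""Certificate-based second factor for privileged web paths (WSGI middleware).

Added example, not the paper's code. Assumes the web server (Apache mod_ssl)
has already verified the client certificate chain and exported the verdict as
SSL_CLIENT_VERIFY / SSL_CLIENT_S_DN_CN, and that SSO set REMOTE_USER.
"""
from typing import Callable, Iterable, List, Mapping, Tuple

# Assumed: paths whose operations need the second factor.
PRIVILEGED_PREFIXES = ("/admin/", "/finance/")


def cert_second_factor_ok(environ: Mapping[str, str]) -> Tuple[bool, str]:
    """Return (accepted, reason) for the certificate factor of one request.

    mod_ssl sets SSL_CLIENT_VERIFY to NONE (no certificate), SUCCESS,
    GENEROUS (accepted without a complete chain) or FAILED:<reason>; only
    SUCCESS counts. The subject CN must equal the first-factor identity, so a
    stolen or colleague's certificate cannot unlock another account (assumed
    issuance policy: CN is the login name).
    """
    verify = environ.get("SSL_CLIENT_VERIFY", "NONE")
    if verify != "SUCCESS":
        return False, "client certificate not verified (%s)" % verify
    user = environ.get("REMOTE_USER", "")
    if not user:
        return False, "no first-factor session"
    cn = environ.get("SSL_CLIENT_S_DN_CN", "")
    if cn.lower() != user.lower():
        return False, "certificate subject %r does not match session user %r" % (cn, user)
    return True, "ok"


class X509StepUp:
    """Require the certificate factor for requests under privileged prefixes.

    Everything else passes through untouched, so ordinary use is not hindered.
    """

    def __init__(self, app: Callable, prefixes=PRIVILEGED_PREFIXES):
        self.app = app
        self.prefixes = tuple(prefixes)

    def __call__(self, environ, start_response) -> Iterable[bytes]:
        if environ.get("PATH_INFO", "/").startswith(self.prefixes):
            ok, reason = cert_second_factor_ok(environ)
            if not ok:
                start_response("403 Forbidden", [("Content-Type", "text/plain")])
                return [("second factor required: %s\n" % reason).encode()]
        return self.app(environ, start_response)


def hello_app(environ, start_response):
    """Stand-in for the unmodified application."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello\n"]


def simulate(app: Callable, environ: Mapping[str, str]) -> Tuple[str, bytes]:
    """Drive a WSGI app with a constructed environ; returns (status, body)."""
    status: List[str] = []

    def start_response(st, headers, exc_info=None):
        status.append(st)

    body = b"".join(app(dict(environ), start_response))
    return status[0], body


APP = X509StepUp(hello_app)

# Constructed requests, shaped like mod_ssl's StdEnvVars output.
ORDINARY = {"PATH_INFO": "/courses/", "REMOTE_USER": "alice", "SSL_CLIENT_VERIFY": "NONE"}
ADMIN_NO_CERT = {"PATH_INFO": "/admin/users", "REMOTE_USER": "alice", "SSL_CLIENT_VERIFY": "NONE"}
ADMIN_EXPIRED = {"PATH_INFO": "/admin/users", "REMOTE_USER": "alice",
                 "SSL_CLIENT_VERIFY": "FAILED:certificate has expired",
                 "SSL_CLIENT_S_DN_CN": "alice"}
ADMIN_OTHERS_CERT = {"PATH_INFO": "/admin/users", "REMOTE_USER": "alice",
                     "SSL_CLIENT_VERIFY": "SUCCESS", "SSL_CLIENT_S_DN_CN": "bob"}
ADMIN_OK = {"PATH_INFO": "/admin/users", "REMOTE_USER": "alice",
            "SSL_CLIENT_VERIFY": "SUCCESS", "SSL_CLIENT_S_DN_CN": "alice"}

if __name__ == "__main__":
    for name, env in [("ordinary", ORDINARY), ("admin, no cert", ADMIN_NO_CERT),
                      ("admin, expired", ADMIN_EXPIRED), ("admin, bob's cert", ADMIN_OTHERS_CERT),
                      ("admin, alice's cert", ADMIN_OK)]:
        print("%-20s %s" % (name, simulate(APP, env)[0]))
```

Two caveats a deployment needs beyond this sketch: the middleware must only trust `SSL_CLIENT_*` variables that the TLS terminator itself sets (a reverse proxy forwarding them as headers must strip client-supplied copies), and revocation has to be handled at the server (`SSLCARevocationFile` or OCSP) because the application never sees the certificate, only the verdict.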

2014
Thomas Zink; Oliver Haase; Marcel Waldvogel
Webharvesting von Publikationsdaten Technical Report
University of Konstanz no. KN-2014-DISY-02, 2014.
Tags: Web Applications, Web Archiving
@techreport{Zink2014Webharvesting,
title = {Webharvesting von Publikationsdaten},
author = {Thomas Zink and Oliver Haase and Marcel Waldvogel},
url = {https://netfuture.ch/wp-content/uploads/2018/09/zink2014webharvesting.pdf},
year = {2014},
date = {2014-10-01},
number = {KN-2014-DISY-02},
institution = {University of Konstanz},
abstract = {Research work, data and results at universities and colleges are increasingly no longer published and documented as written documents but exclusively on web pages on the Internet and intranet. So far these are archived only insufficiently and incompletely, which potentially leaves large gaps in archiving and future documentation. It also impairs traceability and reproducibility, two properties that carry particular weight in a scientific context.},
keywords = {Web Applications, Web Archiving},
pubstate = {published},
tppubtype = {techreport}
}

Thomas Zink; Oliver Haase; Marcel Waldvogel
Automatische Identifikation relevanter Domains zur Web-Archivierung Technical Report
University of Konstanz no. KN-2014-DISY-01, 2014.
Tags: Web Applications, Web Archiving
@techreport{Zink2014AutomatischeDomains,
title = {Automatische Identifikation relevanter Domains zur Web-Archivierung},
author = {Thomas Zink and Oliver Haase and Marcel Waldvogel},
url = {https://netfuture.ch/wp-content/uploads/2018/09/zink2014automatischedomains.pdf},
year = {2014},
date = {2014-10-01},
number = {KN-2014-DISY-01},
institution = {University of Konstanz},
abstract = {Organisations and research institutions such as universities and colleges are often represented by many different domains hosted on several web servers. Users frequently do not know all of them, since working groups, institutes and the like may run their own domains and web servers, possibly hosted externally. For web archiving in large organisations this is a problem, because it is not known a priori which domains have to be archived; they should be detected automatically. The main difficulty is establishing whether a domain belongs to the organisation. We present several methods that can be applied before and during harvesting to decide dynamically which domains must be added to the archive.},
keywords = {Web Applications, Web Archiving},
pubstate = {published},
tppubtype = {techreport}
}

Marcel Waldvogel; Klaus Herberth; Daniel Scharon
Chat in Forschung und Lehre? Sicher! Journal Article
In: DFN-Mitteilungen, no. 86, pp. 38-41, 2014, ISSN: 0177-6894.
Tags: Federated Services, Privacy, Security, Social Networks, Video Chat, Web Applications, XMPP
@article{Waldvogel2014Chat,
title = {Chat in Forschung und Lehre? Sicher!},
author = {Marcel Waldvogel and Klaus Herberth and Daniel Scharon},
url = {https://netfuture.ch/wp-content/uploads/2014/05/Waldvogel2014Chat.pdf
https://www.dfn.de/publikationen/dfnmitteilungen/},
issn = {0177-6894},
year = {2014},
date = {2014-05-23},
journal = {DFN-Mitteilungen},
number = {86},
pages = {38-41},
abstract = {Instant messaging and audio and video calls, chat for short, have become an integral part of daily life. Most people use closed systems for this, which are convenient for private use but fail on data protection and privacy when used professionally in research and teaching. It does not have to be this way: built on the open, federated Extensible Messaging and Presence Protocol (XMPP), WISEchat offers, web-based and web-integrated, the security, convenience and extensibility a modern university needs. We explain the background, the advantages and the future-proofing using a few concrete examples.},
keywords = {Federated Services, Privacy, Security, Social Networks, Video Chat, Web Applications, XMPP},
pubstate = {published},
tppubtype = {article}
}

Klaus Herberth; Daniel Kaiser; Daniel Scharon; Marcel Waldvogel
Interaktive Webseiten für effiziente Kooperation auf Basis offener Standards Technical Report
University of Konstanz no. KN-2014-DiSy-002, 2014.
Tags: Collaboration, Privacy, Security, Social Networks, Video Chat, Web Applications, XMPP
@techreport{herberth14interaktive,
title = {Interaktive Webseiten für effiziente Kooperation auf Basis offener Standards},
author = {Klaus Herberth and Daniel Kaiser and Daniel Scharon and Marcel Waldvogel},
url = {https://netfuture.ch/wp-content/uploads/2014/01/herberth14interaktive.pdf},
year = {2014},
date = {2014-01-18},
number = {KN-2014-DiSy-002},
institution = {University of Konstanz},
abstract = {Researchers' homepages, administrative information pages, support and advisory pages, webmail and other groupware accompany our daily work in the academic environment. Immediate follow-up questions about the content or interactions are still not possible, however; integrating direct contacts would often be pleasant and helpful. Swoosch, our JavaScript library based on the open standards XMPP, HTML5 and WebRTC, provides a remedy. Existing web pages and applications can be extended transparently and with minimal effort by instant messaging including video conferencing, opening new advisory and communication channels in which privacy is protected by end-to-end encryption. Experience from the test installations showed seamless integration, a low entry barrier, speed and ease of use. Thanks to XMPP's inherent federation, the service can also be used across organisational boundaries. Thanks to its open standards, Swoosch can be integrated and extended almost arbitrarily.},
keywords = {Collaboration, Privacy, Security, Social Networks, Video Chat, Web Applications, XMPP},
pubstate = {published},
tppubtype = {techreport}
}

2011
Pascal Gienger; Marcel Waldvogel
Polybius: Secure Web Single-Sign-On for Legacy Applications Proceedings Article
In: 4. DFN-Forum Kommunikationstechnologien, 2011.
Tags: Cloud Storage, Identity Management, Security, Trust, Web Applications
@inproceedings{Gienger2011Polybius,
title = {Polybius: Secure Web Single-Sign-On for Legacy Applications},
author = {Pascal Gienger and Marcel Waldvogel},
url = {https://netfuture.ch/wp-content/uploads/2011/gienger11polybius.pdf},
year = {2011},
date = {2011-06-20},
booktitle = {4. DFN-Forum Kommunikationstechnologien},
abstract = {Web-based interfaces to applications in all domains of university life are surging. Given the diverse demands on universities and their individual histories, combined with the rapid developments in the IT industry, all attempts at a sole all-encompassing platform for single-sign-on (SSO) will remain futile. In this paper, we present an architecture for a meta-SSO, which is able to seamlessly integrate with a wide variety of existing local sign-in and SSO mechanisms. It is therefore an excellent candidate for a university-wide all-purpose SSO system. Among the highlights are: No passwords are ever stored on disk, neither in the browser nor in the gateway; its basics have been implemented in a simple, yet versatile Apache module; and it can help reduce the impact of security problems anywhere in the system. It could even form the basis for secure inter-university collaborations and mutual outsourcing.},
keywords = {Cloud Storage, Identity Management, Security, Trust, Web Applications},
pubstate = {published},
tppubtype = {inproceedings}
}
