Pareto-Optimal Defensive Strategies for Securing the Web

We present the results from the paper Pareto-Optimal Defensive Strategies for Securing the Web as an interactive web application.

1. Select an attacker.

You can choose between several countries, important infrastructure providers, and a hacker group mimicking the 2018 attack on MyEtherWallet.

2. Activate the mitigations you want to consider and choose their cost.

Activate the mitigations you want to be considered in the analysis. The default costs are displayed next to the mitigations. You can edit these costs, which may change the resulting optimal defensive strategy and total cost. For computing the total cost, the cost of a mitigation is multiplied by the number of domains for which it is implemented.

Available mitigations:

IPsec
DNSSEC
DANE
Certificate Transparency
SRI
Upgrade Requests HTTPS
Secure HTTPS inclusions
H3 (HTTPS, HTTPS-Redirection, HSTS)

3. Investigate effectiveness and cost.

The app reports three figures for the selected attacker and mitigations: affected visitors, secured visitors and total cost.

4. Inspect Pareto frontier.

The Pareto frontier consists of all combinations of these mitigations that are not dominated by another combination, i.e., no other combination has lower cost with the same or better reduction in attack success, or the same or lower cost with a better reduction. The remaining combinations are plotted on a graph mapping cost to how many visitors are still affected. Hover over each point on the plot to see which mitigations it combines.

Due to the high relative cost of IPsec, the cheaper mitigations are clustered to the left of the plot; use the zoom tool to inspect them.
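As an added example (not code from the paper or from the web application), the Pareto-frontier selection described above can be computed by enumerating every subset of a few mitigations and discarding dominated points. The per-domain costs, domain counts, attack paths and visitor groups below are constructed stand-ins for the app's data, and the effectiveness model (a visitor is secured only when every attack path they are exposed to is closed) is an assumption, not the paper's model.

```python
from itertools import combinations

# Constructed data, not the paper's: (per-domain cost, number of domains) for
# each mitigation; total cost = per-domain cost x domains, as in step 2.
MITIGATIONS = {"DNSSEC": (10, 4), "DANE": (15, 4), "SRI": (5, 12), "H3": (8, 12)}

# Assumed (constructed) attack paths that each mitigation closes.
CLOSES = {"DNSSEC": {"dns"}, "DANE": {"dns", "cert"},
          "SRI": {"script"}, "H3": {"downgrade"}}

# Constructed visitor groups: (number of visitors, attack paths they are exposed to).
VISITORS = [(400, {"dns"}), (250, {"script"}),
            (200, {"downgrade"}), (150, {"dns", "cert"})]


def total_cost(combo):
    """Sum over the selected mitigations of per-domain cost times domains."""
    return sum(MITIGATIONS[m][0] * MITIGATIONS[m][1] for m in combo)


def affected_visitors(combo):
    """Assumed model: a group stays affected unless all of its paths are closed."""
    closed = set().union(*(CLOSES[m] for m in combo))
    return sum(n for n, paths in VISITORS if not paths <= closed)


def all_combinations():
    names = sorted(MITIGATIONS)
    return [frozenset(c) for k in range(len(names) + 1)
            for c in combinations(names, k)]


def pareto_frontier(combos):
    """Keep combinations that no other combination beats on both cost and
    affected visitors, with at least one of the two strictly better."""
    points = {c: (total_cost(c), affected_visitors(c)) for c in combos}

    def dominated(c):
        cost, aff = points[c]
        return any(oc <= cost and oa <= aff and (oc, oa) != (cost, aff)
                   for o, (oc, oa) in points.items() if o != c)

    frontier = [(points[c][0], points[c][1], tuple(sorted(c)))
                for c in combos if not dominated(c)]
    return sorted(frontier)  # sorted by cost, then affected visitors


if __name__ == "__main__":
    for cost, affected, names in pareto_frontier(all_combinations()):
        print(f"cost={cost:4d} affected={affected:4d} {names or ('none',)}")
```

With these constructed inputs the frontier has seven points, and single mitigations such as SRI alone drop out because DANE alone costs the same while leaving fewer visitors affected.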

5. Store config or results.