Projects

Projects are grouped by research area. Open each project card to read deeper findings and citation details.

DNS

Internet-scale DNS measurements, deployment trends, and protocol behavior.

1 project

Project 1 of 1

Exploring the Ecosystem of DNS HTTPS Resource Records: An End-to-End Perspective

Topic and venue

IMC 2024 DNS HTTPS Measurement

Authors

Hongying Dong, Yizhe Zhang, Hyeonmin Lee, Shumon Huque, Yixin Sun


Summary

In this research, we investigated the adoption and management of DNS HTTPS records on both the server side (i.e., domains) and client side (i.e., web browsers). Specifically, we found that over 20% of Tranco’s top 1 million domains had DNS HTTPS records between May 2023 and March 2024, and major browsers utilize these records when establishing connections. Despite this growing adoption, our findings highlight challenges such as the proper maintenance of DNS HTTPS records and browser connection failures caused by misconfigurations.

Artifacts

We provide DNS HTTPS record datasets collected through daily scans of the Tranco Top 1 Million domains, along with code to reproduce the figures presented in our paper and scripts used for data collection.


Code

Code to reproduce figures and scripts used to collect DNS data for Tranco domains.

Reproducing Figures

Use parsed data in data/parsed/ or plotting data in data/plotting/. Open the Jupyter notebooks in notebooks/ to generate the figures.

Data Collection

Scripts for issuing DNS queries and testing TLS connection establishment behavior, including mismatched IP cases.


Dataset

Parsed DNS HTTPS measurements collected daily from our measurement server and released monthly.

Included Records

  • HTTPS (and RRSIG if available)
  • A, AAAA
  • NS, SOA

Daily CSV Files

  • apex_https.csv, www_https.csv
  • apex_flags.csv, www_flags.csv
  • AD, QR, RD, RA, CD, AA, TC


If you find this work helpful, please cite the paper

TLS/PKI

Certificate ecosystems, trust chains, and privacy implications in real deployments.

3 projects

Project 1 of 3

Inside Certificate Chains Beyond Public Issuers: Structure and Usage Analysis from a Campus Network

Topic and venue

IMC 2025 Certificate Chain Analysis

Authors

Hongying Dong, Yizhe Zhang, Hyeonmin Lee, Yixin Sun


Summary

We conduct research on TLS certificate chains issued by non-public issuers (absent from major browser root stores and the CCADB). Using one year of campus network traffic—259.3M TLS connections and 731,175 chains—we analyze how these chains are structured and deployed. We find unnecessary certificates frequently appear, causing inconsistent validation outcomes across clients, and observe a shift toward automated certificate management such as Let’s Encrypt.

Artifacts


Dataset

Due to the sensitive nature of campus traffic, datasets are not publicly shared.


Code

Code available on GitHub.



If you find this work helpful, please cite the paper

Project 2 of 3

Mutual TLS in Practice: A Deep Dive into Certificate Configurations and Privacy Issues

Topic and venue

IMC 2024 Mutual TLS

Authors

Hongying Dong, Yizhe Zhang, Hyeonmin Lee, Kevin Du, Guancheng Tu, Yixin Sun


Summary

We analyze 1.2B mutual TLS connections over 23 months (2.2M server certs, 3.4M client certs). Findings cover security concerns, non-standard certificate sharing, and privacy-sensitive information embedded in certificates.

Artifacts

Code for privacy analysis in Section 6 of the paper.

Classifying information in CN and SAN


Prerequisites

  • CCADB: Used to check issuer names (CSV export).
  • spaCy NER: Model en_core_web_trf-3.7.3.
  • Company datasets: BigPicture 2023 Q4 and People Data Labs 2019 lists.

Code

Repository with analysis scripts.

GitHub Repository →

Some parameters/functions adjusted to protect sensitive campus data.


How to Run

  • Download prerequisites and analysis_code.py.
  • Set paths:
    SPACY_NER_PATH = "/path/to/en_core_web_trf-3.7.3/"
    CCADB_PATH = "/path/to/AllCertificateRecordsReport.csv"
    COMPANY_DATA1_PATH = "/path/to/companies-2023-q4-sm.csv"
    COMPANY_DATA2_PATH = "/path/to/companies_sorted.csv"
    COMPANY_SIM_SEED_PATH = "/path/to/company_sim_seed.csv"
    NER_SEED_PATH = "/path/to/ner_seed.csv"
    
  • Load datasets (raw data not provided):
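    import pandas as pd

    def load_certificate_data():
        # Raw data is not provided; point this at your own certificate dataset.
        path = "/path/to/certificate_dataset"
        # Assumes a CSV file; swap in the pandas reader that matches your format.
        df = pd.read_csv(path)
        return df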
    
  • Run script to produce counts of each information type.

Dataset Availability

Raw certificate data and other artifacts are not public due to sensitive campus information.


If you find this work helpful, please cite the paper

Project 3 of 3

Behind the Scenes: Uncovering TLS and Server Certificate Practice of IoT Device Vendors in the Wild

Topic and venue

IMC 2023 IoT TLS Analysis

Authors

Hongying Dong, Hao Shu, Vijay Prakash, Yizhe Zhang, Muhammad Talha Paracha, David Choffnes, Santiago Torres-Arias, Danny Yuxing Huang, Yixin Sun


Summary

In this research, we conducted a quantitative analysis of TLS/PKI deployment in the IoT context, identifying associated security concerns. By measuring the sharing of TLS instances across IoT vendors and devices, we revealed a widespread use of highly customized TLS libraries that do not correspond to any known TLS implementations, posing potential security risks due to co-located TLS stacks from different services. Additionally, we performed the first known study on server-side certificate management for servers accessed by IoT devices. Our findings underscore critical issues in the TLS/PKI practices of IoT vendors and serve as a call to action, aiming to raise awareness of these security challenges within the broader IoT ecosystem.


If you find this work helpful, please cite the paper

Others

Additional directions such as routing, attack detection, and anonymous communications.

3 sections

Section 1 of 3

Internet Routing

Focus

BGP SCION

Summary

We work on both the de facto interdomain routing protocol, BGP, and the next-generation network architecture SCION. Our work spans BGP attacks, BGP measurement, and SCION-based deployment, including the SBAS and SCIERA systems.

Papers

Each paper card keeps related deployment or artifact information directly alongside the citation.

Under Submission

BGP community measurement project

Section 2 of 3

Anonymous Communications

Focus

Tor Traffic Analysis

Summary

We work on Tor, the anonymous communication system. We investigate Tor's resilience against passive adversaries in the network who can observe traffic metadata and perform traffic analysis to deanonymize users. We consider adversaries in the Internet backbone, such as AS-level observers who can see TCP/IP headers, and in wireless networks, such as parties inside the cellular backbone who can observe layer-2 cellular data.

Papers

Under Submission

Traffic correlation with layer-2 adversaries

Section 3 of 3

Anomaly Detection

Focus

Network Security Detection Systems

Summary

We build anomaly detection frameworks using network and system logs across environments such as campus networks and enterprise networks.