Hello,

Karthik

I am Karthik Ramakrishnan, a PhD student at Georgia Institute of Technology currently being advised by Prof. Frank Li.

My research interests focus mainly on Web and mobile security, privacy and Internet measurement.

I am always up for collaborations, so if you want to discuss projects that I have worked on or a potential collaboration, the best way to get in touch with me is by e-mail.

Previously, I have worked on:

@l3thal_infosec
in/Karthik
L3thal14
Karthik R

Experience

News

Selected Publications

  • Crawling in the Deep: Evaluating Web Crawling Configurations for Web Privacy Measurements. Under submission
    Anonymous Authors
    To be added soon
  • Head(er)s Up! Detecting Security Header Inconsistencies in Browsers. ACM CCS 2025
    Jannis Rautenstrauch, Trung Tin Nguyen, Karthik Ramakrishnan, and Ben Stock
    paper

    In the modern Web, security headers are of the utmost importance for websites to provide protection against various attacks, such as Cross-Site Scripting, Clickjacking, and Cross-Site Leaks. As each security header uses a different syntax and has unique processing rules, correctly implementing them is a complex task for both browser and website developers. Inconsistency in browser behavior related to security headers harms websites as their security depends on their users’ browsers. At the same time, compatibility issues may deter developers from deploying such headers in the first place.
    In this work, we performed a differential evaluation of the security header parsing and enforcement behavior in desktop and mobile browsers to uncover problematic browser differences. We systematically ran 177,146 tests covering 16 security-relevant headers multiple times in 16 browser configurations covering over 97% of the browser engine market share. We identified 5,606 (3.16%) tests that behave inconsistently across browsers. Our subsequent analysis revealed 42 root causes, highlighting the prevalence of implementation issues. 31 of these root causes were yet unknown and resulted in 36 bug reports against the affected browsers and specifications. Many of our reports have already resulted in fixes improving web consistency and users’ security. To foster open science and enable browser vendors to continuously test their security header implementations, we open-source our test framework.

  • Evaluating Privacy Policies under Modern Privacy Laws At Scale: An LLM-Based Automated Approach. USENIX Security Symposium 2025
    Qinge Xie, Karthik Ramakrishnan, and Frank Li
    paper

    Website privacy policies detail an online service’s information practices, including how they handle user data and rights. For many sites, these disclosures are now necessitated by a growing set of privacy regulations, such as GDPR and multiple US state laws, offering visibility into privacy practices that are often not publicly observable. Motivated by this visibility, prior work has explored techniques for automated analysis of privacy policies and characterized specific aspects of real-world policies on a larger scale. However, existing approaches are constrained in the privacy practices they evaluate, as they rely upon rule-based methods or supervised classifiers, and many predate the prominent privacy laws now enacted that drastically shape privacy disclosures. Thus, we lack a comprehensive understanding of modern website privacy practices disclosed through privacy policies.
    In this work, we seek to close this gap by providing a systematic and comprehensive evaluation of website privacy policies at scale. We first systematize the privacy practices discussed by 10 notable privacy regulations currently in effect in the European Union and the US, identifying 34 distinct clauses on privacy practices across 4 overarching themes. We then develop and evaluate an LLM-based approach for assessing these clauses in privacy policies, providing a more accurate, comprehensive, and flexible analysis compared to prior techniques. Finally, we collect privacy policies from over 100K websites, and apply our LLM method to a subset of sites to investigate in-depth the privacy practices of websites today. Ultimately, our work supports broader investigations into web privacy practices moving forward.

  • Whatcha Lookin' At: Investigating Third-Party Web Content in Popular Android Apps. ACM Internet Measurement Conference 2024
    Dhruv Kuchhal, Karthik Ramakrishnan, and Frank Li
    paper

    Over 65% of web traffic originates from mobile devices. However, much of this traffic is not from mobile web browsers but rather from mobile apps displaying web content. Android’s WebView has been a common way for apps to display web content, but it entails security and privacy concerns, especially for third-party content. Custom Tabs (CTs) are a more recent and recommended alternative. In this paper, we conduct a large-scale empirical study to examine if the top ∼146.5K Android apps use WebViews and CTs in a manner that aligns with user security and privacy considerations. Our measurements reveal that most apps still use WebViews, particularly to display ads, with only ∼20% using CTs. We also find that while some popular SDKs have migrated to CTs, others (e.g., financial services) benefiting from CT’s properties have not yet done so. Through semi-manual analysis of the top 1K apps, we uncover a handful of apps that use WebViews to show arbitrary web content within their app while modifying the web content behavior. Ultimately, our work seeks to improve our understanding of how mobile apps interact with third-party web content and shed light on real-world security and privacy implications.

More on my scholar profile.

Contact

You can also schedule a 1-on-1 meeting with me using the following link.

Last Updated: November 2025; Thanks to Marco Squarcina for the website template.