Postcards from the Post-HTTP World: Amplification of HTTPS
Vulnerabilities in the Web Ecosystem

D 2019

Postcards from the Post-HTTP World: Amplification of HTTPS Vulnerabilities in the Web Ecosystem

CALZAVARA, Stefano; Riccardo FOCARDI; Matúš NEMEC; Alvise RABITTI; Marco SQUARCINA et. al.

Základní údaje

Originální název

Postcards from the Post-HTTP World: Amplification of HTTPS Vulnerabilities in the Web Ecosystem

Autoři

CALZAVARA, Stefano; Riccardo FOCARDI; Matúš NEMEC; Alvise RABITTI a Marco SQUARCINA

Vydání

San Fransisco, CA, US, Proceedings of the 40th IEEE Symposium on Security and Privacy, od s. 281-298, 18 s. 2019

Nakladatel

IEEE

Další údaje

Jazyk

angličtina

Typ výsledku

Stať ve sborníku

Obor

10201 Computer sciences, information science, bioinformatics

Stát vydavatele

Spojené státy

Utajení

není předmětem státního či obchodního tajemství

Forma vydání

elektronická verze "online"

Odkazy

URL

Kód RIV

RIV/00216224:14330/19:00107250

Organizační jednotka

Fakulta informatiky

ISBN

978-1-5386-6660-9

ISSN

DOI

https://doi.org/10.1109/SP.2019.00053

UT WoS

000510006100017

EID Scopus

2-s2.0-85071720539

Klíčová slova anglicky

TLS; HTTPS; security vulnerability; Internet scan; Web security

Štítky

core_A, firank_1

Příznaky

Mezinárodní význam, Recenzováno

Změněno: 28. 4. 2020 07:53, RNDr. Pavel Šmerk, Ph.D.

Anotace

V originále

HTTPS aims at securing communication over the Web by providing a cryptographic protection layer that ensures the confidentiality and integrity of communication and enables client/server authentication. However, HTTPS is based on the SSL/TLS protocol suites that have been shown to be vulnerable to various attacks in the years. This has required fixes and mitigations both in the servers and in the browsers, producing a complicated mixture of protocol versions and implementations in the wild, which makes it unclear which attacks are still effective on the modern Web and what is their import on web application security. In this paper, we present the first systematic quantitative evaluation of web application insecurity due to cryptographic vulnerabilities. We specify attack conditions against TLS using attack trees and we crawl the Alexa Top 10k to assess the import of these issues on page integrity, authentication credentials and web tracking. Our results show that the security of a consistent number of websites is severely harmed by cryptographic weaknesses that, in many cases, are due to external or related-domain hosts. This empirically, yet systematically demonstrates how a relatively limited number of exploitable HTTPS vulnerabilities are amplified by the complexity of the web ecosystem.

Návaznosti

GA16-08565S, projekt VaV

Název: Rozvoj kryptoanalytických metod prostřednictvím evolučních výpočtů

Investor: Grantová agentura ČR, Advancing cryptanalytic methods through evolutionary computing

MUNI/A/1040/2018, interní kód MU

Název: Zapojení studentů Fakulty informatiky do mezinárodní vědecké komunity 19 (Akronym: SKOMU)

Investor: Masarykova univerzita, Zapojení studentů Fakulty informatiky do mezinárodní vědecké komunity 19, DO R. 2020_Kategorie A - Specifický výzkum - Studentské výzkumné projekty

Citovat

CALZAVARA, Stefano; Riccardo FOCARDI; Matúš NEMEC; Alvise RABITTI a Marco SQUARCINA. Postcards from the Post-HTTP World: Amplification of HTTPS Vulnerabilities in the Web Ecosystem. Online. In Proceedings of the 40th IEEE Symposium on Security and Privacy. San Fransisco, CA, US: IEEE, 2019, s. 281-298. ISBN 978-1-5386-6660-9. Dostupné z: https://doi.org/10.1109/SP.2019.00053.

@inproceedings{1492311,
   author = {Calzavara, Stefano and Focardi, Riccardo and Nemec, Matúš and Rabitti, Alvise and Squarcina, Marco},
   address = {San Fransisco, CA, US},
   booktitle = {Proceedings of the 40th IEEE Symposium on Security and Privacy},
   doi = {https://doi.org/10.1109/SP.2019.00053},
   keywords = {TLS; HTTPS; security vulnerability; Internet scan; Web security},
   howpublished = {elektronická verze "online"},
   language = {eng},
   location = {San Fransisco, CA, US},
   isbn = {978-1-5386-6660-9},
   pages = {281-298},
   publisher = {IEEE},
   title = {Postcards from the Post-HTTP World: Amplification of HTTPS Vulnerabilities in the Web Ecosystem},
   url = {https://www.computer.org/csdl/proceedings-article/sp/2019/666000a948/19skg7hRywM},
   year = {2019}
}

TY  - CONF
ID  - 1492311
AU  - Calzavara, Stefano - Focardi, Riccardo - Nemec, Matúš - Rabitti, Alvise - Squarcina, Marco
PY  - 2019
TI  - Postcards from the Post-HTTP World: Amplification of HTTPS Vulnerabilities in the Web Ecosystem
PB  - IEEE
CY  - San Fransisco, CA, US
SN  - 9781538666609
KW  - TLS
KW  - HTTPS
KW  - security vulnerability
KW  - Internet scan
KW  - Web security
UR  - https://www.computer.org/csdl/proceedings-article/sp/2019/666000a948/19skg7hRywM
L2  - https://www.computer.org/csdl/proceedings-article/sp/2019/666000a948/19skg7hRywM
N2  - HTTPS aims at securing communication over the Web by providing a cryptographic protection layer that ensures the confidentiality and integrity of communication and enables client/server authentication. However, HTTPS is based on the SSL/TLS protocol suites that have been shown to be vulnerable to various attacks in the years. This has required fixes and mitigations both in the servers and in the browsers, producing a complicated mixture of protocol versions and implementations in the wild, which makes it unclear which attacks are still effective on the modern Web and what is their import on web application security. In this paper, we present the first systematic quantitative evaluation of web application insecurity due to cryptographic vulnerabilities. We specify attack conditions against TLS using attack trees and we crawl the Alexa Top 10k to assess the import of these issues on page integrity, authentication credentials and web tracking. Our results show that the security of a consistent number of websites is severely harmed by cryptographic weaknesses that, in many cases, are due to external or related-domain hosts. This empirically, yet systematically demonstrates how a relatively limited number of exploitable HTTPS vulnerabilities are amplified by the complexity of the web ecosystem.
ER  -

CALZAVARA, Stefano; Riccardo FOCARDI; Matúš NEMEC; Alvise RABITTI a Marco SQUARCINA. Postcards from the Post-HTTP World: Amplification of HTTPS Vulnerabilities in the Web Ecosystem. Online. In \textit{Proceedings of the 40th IEEE Symposium on Security and Privacy}. San Fransisco, CA, US: IEEE, 2019, s.~281-298. ISBN~978-1-5386-6660-9. Dostupné z: https://doi.org/10.1109/SP.2019.00053.

Přehled o publikaci