CALZAVARA, Stefano, Riccardo FOCARDI, Matúš NEMEC, Alvise RABITTI and Marco SQUARCINA. Postcards from the Post-HTTP World: Amplification of HTTPS Vulnerabilities in the Web Ecosystem. Online. In Proceedings of the 40th IEEE Symposium on Security and Privacy. San Francisco, CA, US: IEEE, 2019, p. 281-298. ISBN 978-1-5386-6660-9. Available from: https://dx.doi.org/10.1109/SP.2019.00053.
Basic information
Original name Postcards from the Post-HTTP World: Amplification of HTTPS Vulnerabilities in the Web Ecosystem
Authors CALZAVARA, Stefano (380 Italy), Riccardo FOCARDI (380 Italy), Matúš NEMEC (703 Slovakia, belonging to the institution), Alvise RABITTI (380 Italy) and Marco SQUARCINA (380 Italy).
Edition San Francisco, CA, US, Proceedings of the 40th IEEE Symposium on Security and Privacy, p. 281-298, 18 pp. 2019.
Publisher IEEE
Other information
Original language English
Type of outcome Proceedings paper
Field of Study 10201 Computer sciences, information science, bioinformatics
Country of publisher United States of America
Confidentiality degree is not subject to a state or trade secret
Publication form electronic version available online
RIV identification code RIV/00216224:14330/19:00107250
Organization unit Faculty of Informatics
ISBN 978-1-5386-6660-9
ISSN 1081-6011
Doi http://dx.doi.org/10.1109/SP.2019.00053
UT WoS 000510006100017
Keywords in English TLS; HTTPS; security vulnerability; Internet scan; Web security
Tags core_A, firank_1
Tags International impact, Reviewed
Changed by: RNDr. Pavel Šmerk, Ph.D. Changed: 28/4/2020 07:53.
Abstract
HTTPS aims at securing communication over the Web by providing a cryptographic protection layer that ensures the confidentiality and integrity of communication and enables client/server authentication. However, HTTPS is based on the SSL/TLS protocol suites, which have been shown to be vulnerable to various attacks over the years. This has required fixes and mitigations both in servers and in browsers, producing a complicated mixture of protocol versions and implementations in the wild, which makes it unclear which attacks are still effective on the modern Web and what their import is on web application security. In this paper, we present the first systematic quantitative evaluation of web application insecurity due to cryptographic vulnerabilities. We specify attack conditions against TLS using attack trees and we crawl the Alexa Top 10k to assess the import of these issues on page integrity, authentication credentials and web tracking. Our results show that the security of a considerable number of websites is severely harmed by cryptographic weaknesses that, in many cases, are due to external or related-domain hosts. This empirically, yet systematically, demonstrates how a relatively limited number of exploitable HTTPS vulnerabilities are amplified by the complexity of the web ecosystem.
Links
GA16-08565S, research and development project. Name: Development of cryptanalytic methods through evolutionary computation (original title: Rozvoj kryptoanalytických metod prostřednictvím evolučních výpočtů)
Investor: Czech Science Foundation
MUNI/A/1040/2018, internal MU code. Name: Involvement of Faculty of Informatics students in the international scientific community 19 (original title: Zapojení studentů Fakulty informatiky do mezinárodní vědecké komunity 19) (Acronym: SKOMU)
Investor: Masaryk University, Category A