Stefano Calzavara, R. Focardi, Matús Nemec, Alvise Rabitti, M. Squarcina
{"title":"Postcards from the Post-HTTP World: Amplification of HTTPS Vulnerabilities in the Web Ecosystem","authors":"Stefano Calzavara, R. Focardi, Matús Nemec, Alvise Rabitti, M. Squarcina","doi":"10.1109/SP.2019.00053","DOIUrl":null,"url":null,"abstract":"HTTPS aims at securing communication over the Web by providing a cryptographic protection layer that ensures the confidentiality and integrity of communication and enables client/server authentication. However, HTTPS is based on the SSL/TLS protocol suites that have been shown to be vulnerable to various attacks in the years. This has required fixes and mitigations both in the servers and in the browsers, producing a complicated mixture of protocol versions and implementations in the wild, which makes it unclear which attacks are still effective on the modern Web and what is their import on web application security. In this paper, we present the first systematic quantitative evaluation of web application insecurity due to cryptographic vulnerabilities. We specify attack conditions against TLS using attack trees and we crawl the Alexa Top 10k to assess the import of these issues on page integrity, authentication credentials and web tracking. Our results show that the security of a consistent number of websites is severely harmed by cryptographic weaknesses that, in many cases, are due to external or related-domain hosts. This empirically, yet systematically demonstrates how a relatively limited number of exploitable HTTPS vulnerabilities are amplified by the complexity of the web ecosystem.","PeriodicalId":272713,"journal":{"name":"2019 IEEE Symposium on Security and Privacy (SP)","volume":"133 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2019-05-19","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"18","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2019 IEEE Symposium on Security and Privacy (SP)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/SP.2019.00053","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
引用次数: 18
Abstract
HTTPS aims at securing communication over the Web by providing a cryptographic protection layer that ensures the confidentiality and integrity of communication and enables client/server authentication. However, HTTPS is based on the SSL/TLS protocol suites that have been shown to be vulnerable to various attacks in the years. This has required fixes and mitigations both in the servers and in the browsers, producing a complicated mixture of protocol versions and implementations in the wild, which makes it unclear which attacks are still effective on the modern Web and what is their import on web application security. In this paper, we present the first systematic quantitative evaluation of web application insecurity due to cryptographic vulnerabilities. We specify attack conditions against TLS using attack trees and we crawl the Alexa Top 10k to assess the import of these issues on page integrity, authentication credentials and web tracking. Our results show that the security of a consistent number of websites is severely harmed by cryptographic weaknesses that, in many cases, are due to external or related-domain hosts. This empirically, yet systematically demonstrates how a relatively limited number of exploitable HTTPS vulnerabilities are amplified by the complexity of the web ecosystem.
HTTPS旨在通过提供加密保护层来保护Web上的通信,该保护层确保通信的机密性和完整性,并支持客户机/服务器身份验证。然而,HTTPS基于SSL/TLS协议套件,这些协议套件近年来已被证明容易受到各种攻击。这需要在服务器和浏览器中进行修复和缓解,从而产生了复杂的协议版本和实现,这使得人们不清楚哪些攻击在现代Web上仍然有效,以及它们对Web应用程序安全的影响是什么。在本文中,我们提出了由于加密漏洞导致的web应用程序不安全性的第一个系统定量评估。我们使用攻击树指定针对TLS的攻击条件,我们抓取Alexa Top 10k来评估这些问题对页面完整性,身份验证凭证和web跟踪的影响。我们的研究结果表明,一致数量的网站的安全性受到加密弱点的严重损害,在许多情况下,这些弱点是由于外部或相关域主机。这从经验上系统地证明了相对有限数量的可利用HTTPS漏洞是如何被网络生态系统的复杂性放大的。
京公网安备 11010802042870号
京ICP备2023020795号-1
分享
求助内容:
应助结果提醒方式:
扫码关注我们
