Detecting and defeating advanced man-in-the-middle attacks against TLS

Hoz, Enrique de la; Cochrane, Gary; Moreira-Lemus, Jose Manuel; Paez-Reyes, Rafael; Marsa-Maestre, Iván; Alarcos, Bernardo

doi:10.1109/cycon.2014.6916404

Cited by 12 publications

(5 citation statements)

References 15 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The first time a browser interacts with such a device, the user will be warned that the presented certificate is not publicly signed and must accept this self-signed certificate. This creates an opportunity for a man-in-the-middle (MITM) attack (Conti et al, 2016;De La Hoz et al, 2014). The use of these self-signed certificates also decreases zero-trust metrics (Simpson, 2022).…”

Section: The Intranet Certification Problemmentioning

confidence: 99%

On The Zero-Trust Intranet Certification Problem

Botha-Badenhorst,

McDonald,

Barbour

et al. 2024

iccws

View full text Add to dashboard Cite

Securing corporate networks and ensuring the trustworthiness of network resources are critical security concerns for organisations in today's interconnected digital landscape. The zero-trust security model is an approach to designing and implementing ICT systems which prescribes that clients and servers cannot be trusted automatically, even when connected to networks traditionally considered trusted. The implementation of the zero-trust model within the corporate intranet requires a secure method to verify the identity of local servers. On the Internet, trust in the identity of public servers is established by well-known public Certificate Authorities (CAs), which issue digital certificates to securely identify servers. However, local intranet servers exist within the internal address space of the network. Consequently, it is impossible to naturally obtain digital certificates for these servers, validly signed by a public CA, without publicly disclosing sensitive information such as intranet server Domain Name System (DNS) records. This leaves organisations with the option of relying on endpoint management systems to install custom CA root certificates on all corporate browsers or, in some cases, ignoring the problem altogether. In this paper, we draw on practical experience in the deployment of cybersecurity devices in corporate intranets to formally define the intranet certification problem. We specify five requirements that a solution to this problem must satisfy. We then conduct a comprehensive review of existing candidate solutions and academic research relevant to the intranet certification problem. Specifically, existing ICT systems for public key infrastructure and endpoint management are identified and evaluated with respect to their ability to meet the stated requirements for solving the intranet certification problem, as well as their cost. Our study reveals that solutions that meet the technical and security requirements of the intranet certification problem are beyond the reach of smaller private sector companies and public sector organisations in underdeveloped and emerging economies. The high cost and technical expertise required for their implementation and management render these solutions impractical. Consequently, by relying on servers with self-signed certificates, these entities inadvertently leave their servers susceptible to impersonation, information theft, and unauthorised resource access, thus violating the fundamental principles of the zero-trust model. We conclude that a gap exists for a simple, cost-effective, and easily managed solution to the intranet certification problem.

show abstract

Section: The Intranet Certification Problemmentioning

confidence: 99%

On The Zero-Trust Intranet Certification Problem

Botha-Badenhorst,

McDonald,

Barbour

et al. 2024

iccws

View full text Add to dashboard Cite

show abstract

“…MITM (Man In The Middle): A classic attack method consists in creating its access point [27], and forging the gateway to access a requesting server. When an attacker secretly relays and, if necessary, modifies the connection between two objects that believe they interact directly with each other, it is a method to compromise a communication channel by connecting to the channel between contractors, followed by an intervention the transmission protocol ( Figure 4).…”

Section: Possibilities Of Attackmentioning

confidence: 99%

H-Rotation: Secure Storage and Retrieval of Passphrases on the Authentication Process

Touil¹,

Akkad²,

Satori³

2020

IJSSE

View full text Add to dashboard Cite

Passwords/passphrases can be either system generated or user-selected. A combination of both approaches is also possible—encryption created by the system and assigned to the user by the information system meeting the policy requirements. Policy rules can be designed to increase security and usability factors, such as information storage and retrieval. This paper proposes an algorithm dedicated to the security of passphrases in an online authentication, so the passphrase entered will be stored in a remote database. Through an SHA-3 hash function, the system must hash the pass phase. Before storage, the system must apply random rotations on the already generated HASH while eliminating any traceability performed on the different transactions performed. To prevent the hacker from using them recurrently if he wants to attack our database. Then the system must recover the real HASH and then the passphrase based on the data provided by the user in the form of codes.

show abstract

“…This key will be used by the website coordinator to encrypt the carrier image's symmetric key before it is emailed to the requestor. The use of a video call interview is intended to defeat any so-called Man-in-the-Middle (MITM) attacks (see de la Hoz et al (2014)) during public key transmission from the requestor to the website coordinator and works by verifying that the apparent requestor is not in reality an attacker masquerading as the legitimate requestor. In order to do this, the website coordinator compares the face of the person on the video call with known photographs of the requestor, and asks a number of questions to verify that the person in the video call is not an attacker impersonating the requestor.…”

Section: Security Protocolsmentioning

confidence: 99%

Automatic Acquisition and Sustainable Use of Political-Ecological Data

Haas

2018

Data Science Journal

View full text Add to dashboard Cite

The sustainable management of anthropogenically-impacted ecosystems will require ongoing monitoring and advocacy by people across the globe. To this end, automatic methods are developed herein for acquiring several types of such political-ecological data. On the political side, a method is developed for gathering news articles about human actions that affect the ecosystem along with a method for identifying themes in social media that concern the consumption of an ecosystem's products. On the ecosystem side, a method is derived for estimating wildlife abundance from purchasable high-resolution satellite images. A simple website architecture is described for holding this data and enabling its use in developing sustainable conservation policies. A rhino conservation website illustrates this architecture. A fundamental contradiction between the desire for open data on the locations of endangered flora and fauna versus the need to hide these locations from poachers is addressed through a new security protocol that enables the secure distribution of sensitive ecosystem data to trusted data consumers.

show abstract

Detecting and defeating advanced man-in-the-middle attacks against TLS

Cited by 12 publications

References 15 publications

On The Zero-Trust Intranet Certification Problem

On The Zero-Trust Intranet Certification Problem

H-Rotation: Secure Storage and Retrieval of Passphrases on the Authentication Process

Automatic Acquisition and Sustainable Use of Political-Ecological Data

Contact Info

Product

Resources

About