Man-in-the-browser-cache: Persisting HTTPS attacks via browser cache poisoning

Jia, Yaoqi; Chen, Yue; Dong, Xinshu; Saxena, Prateek; Mao, Jian; Liang, Zhenkai

doi:10.1016/j.cose.2015.07.004

Cited by 37 publications

(24 citation statements)

References 22 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In [28], the authors implement an IoT-based health prescription assistant and achieve user authentication and access control on their system. However, the data confidentiality is not considered during the transmission process [29]. Although they have reduced some communication and computation latency in their small-scale data experiment, it is still not enough for real world network with super large amount of data [30].…”

Section: Related Workmentioning

confidence: 99%

A Lightweight Fine-Grained Searchable Encryption Scheme in Fog-Based Healthcare IoT Networks

Jing

2019

Wireless Communications and Mobile Computing

View full text Add to dashboard Cite

For a smart healthcare system, a cloud based paradigm with numerous user terminals is to support and improve more reliable, convenient, and intelligent services. Considering the resource limitation of terminals and communication overhead in cloud paradigm, we propose a hybrid IoT-Fog-Cloud framework. In this framework, we deploy a geo-distributed fog layer at the edge of networks. The fogs can provide the local storage, sufficient processing power, and appropriate network functions. For the fog-based healthcare system, data confidentiality, access control, and secure searching over ciphertext are the key issues in sensitive data. Furthermore, how to adjust the storage and computing requirements to meet the limited resource is also a great challenge for data management. To address these, we design a lightweight keyword searchable encryption scheme with fine-grained access control for our proposed healthcare related IoT-Fog-Cloud framework. Through our design, the users can achieve a fast and efficient service by delegating a majority part of the workloads and storage requirements to fogs and the cloud without extra privacy leakage. We prove our scheme satisfies the security requirements and demonstrate the excellent efficiency through experimental evaluation.

show abstract

Section: Related Workmentioning

confidence: 99%

A Lightweight Fine-Grained Searchable Encryption Scheme in Fog-Based Healthcare IoT Networks

Jing

2019

Wireless Communications and Mobile Computing

View full text Add to dashboard Cite

show abstract

“…Particularly in case CORS is not used in conjunction with the integrity checks, these information leakages may allow an attacker to eventually guess authentication details [36], for instance. In addition to these three explicitly mentioned weaknesses, so-called browser cache poisoning may potentially circumvent the integrity checks [18]. As always, there may be also other already known or yet unknown weaknesses affecting the subresource integrity standard.…”

Section: Integrity Of Cross-origin Javascriptsmentioning

confidence: 99%

On the Integrity of Cross-Origin JavaScripts

Ruohonen

Salovaara

Leppänen

2018

ICT Systems Security and Privacy Protection

View full text Add to dashboard Cite

The same-origin policy is a fundamental part of the Web. Despite the restrictions imposed by the policy, embedding of third-party JavaScript code is allowed and commonly used. Nothing is guaranteed about the integrity of such code. To tackle this deficiency, solutions such as the subresource integrity standard have been recently introduced. Given this background, this paper presents the first empirical study on the temporal integrity of cross-origin JavaScript code. According to the empirical results based on a ten day polling period of over 35 thousand scripts collected from popular websites, (i) temporal integrity changes are relatively common; (ii) the adoption of the subresource integrity standard is still in its infancy; and (iii) it is possible to statistically predict whether a temporal integrity change is likely to occur. With these results and the accompanying discussion, the paper contributes to the ongoing attempts to better understand security and privacy in the current Web.

show abstract

“…Based on this information, the adversary is capable of determining who is the initiator/responder and further infer the exact video that the victim is watching. In addition, it turns out that BemTV does not guarantee the content integrity between peers in the network, which opens up possibilities for content pollution attacks [47,51,61]. Besides BemTV, we have also carried out inference attacks on another video streaming service called P2PSP [16].…”

Section: Inference Attacks and Real-world Examplesmentioning

confidence: 99%

Anonymity in Peer-assisted CDNs: Inference Attacks and Mitigation

Jia

Bai

Saxena

et al. 2016

Proceedings on Privacy Enhancing Technologies

Self Cite

View full text Add to dashboard Cite

Abstract:The peer-assisted CDN is a new content distribution paradigm supported by CDNs (e.g., Akamai), which enables clients to cache and distribute web content on behalf of a website. Peer-assisted CDNs bring significant bandwidth savings to website operators and reduce network latency for users. In this work, we show that the current designs of peerassisted CDNs expose clients to privacy-invasive attacks, enabling one client to infer the set of browsed resources of another client. To alleviate this, we propose an anonymous peerassisted CDN (APAC), which employs content delivery while providing initiator anonymity (i.e., hiding who sends the resource request) and responder anonymity (i.e., hiding who responds to the request) for peers. APAC can be a web service, compatible with current browsers and requiring no client-side changes. Our anonymity analysis shows that our APAC design can preserve a higher level of anonymity than state-of-the-art peer-assisted CDNs. In addition, our evaluation demonstrates that APAC can achieve desired performance gains.

show abstract

Man-in-the-browser-cache: Persisting HTTPS attacks via browser cache poisoning

Cited by 37 publications

References 22 publications

A Lightweight Fine-Grained Searchable Encryption Scheme in Fog-Based Healthcare IoT Networks

A Lightweight Fine-Grained Searchable Encryption Scheme in Fog-Based Healthcare IoT Networks

On the Integrity of Cross-Origin JavaScripts

Anonymity in Peer-assisted CDNs: Inference Attacks and Mitigation

Contact Info

Product

Resources

About