Time Does Not Heal All Wounds: A Longitudinal Analysis of Security-Mechanism Support in Mobile Browsers

Luo, Meng; Laperdrix, Pierre; Honarmand, Nima; Nikiforakis, Nick

doi:10.14722/ndss.2019.23149

Cited by 23 publications

(23 citation statements)

References 22 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In particular, XFO just supports three types of policies: DENY prevents all framing, SAMEORIGIN restricts framing to the same origin as the framed page, and ALLOW-FROM u restricts framing to a single URL u. Note that ALLOW-FROM is not even supported by all browsers (in particular Chrome and Safari), thus making XFO particularly problematic [22]. CSP, instead, may be used to allow framing from a list of arbitrarily many Web origins specified through source expressions.…”

Section: Csp For Framing Controlmentioning

confidence: 99%

Complex Security Policy? A Longitudinal Analysis of Deployed Content Security Policies

Roth

Barron

Calzavara

et al. 2020

Proceedings 2020 Network and Distributed System Security Symposium

Self Cite

View full text Add to dashboard Cite

Section: Csp For Framing Controlmentioning

confidence: 99%

Complex Security Policy? A Longitudinal Analysis of Deployed Content Security Policies

Roth

Barron

Calzavara

et al. 2020

Proceedings 2020 Network and Distributed System Security Symposium

Self Cite

View full text Add to dashboard Cite

“…It is the misconfigured HTTP headers and the vulnerable response contents that are used for SCC attacks on secure traffic. Besides, the pervasiveness of inconsistencies among servers still affect some high profile websites [25,48,52]. Therefore, developers should pay more attention to the implementation details for security.…”

Section: Discussion 61 Root Causesmentioning

confidence: 99%

Talking with Familiar Strangers: An Empirical Study on HTTPS Context Confusion Attacks

Zhang

Zheng

Shen

et al. 2020

Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security

View full text Add to dashboard Cite

HTTPS is principally designed for secure end-to-end communication, which adds confidentiality and integrity to sensitive data transmission. While several man-in-the-middle attacks (e.g., SSL Stripping) are available to break the secured connections, state-ofthe-art security policies (e.g., HSTS) have significantly increased the cost of successful attacks. However, the TLS certificates shared by multiple domains make HTTPS hijacking attacks possible again. In this paper, we term the HTTPS MITM attacks based on the shared TLS certificates as HTTPS Context Confusion Attack (SCC Attack). Despite a known threat, it has not yet been studied thoroughly. We aim to fill this gap with an in-depth empirical assessment of SCC Attack. We find the attack can succeed even for servers that have deployed current best practice of security policies. By rerouting encrypted traffic to another flawed server that shares the TLS certificate, attackers can bypass the security practices, hijack the ongoing HTTPS connections, and subsequently launch additional attacks including phishing and payment hijacking. Particularly, vulnerable HTTP headers from a third-party server are exploitable for this attack, and it is possible to hijack an already-established secure connection. Through tests on popular websites, we find vulnerable subdomains under 126 apex domains in Alexa top 500 sites, including large vendors like Alibaba, JD, and Microsoft. Meanwhile, through a large-scale measurement, we find that TLS certificate sharing is prominent, which uncovers the high potential of such attacks, and we summarize the security dependencies among different parties. For responsible disclosure, we have reported the issues to affected vendors and received positive feedback. Our study sheds light on an influential attack surface of the HTTPS ecosystem and calls for proper mitigation against MITM attacks. CCS CONCEPTS • Security and privacy → Security services; Network security.

show abstract

“…The study of inconsistencies in Web security has primarily focused on analyzing bugs leading to different levels of protection across browsers. Notably, previous work focused on incoherent implementations of the SOP [30,29], broken support for security mechanisms in mobile browsers [17], and differing guarantees in clickjacking protection [7]. Other papers also studied the inconsistent deployment of HTTP headers between the desktop and the mobile version of the same site [18,37].…”

Section: Inconsistencies In Web Securitymentioning

confidence: 99%

Reining in the Web's Inconsistencies with Site Policy

Calzavara¹,

Urban²,

Tatang³

et al. 2021

Proceedings 2021 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

Time Does Not Heal All Wounds: A Longitudinal Analysis of Security-Mechanism Support in Mobile Browsers

Cited by 23 publications

References 22 publications

Complex Security Policy? A Longitudinal Analysis of Deployed Content Security Policies

Complex Security Policy? A Longitudinal Analysis of Deployed Content Security Policies

Talking with Familiar Strangers: An Empirical Study on HTTPS Context Confusion Attacks

Reining in the Web's Inconsistencies with Site Policy

Contact Info

Product

Resources

About