Upgrading HTTPS in mid-air: An Empirical Study of Strict Transport Security and Key Pinning

Kranch, Michael J.; Bonneau, Joseph

doi:10.14722/ndss.2015.23162

Cited by 67 publications

(57 citation statements)

References 47 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…Just to mention a few relevant works, previous evaluations focused on other aspects of web security, like remote JavaScript inclusion [19], DOM-based XSS [15], mixed content websites [7], authentication cookies [6] and HSTS [14].…”

Section: Large-scale Analysis Of the Webmentioning

confidence: 99%

Semantics-Based Analysis of Content Security Policy Deployment

2018

View full text Add to dashboard Cite

Content Security Policy (CSP) is a recent W3C standard introduced to prevent and mitigate the impact of content injection vulnerabilities on websites. In this paper we introduce a formal semantics for the latest stable version of the standard, CSP Level 2. We then perform a systematic, large-scale analysis of the effectiveness of the current CSP deployment, using the formal semantics to substantiate our methodology and to assess the impact of the detected issues. We focus on four key aspects that affect the effectiveness of CSP: browser support, website adoption, correct configuration and constant maintenance. Our analysis shows that browser support for CSP is largely satisfactory, with the exception of few notable issues, but unfortunately there are several shortcomings relative to the other three aspects. CSP appears to have a rather limited deployment as yet and, more crucially, existing policies exhibit a number of weaknesses and misconfiguration errors. Moreover, content security policies are not regularly updated to ban insecure practices and remove unintended security violations. We argue that many of these problems can be fixed by better exploiting the monitoring facilities of CSP, while other issues deserve additional research, being more rooted into the CSP design.

show abstract

Section: Large-scale Analysis Of the Webmentioning

confidence: 99%

Semantics-Based Analysis of Content Security Policy Deployment

2018

View full text Add to dashboard Cite

show abstract

“…Kranch and Bonneau [34] studied how HSTS and key pinning are deployed in practice, and found that even such simple proposals to enhance the HTTPS security are challenging to implement. We note that key pinning is overridden by Chrome 47.0 when the server certificate is signed by an imported root certificate.…”

Section: Recommendations For Safer Tls Proxyingmentioning

confidence: 99%

Killed by Proxy: Analyzing Client-end TLS Interception Software

Carnavalet¹,

Mannan²

2016

Proceedings 2016 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

Abstract-To filter SSL/TLS-protected traffic, some antivirus and parental-control applications interpose a TLS proxy in the middle of the host's communications. We set out to analyze such proxies as there are known problems in other (more matured) TLS processing engines, such as browsers and common TLS libraries. Compared to regular proxies, client-end TLS proxies impose several unique constraints, and must be analyzed for additional attack vectors; e.g., proxies may trust their own root certificates for externally-delivered content and rely on a custom trusted CA store (bypassing OS/browser stores). Covering existing and new attack vectors, we design an integrated framework to analyze such client-end TLS proxies. Using the framework, we perform a thorough analysis of eight antivirus and four parentalcontrol applications for Windows that act as TLS proxies, along with two additional products that only import a root certificate. Our systematic analysis uncovered that several of these tools severely affect TLS security on their host machines. In particular, we found that four products are vulnerable to full server impersonation under an active man-in-the-middle (MITM) attack out-of-the-box, and two more if TLS filtering is enabled. Several of these tools also mislead browsers into believing that a TLS connection is more secure than it actually is, by e.g., artificially upgrading a server's TLS version at the client. Our work is intended to highlight new risks introduced by TLS interception tools, which are possibly used by millions of users.

show abstract

“…Finally, Bates et al [11] introduce CERTSHIM, a tool for certificate verification retrofitting that is dynamically hooked to SSL and data transport libraries, while Kranch and Bonneau [25] reveal that cookies can be leaked from domains that implement key pinning to malicious scripts in HTTP domains they load resources from.…”

Section: Related Workmentioning

confidence: 99%

Danger is my middle name

Onwuzurike

Cristofaro

2015

Proceedings of the 8th ACM Conference on Security &Amp; Privacy in Wireless and Mobile Networks

View full text Add to dashboard Cite

This paper presents a measurement study of information leakage and SSL vulnerabilities in popular Android apps. We perform static and dynamic analysis on 100 apps, downloaded at least 10M times, that request full network access. Our experiments show that, although prior work has drawn a lot of attention to SSL implementations on mobile platforms, several popular apps (32/100) accept all certificates and all hostnames, and four actually transmit sensitive data unencrypted. We set up an experimental testbed simulating man-in-the-middle attacks and find that many apps (up to 91% when the adversary has a certificate installed on the victim's device) are vulnerable, allowing the attacker to access sensitive information, including credentials, files, personal details, and credit card numbers. Finally, we provide a few recommendations to app developers and highlight several open research problems.

show abstract

Upgrading HTTPS in mid-air: An Empirical Study of Strict Transport Security and Key Pinning

Cited by 67 publications

References 47 publications

Semantics-Based Analysis of Content Security Policy Deployment

Semantics-Based Analysis of Content Security Policy Deployment

Killed by Proxy: Analyzing Client-end TLS Interception Software

Danger is my middle name

Contact Info

Product

Resources

About