Keyjacking: The surprising insecurity of client-side SSL

Computers and Security

Volumn 24, Issue 2, 2005, Pages 109-123

  Marchesini, John ^a   Smith, S W ^a   Zhao, Meiyuan ^a  

^a Dartmouth College   (United States)

Author keywords

API hijacking; Application security; Authentication; PKI; Spoofing; SSL; Usability; USB tokens

Indexed keywords

CRYPTOGRAPHY; DATA TRANSFER; DECISION MAKING; INFORMATION SERVICES; INFORMATION TECHNOLOGY; RISK ASSESSMENT; SERVERS; WORLD WIDE WEB;

PUBLIC-KEY CERTIFICATES; PUBLIC-KEY CRYPTOGRAPHY; SERVER-SIDE AUTHENTICATION; WEB INTERACTION;

SECURITY OF DATA;

EID: 17844381888     PISSN: 01674048     EISSN: None     Source Type: Journal    
DOI: 10.1016/j.cose.2004.06.014     Document Type: Article

References (35)

1. R. Anderson Why cryptosystems fail Communications of the ACM November 1994 32 40
2. D.B. Berkeley http://www.sleepycat.com
3. Buyer's guide - Web portal security solution http://www.entrust.com/ resources/pdf/buyers_guide.pdf November 2001
4. E. Felten, D. Balfanz, D. Dean, and D. Wallach Web spoofing: an Internet con game 20th National information systems security conference 1997
5. K. Fu, E. Sit, K. Smith, and N. Feamster Dos and don'ts of client authentication on the Web USENIX Security 2001
6. P. Gutmann How to recover private keys for Microsoft Internet Explorer, Internet Information Server, Outlook Express, and many others - or - where do your encryption keys want to go today? www.cs.auckland.ac.nz/∼pgut001/pubs/ breakms.txt
7. J. Hamilton CGI programming 101 www.CGI101.com 1999
8. S. Henson Netscape certificate database info http://www.drh-consultancy. demon.co.uk/cert7.html
9. S. Henson Netscape key database format http://www.drh-consultancy.demon. co.uk/key3.html
10. Huy P, Lewis G, Liu M. Beyond the black box: a case study in c to java conversion and product extensibility. Technical report, Carnegie Mellon Software Engineering Institute; 2001.
11. Implementing web site client authentication using digital IDs and the Netscape Enterprise Server 2.0 http://www.verisign.com/repository/clientauth/ ent_ig.htm#clientauth
12. Information about the clear SSL state option in Windows XP http://support.microsoft.com/?kbid=290345 Microsoft Knowledge Base Article - 290345
13. Installing DoD PKI Class 3 Certificates into Windows 2000 for use with Microsoft products; May 2003.
14. K. Kain, S.W. Smith, and R. Asokan Digital signatures and electronic documents: a cautionary tale Advanced communications and multimedia security 2002 Kluwer Academic Publishers
15. S. Lawrence, and P. Leach User agent authentication forms http://www.w3.org/TR/NOTE-authentform February 1999
16. Microsoft. Net Passport http://www.passport.net/Consumer/default.asp
17. Microsoft authenticode developer certificates http://www.thawte.com/ getinfo/products/devel/msauthenticode.html
18. Mozilla NSS Security Tools http://www.mozilla.org
19. Netscape form signing http://developer.netscape.com/tech/security/ formsign/formsign.html 1999
20. Netscape Communications Corp Command-line tools guide: netscape certificate management system 4.5 ed. October 2001
21. Niederst J. Web design in a nutshell (2/E). O'Reilly; 2001.
22. Offline NT password & registry editor http://home.eunet.no/pnordahl/ ntpasswd
23. OS Security, Inc. Round one: "DLL Proxy" attack easily hijacks SSL from Internet Explorer http://www.securityfocus.com/archive/1/353203/2004- 02-09/2004-02-15/2
24. Personal certificates http://www.thawte.com/html/COMMUNITY/personal/
25. M. Pietrek Under The Hood Microsoft Systems Journal February 2000
26. B. Pinkas, and T. Sander Securing passwords against dictionary attacks ACM Computer and Communications Security 2002
27. Preventing HTML form tampering http://advosys.ca/papers/form-tampering. html August 2001
28. Pubcookie: open-source Software for intra-institutional Web authentication http://www.washington.edu/pubcookie/
29. L. Stein, and J. Stewart The world wide web security FAQ http://www.w3.org/Security/Faq/ February 2002
30. Unpatched IE security holes http://www.pivx.com/larholm/unpatched/
31. A. Whitten, and J.D. Tygar Why Johnny can't encrypt: a usability evaluation of PGP 5.0 USENIX Security 1999
32. Windows prompts you for your password multiple times when you use outlook if strong private key protection is set to high http://support.microsoft.com/? kbid=821574 Microsoft Knowledge Base Article - 821574
33. E. Ye, and S.W. Smith Trusted paths for browsers USENIX Security 2002
34. Ye E, Yuan Y, Smith SW. Web spoofing revisited: SSL and beyond. Technical report TR2002-417, Department of Computer Science, Dartmouth College; 2002.
35. K.-P. Yee User interaction design for secure systems http://zesty.ca/sid/ uidss-may-28.pdf