Trust no one else: Detecting MITM attacks against SSL/TLS without third-parties

Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

Volumn 7459 LNCS, Issue , 2012, Pages 199-216

  Dacosta, Italo ^a   Ahamad, Mustaque ^a   Traynor, Patrick ^a  

^a GEORGIA INSTITUTE OF TECHNOLOGY   (United States)

Author keywords

[No Author keywords available]

Indexed keywords

CERTIFICATE AUTHORITY; COMPUTATION TIME; DEPLOYMENT COSTS; EXPERIMENTAL ANALYSIS; MAN IN THE MIDDLES (MITM); MOBILE PLATFORM; SECURE COMMUNICATIONS; SERVER AUTHENTICATION; SERVER PERFORMANCE; SSL/TLS; TRUSTED AUTHORITIES; USER AUTHENTICATION; USER EXPERIENCE; WEB APPLICATION;

INTERNET PROTOCOLS; SECURITY OF DATA; SECURITY SYSTEMS;

AUTHENTICATION;

EID: 84865586926     PISSN: 03029743     EISSN: 16113349     Source Type: Book Series    
DOI: 10.1007/978-3-642-33167-1_12     Document Type: Conference Paper

References (40)

1. Certificate Patrol (2010), http://patrol.psyced.org/
2. Adams, C., Farrell, S.: RFC 2510 - Internet X.509 Public Key Infrastructure Certificate Management Protocols (1999), https://tools.ietf.org/ html/rfc2510
3. Alicherry, M., Keromytis, A.D.: DoubleCheck: Multi-path Verification Against Man-in-the-Middle Attacks. In: Proceedings of the IEEE Symposium on Computers and Communications (2009)
4. Altman, J., Williams, N., Zhu, L.: RFC 5929 - Channel Bindings for TLS (2010), http://tools.ietf.org/html/rfc5929
5. AT&T: Network Averages (2012), http://ipnetwork.bgtmo.ip.att.net/pws/ averages.html
6. Blanchet, B.: ProVerif: Cryptographic Protocol Verifier in the Formal Model, http://www.proverif.ens.fr/
7. BlueKrypt: Cryptographic Key Length Recommendation (2012), http://www.keylength.com/
8. Boyko, V., MacKenzie, P.D., Patel, S.: Provably Secure Password-Authenticated Key Exchange Using Diffie-Hellman. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 156-171. Springer, Heidelberg (2000)
9. Brusilovsky, A., Faynberg, I., Zeltsan, Z., Patel, S.: RFC 5683 - Password-Authenticated Key (PAK) Diffie-Hellman Exchange (2010), http://tools.ietf.org/html/rfc5683
10. Dierks, T., Rescorla, E.: RFC 5246 - The Transport Layer Security (TLS) Protocol Version 1.2 (2008), http://tools.ietf.org/html/rfc5246
11. Eckersley, P., Burns, J.: The (Decentralized) SSL Observatory. In: USENIX Security Symposium (2011) (Invited Talk)
12. Electronic Frontier Foundation (EFF): The Sovereign Keys Project (2011), https://www.eff.org/sovereign-keys
13. Ellison, C., Schneier, B.: Ten Risks of PKI: What You're Not Being Told About Public Key Infrastructure. Computer Security Journal 16(1), 1-7 (2000)
14. Engert, K.: MECAI (2011), http://kuix.de/mecai/
15. Engler, J., Karlof, C., Shi, E., Song, D.: Is It Too Late for PAKE? In: Proceedings of the IEEE Web 2.0 Security and Privacy Workshop (2009)
16. Evans, C., Palmer, C.: Certificate Pinning Extension for HSTS (2011), http://www.ietf.org/mail-archive/web/websec/current/pdfnSTRd9kYcY.pdf
17. Freier, A., Karlton, P., Kocher, P.: RFC 6101 - The Secure Sockets Layer (SSL) Protocol Version 3.0 (2011), https://tools.ietf.org/html/rfc6101
18. Goodin, D.: Web Authentication Authority Suffers Security Breach (2011), http://www.theregister.co.uk/2011/06/21/startssl-security-breach/
19. Gutman, P.: PKI: It's Not Dead, Just Resting. Computer 35(8), 41-49 (2002)
20. Hoffman, P., Schlyter, J.: IETF Internet-Draft: Using Secure DNS to Associate Certificates with Domain Names For TLS (draft-ietf-dane-protocol-06) (2011), http://tools.ietf.org/html/draft-ietf-dane-protocol-06
21. International Telecommunication Union: ITU-T Recommendation X.1035: Password-Authenticated Key Exchange (PAK) Protocol (2007), http://www.itu.int/ rec/T-REC-X.1035/en
22. Keizer, G.: Hackers May Have Stolen Over 200 SSL Certificates (2011), https://www.computerworld.com/s/article/9219663/Hackers-may-have-stolen-over- 200-SSL-certificates
23. Kirk, J.: KPN Stops Issuing SSL Certificates After Possible Breach (2011), https://www.pcworld.com/businesscenter/article/243275/kpn-stops-issuing- ssl-certificates-after-possible-breach.html
24. Langley, A.: Revocation Doesn't Work (2011), http://www.imperialviolet. org/2011/03/18/revocation.html
25. Laurie, B., Langley, A.: Certificate Authority Transparency and Auditability (2011), http://www.links.org/files/ CertificateAuthorityTransparencyandAuditability.pdf
26. Leyden, J.: Inside 'Operation Black Tulip': DigiNotar Hack Analysed (2011), http://www.theregister.co.uk/2011/09/06/diginotar-audit-damning-fail/
27. Leyden, J.: Trustwave Admits Crafting SSL Snooping Certificate (2012), http://www.theregister.co.uk/2012/02/09/tustwave-disavows-mitm-digital-cert/
28. MacKenzie, P.: The PAK suite: Protocols for Password-Authenticated Key Exchange. In: IEEE P1363.2: Password-Based Public-Key Cryptography (2002)
29. MacKenzie, P.D., Patel, S.: Hard Bits of the Discrete Log with Applications to Password Authentication. In: Menezes, A. (ed.) CT-RSA 2005. LNCS, vol. 3376, pp. 209-226. Springer, Heidelberg (2005)
30. Marlinspike, M.: Convergence (2011), http://convergence.io/
31. Oiwa, Y., Takagi, H., Watanabe, H., Suzuki, H.: PAKE-based Mutual HTTP Authentication for Preventing Phishing Attacks (Poster). In: Proceedings of the International Conference on World Wide Web, WWW (2009)
32. Oppliger, R., Hauser, R., Basin, D.: SSL/TLS Session-Aware User Authentication. Computer 41(3), 59-65 (2008)
33. Parno, B., Kuo, C., Perrig, A.: Phoolproof Phishing Prevention. In: Di Crescenzo, G., Rubin, A. (eds.) FC 2006. LNCS, vol. 4107, pp. 1-19. Springer, Heidelberg (2006)
34. Richmond, R.: An Attack Sheds Light on Internet Security Holes (2011), http://www.nytimes.com/2011/04/07/technology/07hack.html
35. Singel, R.: Law Enforcement Appliance Subverts SSL (2010), http://www.wired.com/threatlevel/2010/03/packet-forensics/
36. Soghoian, C., Stamm, S.: Certified Lies: Detecting and Defeating Government Interception Attacks against SSL (Short Paper). In: Danezis, G. (ed.) FC 2011. LNCS, vol. 7035, pp. 250-259. Springer, Heidelberg (2012)
37. Taylor, D., Wu, T., Mavrogiannopoulos, N., Perrin, T.: RFC 5054 - Using the Secure Remote Password (SRP) Protocol for TLS Authentication (2007), http://tools.ietf.org/html/rfc5054
38. Wendlandt, D., Andersen, D.G., Perrig, A.: Perspectives: Improving SSH-style Host Authentication with Multi-path Probing. In: Proceedings of the USENIX Annual Technical Conference, ATC (2008)
39. Williams, N.: RFC 5056 - On the Use of Channel Bindings to Secure Channels (2007), http://tools.ietf.org/html/rfc5056
40. Wu, T.: The Secure Remote Password Protocol. In: Proceedings of the Network and Distributed System Security Symposium (1998)