On the effective prevention of TLS man-in-the-middle attacks in web applications

Proceedings of the 23rd USENIX Security Symposium

Volumn , Issue , 2014, Pages 671-686

  Karapanos, Nikolaos ^a   Capkun, Srdjan ^a  

^a ETH ZURICH   (Switzerland)

Author keywords

[No Author keywords available]

Indexed keywords

NETWORK SECURITY; SEEBECK EFFECT;

CLIENT AUTHENTICATION; ID-BASED AUTHENTICATIONS; MAN IN THE MIDDLE ATTACKS; MAN IN THE MIDDLES (MITM); SERVER AUTHENTICATION; WEB APPLICATION; WEB AUTHENTICATION; WEB INFRASTRUCTURE;

AUTHENTICATION;

EID: 84940393598     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: None     Document Type: Conference Paper

References (52)

1. The Heartbleed Bug. http://heartbleed.com/.
2. ADKINS, H. An update on attempted man-in-the-middle attacks. http://googleonlinesecurity.blogspot.ch/2011/08/update-on-attempted-man-in-middle.html.
3. AUBOURG, J., SONG, J., STEEN, H. R. M., and VAN KESTEREN, A. XML Http Request (W3C Working Draft). http://www.w3.org/TR/2012/WD-XMLHttpRequest-20121206/.
4. BALFANZ, D., and HAMILTON, R. Transport Layer Security (TLS) Channel IDs, v01 (IETF Internet-Draf). http://tools.ietf.org/html/draft-balfanz-tls-channelid-01, 2013.
5. BARTH, A. The web origin concept (RFC 6454). http://tools.ietf.org/html/rfc6454, 2011.
6. BELSHE, M., and PEON, R. SPDY protocol (IETF InternetDraf). http://tools.ietf.org/html/draft-mbelshe-httpbis-spdy-00, 2012.
7. BHARGAVAN, K., DELIGNAT-LAVAUD, A., FOURNET, C., PIRONTI, A., and STRUB, P.-Y. Triple handshakes and cookie cutters: Breaking and fixing authentication over TLS. In IEEE SP (Oakland), 2014.
8. BIRGISSON, A., and POLITZ., J. G., ERLINGSSON, U., TALY, A., VRABLE, M., and LENTCZNER, M. Macaroons: Cookies with contextual caveats for decentralized authorization in the Cloud. In NDSS, 2014.
9. BRIGHT, P. Independent Iranian Hacker Claims Responsibility for Comodo Hack. http://www.wired.com/2011/03/comodo_hack/.
10. CLARK, J., and VAN OORSCHOT, P. C. SoK: SSL and HTTPS: Revisiting past challenges and evaluating certificate trust model enhancements. In IEEE SP (Oakland), 2013.
11. COATES, M. Revoking trust in two TurkTrust certificates. https://blog.mozilla.org/security/2013/01/03/revoking-trust-in-two-turktrust-certficates/.
12. CZESKIS, A., and BALFANZ, D. Protected login. In USEC, 2012.
13. CZESKIS, A., DIETZ, M., KOHNO, T., WALLACH, D., and BALFANZ, D. Strengthening user authentication through opportunistic cryptographic identity assertions. In CCS, 2012.
14. DIERKS, T., and RESCORLA, E. The Transport Layer Security (TLS) protocol, version 1.2 (RFC 5246). http://tools.ietf.org/html/rfc5246, 2008.
15. DIETZ, M., CZESKIS, A., BALFANZ, D., and WALLACH, D. S. Origin-bound certificates: A fresh approach to strong client authentication for the web. In USENIX Security, 2012.
16. DIETZ, M., and WALLACH, D. S. Hardening Persona - Improving federated web login. In NDSS, 2014.
17. DRIELSMA, P. H., MÖDERSHEIM, S., VIGANÒ, L., and BASIN, D. Formalizing and analyzing sender invariance. In FAST, 2006.
18. ECKERSLEY, P. A Syrian MITM attack against Facebook. https://www.eff.org/deeplinks/2011/05/syrian-man-middle-against-facebook.
19. ECKERSLEY, P. The Sovereign Keys project. https://www.eff.org/sovereign-keys.
20. EVANS, C., PALMER, C., and SLEEVI, R. Public key pinning extension for HTTP (IETF Internet-Draf). http://tools.ietf.org/html/draft-ietf-websec-key-pinning-09, 2013.
21. FETTE, I., and MELNIKOV, A. The WebSocket protocol (RFC 6455). http://tools.ietf.org/html/rfc6455, 2011.
22. FIDO ALLIANCE. Universal 2nd Factor (U2F) overview, Version 1.0 (review draft). http://fidoalliance.org/specs/fido-u2f-overview-v1.0-rd-20140209.pdf.
23. FIELDING, R., GETTYS, J., MOGUL, J., FRYSTYK, H., MAS-INTER, L., LEACH, P., and BERNERS-LEE, T. Hypertext Transfer Protocol - HTTP/1.1 (RFC 2616). http://tools.ietf.org/html/rfc2616, 1999.
24. GOOGLE DEVELOPERS. Minimize request overhead. https://developers.google.com/speed/docs/best-practices/request.
25. GOOGLE DEVELOPERS. Optimize caching. https://developers.google.com/speed/docs/best-practices/caching.
26. HICKSON, I. Offline web applications (HTML 5 working draft). http://www.whatwg.org/specs/web-apps/current-work/multipage/offline.html.
27. HICKSON, I. Web storage (W3C Recommendation). http://www.w3.org/TR/webstorage/.
28. HIGGINS, P. Pushing for perfect forward secrecy, an important web privacy protection. https://www.eff.org/deeplinks/2013/08/pushing-perfect-forward-secrecy-important-web-privacy-protection.
29. HOFFMAN, P., and SCHLYTER, J. The DNS-Based Authentication of Named Entities (DANE) Transport Layer Security (TLS) protocol: TLSA (RFC 6698). http://tools.ietf.org/html/rfc6698, 2012.
30. HOFFMAN-ANDREWS, J. Forward secrecy at Twitter. https://blog.twitter.com/2013/forward-secrecy-at-twitter-0.
31. JACKSON, C., and BARTH, A. Beware of finer-grained origins. In Web 2.0 Security and Privacy, 2008.
32. KARLOF, C., SHANKAR, U., TYGAR, J. D., and WAGNER, D. Dynamic pharming attacks and locked same-origin policies for web browsers. In CCS, 2007.
33. KIM, T. H.-J., HUANG, L.-S., PERRIG, A., JACKSON, C., AND GLIGOR, V. Accountable Key Infrastructure: A proposal for a public-key validation infrastructure. In WWW, 2013.
34. LANGLEY, A. How to botch TLS forward secrecy. https://www.imperialviolet.org/2013/06/27/botchingpfs.html.
35. LANGLEY, A. Protecting data for the long term with forward secrecy. http://googleonlinesecurity.blogspot.ch/2011/11/protecting-data-for-long-term-with.html.
36. LAURIE, B., LANGLEY, A., and KASPER, E. Certificate transparency (RFC 6992). http://tools.ietf.org/html/rfc6962, 2013.
37. MARLINSPIKE, M. Convergence. http://convergence.io/.
38. MARLINSPIKE, M., and PERRIN, T. Trust Assertions for Certificate Keys (TACK) (IETF Internet-Draft). http://tack.io/draft.html, 2013.
39. MOZILLA DEVELOPER NETWORK. Mixed content. https://developer.mozilla.org/en-US/docs/Security/MixedContent.
40. MOZILLA DEVELOPER NETWORK. Same-origin policy. https://developer.mozilla.org/en-US/docs/Web/JavaScript/Same_origin_policy_for_JavaScript.
41. NIKIFORAKIS, N., INVERNIZZI, L., KAPRAVELOS, A., VAN ACKER, S., JOOSEN, W., KRUEGEL, C., PIESSENS, F., and VIGNA, G. You are what you include: Large-scale evaluation of remote Javascript inclusions. In CCS, 2012.
42. OPPLIGER, R., HAUSER, R., and BASIN, D. SSL/TLS session-aware user authentication - Or how to effectively thwart the man-in-the-middle. Computer Communications 29, 12 (2006), 2238-2246.
43. OPPLIGER, R., HAUSER, R., and BASIN, D. SSL/TLS session-aware user authentication revisited. Computers & Security 27, 3-4 (2008), 64-70.
44. OWASP. Cross-site Scripting (XSS). https://www.owasp.org/index.php/Cross-site_Scripting_(XSS).
45. OWASP. Man-in-the-browser attack. https://www.owasp.org/index.php/Man-in-the-browser_attack.
46. PAOLA, S. D., and FEDON, G. Subverting Ajax. 23rd Chaos Communication Congress, 2006.
47. PARSOVS, A. Practical issues with TLS client certificate authentication. In NDSS, 2014.
48. SCHNEIER, B. New NSA leak shows MITM attacks against major Internet services. https://www.schneier.com/blog/archives/2013/09/new_nsa_leak_sh.html.
49. SOGHOIAN, C., and STAMM, S. Certified lies: Detecting and defeating government interception attacks against SSL. In FC, 2011.
50. STERNE, B., and BARTH, A. Content Security Policy 1.0 (W3C Candidate Recommendation). http://www.w3.org/TR/CSP/.
51. SUNSHINE, J., EGELMAN, S., ALMUHIMEDI, H., ATRI, N., and CRANOR, L. F. Crying wolf: An empirical study of SSL warning effectiveness. In USENIX Security, 2009.
52. WENDLANDT, D., and ANDERSEN., D. G., and PERRIG, A. Perspectives: Improving SSH-style host authentication with multi-path probing. In USENIX ATC, 2008.