Truncating TLS connections to violate beliefs in web applications

7th USENIX Workshop on Offensive Technologies, WOOT 2013

Volumn , Issue , 2013, Pages

  Smyth, Ben ^a   Pironti, Alfredo ^a  

^a INRIA ROCQUENCOURT   (France)

Author keywords

Attack; Authentication; Exploit; Google; Helios; Logical flaw; Microsoft; Sign out; Single sign on; TLS truncation; Web applications

Indexed keywords

AUTHENTICATION; ELECTRONIC VOTING;

ATTACK; EXPLOIT; GOOGLE; HELIOS; MICROSOFT; SIGN-OUT; SINGLE SIGN ON; WEB APPLICATION;

SEEBECK EFFECT;

EID: 85084163394     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: None     Document Type: Conference Paper

References (23)

1. Ben Adida. Helios deployed at Princeton. http://heliosvoting.org/2009/10/13/helios-deployed-at-princeton/, 2009.
2. Ben Adida, Olivier de Marneffe, Olivier Pereira, and Jean-Jacques Quisquater. Electing a University President Using Open-Audit Voting: Analysis of Real-World Use of Helios. In EVT/WOTE’09: Electronic Voting Technology Workshop/Workshop on Trustworthy Elections. USENIX, 2009.
3. Josh Benaloh, Serge Vaudenay, and Jean-Jacques Quisquater. Final Report of IACR Electronic Voting Committee. International Association for Cryptologic Research. http://www.iacr.org/elections/eVoting/finalReportHelios_2010-09-27.html, Sept 2010.
4. Diana Berbecaru and Antonio Lioy. On the Robustness of Applications Based on the SSL and TLS Security Protocols. In Public Key Infrastructure, volume 4582, pages 248–264. 2007.
5. Antoine Delignat-Lavaud, Alfredo Pironti, and Ben Smyth. Private communication, 29th April 2013.
6. T. Dierks and E. Rescorla. The Transport Layer Security (TLS) Protocol Version 1.2. RFC 5246, Internet Engineering Task Force, 2008.
7. Danny Dolev and Andrew C. Yao. On the security of public key protocols. Information Theory, 29:198–208, 1983.
8. R. Fielding, J. Gettys, J. Mogul, H. Frystyk, L. Masinter, P. Leach, and T. Berners-Lee. Hypertext Transfer Protocol – HTTP/1.1. RFC 2616, Internet Engineering Task Force, 1999.
9. A. Freier, P. Karlton, and P. Kocher. The Secure Sockets Layer (SSL) Protocol Version 3.0. RFC 6101, Internet Engineering Task Force, 2011.
10. Shafi Goldwasser and Silvio Micali. Probabilistic encryption. Journal of Computer and System Sciences, 28(2):270–299, 1984.
11. Stuart Haber, Josh Benaloh, and Shai Halevi. The Helios e-Voting Demo for the IACR. International Association for Cryptologic Research. http://www. iacr.org/elections/eVoting/heliosDemo.pdf, May 2010.
12. IACR Elections. http://www.iacr.org/elections/, 2013.
13. Andrew J. Ko and Xing Zhang. Feedlack detects missing feedback in web applications. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, CHI’11, pages 2177–2186, New York, NY, USA, 2011. ACM.
14. Jakob Nielsen and Rolf Molich. Heuristic evaluation of user interfaces. In Proceedings of the SIGCHI conference on Human factors in computing systems: Empowering people, pages 249–256. ACM, 1990.
15. Donald Norman. The design of everyday things. Basic Books, 1998.
16. Helios Princeton Elections. https://princeton.heliosvoting.org/, 2012.
17. E. Rescorla. HTTP Over TLS. RFC 2818, Internet Engineering Task Force, 2000.
18. Bruce Schneier. Government Secrets and the Need for Whistle-blowers. http://www.schneier.com/blog/archives/2013/06/government_secr.html, 2013.
19. Bruce Schneier. IT for Oppression. IEEE Security & Privacy, 11(2):96, 2013.
20. Ben Smyth and Alfredo Pironti. Attacking Helios: An authentication bug. YouTube video, linked from http://www.bensmyth.com/publications/2013-truncation-attacks-to-violate-beliefs/, 2012.
21. Ben Smyth and Alfredo Pironti. Truncating TLS connections to access GMail accounts. YouTube video, linked from http://www.bensmyth.com/publications/2013-truncation-attacks-to-violate-beliefs/, 2012.
22. Ben Smyth and Alfredo Pironti. Truncating TLS connections to access Hotmail accounts. YouTube video, linked from http://www.bensmyth.com/publications/2013-truncation-attacks-to-violate-beliefs/, 2013.
23. C.A. Vlsaggio and L.C. Blasio. Session management vulnerabilities in today’s web. Security Privacy, IEEE, 8(5):48–56, 2010.