Meddling Middlemen: Empirical Analysis of the Risks of Data-Saving Mobile Browsers

Kondracki, Brian; Aliyeva, Assel; Egele, Manuel; Polakis, Jason; Nikiforakis, Nick

doi:10.1109/sp40000.2020.00077

Cited by 10 publications

(7 citation statements)

References 27 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In the context confusion attack, the attack occurs because of shared TLS certificates; thereby, the adversary reroutes the request is bypassed to a flawed certificate-sharing server. Use of intermediate entities like malicious proxies [6], [26]- [30] or interception software's [26], [27], a form of MITM attacks, cause the origin confusion issues as the attacker can hijack the secure traffic between the client and server.…”

Section: Security Analysismentioning

confidence: 99%

A Framework for Server Authentication using Communication Protocol Dialects

Gogineni¹,

Mei²,

Venkataramani³

et al. 2022

Preprint

View full text Add to dashboard Cite

In today's world, computer networks have become vulnerable to numerous attacks. In both wireless and wired networks, one of the most common attacks is man-in-the-middle attacks, within which session hijacking, context confusion attacks have been the most attempted. Thus, a potential attacker may have enough time to launch an attack targeting these vulnerabilities (such as rerouting the target request to a malicious server or hijacking the traffic). A viable strategy to solve this problem is, by dynamically changing the system properties, configurations and create unique fingerprints to identify the source (the message was sent from). However, the existing work of fingerprinting mainly focuses on lower-level properties (e.g., IP address, TCP handshake), and only these types of properties are restricted for mutation.In this paper, we develop a novel system, called Verify-Pro, to provide server authentication using communication protocol dialects -that uses a client-server architecture based on network protocols for customizing the communication transactions. For each session, a particular sequence of handshakes will be used as dialects. So, given the context, with the establishment of a one-time username and password, we use the dialects as an authentication mechanism for each request (e.g., get filename in FTP) throughout the session, which enforces continuous authentication. Specifically, we leverage a machine learning approach (pre-trained neural network model) on both client and server machines to trigger a specific dialect that dynamically changes for each request.We implement a prototype of Verify-Pro and evaluate its practicality on standard communication protocols FTP (File transfer protocol), HTTP (Hypertext transfer protocol) & internet of things protocol MQTT (Message queuing telemetry transport). Our experimental results show that by sending misleading information through message packets from an attacker at the application layer, the recipient can identify if the sender is genuine or a spoofed one, with a negligible overhead of 0.536%.

show abstract

Section: Security Analysismentioning

confidence: 99%

A Framework for Server Authentication using Communication Protocol Dialects

Gogineni¹,

Mei²,

Venkataramani³

et al. 2022

Preprint

View full text Add to dashboard Cite

show abstract

“…With web apps continuously introducing novel functionality to increase user engagement, browsers deploy new APIs and technologies to support such initiatives. As a result, modern web browsers often integrate new technologies and mechanisms that introduce novel attack vectors with significant security and privacy implications [35], [36], [47], [27]. As such, it is crucial that the security community conducts in-depth investigations of the risks introduced by emerging browser features.…”

Section: Introductionmentioning

confidence: 99%

Awakening the Web's Sleeper Agents: Misusing Service Workers for Privacy Leakage

Karami¹,

Ilia

Polakis

2021

Proceedings 2021 Network and Distributed System Security Symposium

Self Cite

View full text Add to dashboard Cite

“…As a result, emphasis has been placed on changing Web browsing to consume less data [9,11,44,46,51]. While there has been some public confusion over the exact workings and reach of such data-saving methods [33], recent studies of their actual implementations [31,37,54] reveal a few key shortcomings.…”

Section: Introductionmentioning

confidence: 99%

“…First and foremost, these solutions impose various privacy concerns to their users when compared to regular Web browsing. Some are deployed as middlebox services which either transparently proxy the user's unencrypted traffic [11,51], or, apply URL redirection [23] or Man-in-the-Middle proxies [44,46,58] to also operate on encrypted traffic (HTTPS) [37,54]. Given the rise of HTTPS [28], the former sees limited use, while the latter breaks the end-to-end principles of TLS, exposing potentially private or personalized Web contents to third parties [37,54].…”

Section: Introductionmentioning

confidence: 99%

“…Further, the exact measures these systems take to actually save data are often cryptic [31,33,37,54]. As determining Web-compat issues, or the ability to quantify broken webpages, is an open problem that requires large amount of manual effort [41], it is hard to determine how and when these solutions actually break webpages; though when they do so there is usually public outcry [12].…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Browselite: A Private Data Saving Solution for the Web

Kelton,

Varvello,

Aucinas

et al. 2021

Preprint

View full text Add to dashboard Cite

The median webpage has increased in size by more than 80% in the last 4 years. This extra complexity allows for a rich browsing experience, but it hurts the majority of mobile users which still pay for their traffic. This has motivated several data-saving solutions, which aim at reducing the complexity of webpages by transforming their content. Despite each method being unique, they either reduce user privacy by further centralizing web traffic through data-saving middleboxes or introduce web compatibility (Web-compat) issues by removing content that breaks pages in unpredictable ways.In this paper, we argue that data-saving is still possible without impacting either users privacy or Web-compat. Our main observation is that Web images make up a large portion of Web traffic and have negligible impact on Web-compat. To this end we make two main contributions. First, we quantify the potential savings that image manipulation, such as dimension resizing, quality compression, and transcoding, enables at large scale: 300 landing and 880 internal pages. Next, we design and build BrowseLite, an entirely client-side tool that achieves such data savings through opportunistically instrumenting existing server-side tooling to perform image compression, while simultaneously reducing the total amount of image data fetched. The effect of BrowseLite on the user experience is quantified using standard page load metrics and a real user study of over 200 users across 50 optimized web pages. BrowseLite allows for similar savings to middlebox approaches, while offering additional security, privacy, and Web-compat guarantees.

show abstract

Meddling Middlemen: Empirical Analysis of the Risks of Data-Saving Mobile Browsers

Cited by 10 publications

References 27 publications

A Framework for Server Authentication using Communication Protocol Dialects

A Framework for Server Authentication using Communication Protocol Dialects

Awakening the Web's Sleeper Agents: Misusing Service Workers for Privacy Leakage

Browselite: A Private Data Saving Solution for the Web

Contact Info

Product

Resources

About