Postcards from the Post-HTTP World: Amplification of HTTPS Vulnerabilities in the Web Ecosystem

Calzavara, Stefano; Focardi, Riccardo; Nemec, Matus; Rabitti, Alvise; Squarcina, Marco

doi:10.1109/sp.2019.00053

Cited by 23 publications

(16 citation statements)

References 60 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…We demonstrate this vulnerability in both browsers in demo videos [11], [13]. This could potentially allow related-domain attackers [26] to bypass the cookie-integrity checks recently adopted by browsers that rely on cookie prefixes [24]. In both cases, the user sees a lock icon in the URL bar indicating their connection to the web server is secure, when in reality it is not.…”

Section: Data Saving Mode Security Degradationmentioning

confidence: 98%

Meddling Middlemen: Empirical Analysis of the Risks of Data-Saving Mobile Browsers

Kondracki

Aliyeva

Egele

et al. 2020

2020 IEEE Symposium on Security and Privacy (SP)

View full text Add to dashboard Cite

Mobile browsers have become one of the main mediators of our online activities. However, as web pages continue to increase in size and streaming media on-the-go has become commonplace, mobile data plan constraints remain a significant concern for users. As a result, data-saving features can be a differentiating factor when selecting a mobile browser. In this paper, we present a comprehensive exploration of the security and privacy threat that data-saving functionality presents to users. We conduct the first analysis of Android's data-saving browser (DSB) ecosystem across multiple dimensions, including the characteristics of the various browsers' infrastructure, their application and protocol-level behavior, and their effect on users' browsing experience. Our research unequivocally demonstrates that enabling data-saving functionality in major browsers results in significant degradation of the user's security posture by introducing severe vulnerabilities that are not otherwise present in the browser during normal operation. In summary, our experiments show that enabling data savings exposes users to (i) proxy servers running outdated software, (ii) man-in-the-middle attacks due to problematic validation of TLS certificates, (iii) weakened TLS cipher suite selection, (iv) lack of support of security headers like HSTS, and (v) a higher likelihood of being labelled as bots. While the discovered issues can be addressed, we argue that data-saving functionality presents inherent risks in an increasingly-encrypted Web, and users should be alerted of the critical savings-vs-security trade-off that they implicitly accept every time they enable such functionality.

show abstract

Section: Data Saving Mode Security Degradationmentioning

confidence: 98%

Meddling Middlemen: Empirical Analysis of the Risks of Data-Saving Mobile Browsers

Kondracki

Aliyeva

Egele

et al. 2020

2020 IEEE Symposium on Security and Privacy (SP)

View full text Add to dashboard Cite

show abstract

“…We audit the security of web sessions against the traditional threats posed by web attackers and network attackers, the standard attacker models of the web security literature [12], which have been commonly used in previous web session security studies, e.g., [13,14,8,15,1,16,17,9]. A web attacker is an unprivileged web user who operates a browser and has control of a malicious website.…”

Section: Threat Modelmentioning

confidence: 99%

“…We also assume perfect cryptography, in the sense that our analysis focuses on session security, not cryptographic security of HTTPS. Note that cryptographic weaknesses in HTTPS implementations are generally harder both to identify and to exploit in practice [16].…”

Section: Threat Modelmentioning

confidence: 99%

Measuring Web Session Security at Scale

Calzavara

Jonker

Krumnow

et al. 2021

Computers & Security

Self Cite

View full text Add to dashboard Cite

“…Orthogonal to this line of research, researchers have studied the affects of TLS vulnerabilities on Web security [10]. Moreover, there have been studies on whether general Web security mechanisms (e.g., HSTS, CSP, Referrer Policy, etc.)…”

Section: Related Workmentioning

confidence: 99%

When TLS Meets Proxy on Mobile

Debnath¹,

Chau²,

Chowdhury³

2020

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Increasingly more mobile browsers are developed to use proxies for traffic compression and censorship circumvention. While these browsers can offer such desirable features, their security implications are, however, not well understood, especially when tangled with TLS in the mix. Apart from vendor-specific proprietary designs, there are mainly 2 models of using proxies with browsers: TLS interception and HTTP tunneling. To understand the current practices employed by proxy-based mobile browsers, we analyze 34 Android browser apps that are representative of the ecosystem, and examine how their deployments are affecting communication security. Though the impacts of TLS interception on security was studied before in other contexts, proxy-based mobile browsers were not considered previously. In addition, the tunneling model requires the browser itself to enforce certain desired security policies (e.g., validating certificates and avoiding the use of weak cipher suites), and it is preferable to have such enforcement matching the security level of conventional desktop browsers. Our evaluation shows that many proxybased mobile browsers downgrade the overall quality of TLS sessions, by for example allowing old versions of TLS (e.g., SSLv3.0 and TLSv1.0) and accepting weak cryptographic algorithms (e.g., 3DES and RC4) as well as unsatisfactory certificates (e.g., revoked or signed by untrusted CAs), thus exposing their users to potential security and privacy threats. We have reported our findings to the vendors of vulnerable proxy-based browsers and are waiting for their response.

show abstract

Postcards from the Post-HTTP World: Amplification of HTTPS Vulnerabilities in the Web Ecosystem

Cited by 23 publications

References 60 publications

Meddling Middlemen: Empirical Analysis of the Risks of Data-Saving Mobile Browsers

Meddling Middlemen: Empirical Analysis of the Risks of Data-Saving Mobile Browsers

Measuring Web Session Security at Scale

When TLS Meets Proxy on Mobile

Contact Info

Product

Resources

About