DOCSLIB.ORG

Analysis of Http Cookie Hijacking in the Wild

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Analysis of Http Cookie Hijacking in the Wild International Journal of Innovative Technology and Exploring Engineering (IJITEE) ISSN: 2278-3075, Volume-9 Issue-7, May 2020 Analysis of Http Cookie Hijacking in the Wild K.Samhitha, K.Tharun, P.Likhith, T.Srinivasarao Abstract: Because cookies act as the sole evidence of user There are a number of explanations for failing to introduce identification, web sessions are especially vulnerable to attacks all-around secure communications, ranging from the through session hijacking, where the server operated by a specific possible changes of bandwidth costs and the lack of in- user sends users ' identity requests. If n > 1 cookies are used to network functionality of retaining conventional customer execute a session, n sub-sessions that actually run on the same service. If policies of access control properly distinguish website where the individual cookies are used to access part of the session's state details. Our cookie hijacking analysis shows a authenticated rights (e.g., session cookies) and range of significant defects; attackers may reach Google's home unauthenticated cookies (e.g., persistent cookies for address and work address and websites that are accessed by Bing tracking) instead stolen HTTP cookies will preclude or Baidu, show the entire browsing history of the user, and attackers from gathering some personal data. For reality, Yahoo enables attackers to delete the list of contacts and upload though, it is not and things are getting worse as systems tend emails from the account of the consumer. For fact, e-commerce to lose protection on usability. Website rights HTTP providers such as Amazon and Ebay have a limited, complete cookies, which boost customer functionality, to personalize customer order background, so almost all platforms have a user the services, but prohibit demands for re-authentication, name so e-mail address on their page. Ad networks like because this influences user interaction. If strictly required, Doubleclick will also expose pages accessed by the customer. In this article, we propose to improve the latest state-of - the-art in the process of thorough research, little attention was HTTP(S) session control by utilizing user fingerprint.A vast given to the privacy risks of non-session cookies; the leaked range of functionalities of the new client tracking makes session HTTP code demonstrates how criminals can retrieve Google identification on the server observable and dramatically increases search history for a consumer. the threshold for attackers. Furthermore, this paper describes As mentioned in a recent survey, the key safety hazards in HTML5 and CSS capabilities for client fingerprinting and the web sessions are established today.As web sessions are recognition or authentication of a device by using the UserAgent especially susceptible to client hiracy attacks because list. cookies function only as a proof of user identification, where the server operated by a single user is submitting Keywords: cookies, attacks, session hijacking, HTTP, authentication, fingerprinting and recognition. requests relevant to another user's identification. Session security has been studied in many types of threats including I. INTRODUCTION web attackers who run sites that host harmful material and who are able to leverage intrusion flaws on trustworthy There is an immense everyday foundation for social websites as well as on network assailants who are able to networks and customized internet services. Internet users are obstruct, audit and manipulate HTTP traffic. still at danger continuously. Popular websites, such as In this report, we discuss the degree and nature of Facebook or Yahoo, along with several others, are now ambiguous activities and the implications for consumer utilizing HTTPS-secured user authentication contact while privacy of major networks that partly implement encrypted usually sharing the remainder of the session explicitly. communications.They show that HTTP cookie hijacking It helps an intruder to steal or clone passwords, identifiers attacks not only enable private and confidential user details and tokens from the client and to manage the victim's to be obtained, but are also able to bypass security account. It has been employed as a threat tactic numerous requirements and reach the secure account features. It is the times more recently by unencrypted Wi-Fi and national first in-depth study, to our knowledge, into the data security interceptors, showing that hijacking is in reality an Internet ramifications of HTTPS selective adoption. We test 25 core protection problem today. A recent famous example is the business areas for search engines and e-commerce portals, compromised Ashton Kutcher's Twitter account. He had chosen from various groups. more than 6 million fans at the point. It was an unencrypted In each case, we consider how HTTP cookies are used, how Wi-Fi. In Tunisia, however, websites like Facebook, Gmail the cookies are used to show various forms of data and and Yahoo have been suspected of malicious JavaScript features, and how they are analyzed. In each scenario, we intrusion to gather user credentials and disrupt dissident examine cookies. It helps one to obtain an analysis of the online operation. effectiveness and effect of this form of attack. We find bugs Nevertheless, several big websites tend to use non-encrypted on big websites that make it possible for attackers to get a connections to deliver content, exposing users to HTTP wealth of confidential user data and have access to secure cookies to attackers and traffic tracking them. accounts. We conduct these tests on our specific or research profiles as a precautionary step. Revised Manuscript Received on May 01, 2020. K.Samhitha, Bachelor’s Degree, Computer Science, K L University, Vijayawada, India. II. LITERATURE REVIEW K.Tharun , Bachelor’s Degree, Computer Science, K L University, Vijayawada, India. Internet browsers are incredibly sophisticated operating P.Likhith, Bachelor’s Degree, Computer Science, K L University, programs that require several implementation years.Various Vijayawada, India. universal specifications such as the HTML, JavaScript, Dr.T.Srinivasarao, Professor, Department of Computer Science & DOM, XML or CSS defined by Engineering, Koneru Lakshmaiah Education Foundation, Vaddeswaram, Ap, India. [email protected] W3C2, aim and render web experience as consistent as Published By: Retrieval Number: F4011049620/2020©BEIESP Blue Eyes Intelligence Engineering DOI: 10.35940/ijitee.F4011.059720 859 & Sciences Publication Analysis of Http Cookie Hijacking in the Wild practicable through various browsers. However browsers III. REAL-WORLD PRIVACY LEAKAGE also provide their own "touch" with their understanding of Threat persistence:Session cookies become invalidated such specifications. Regardless of the ambiguity of certain after the consumer signs out. Also after a brief duration of specifications, the implementations of browsers vary. The inactivity, high-value programs achieve so. We also tested landscaper, such as HTML5 and CSS3, that are not yet that the providers still remove the HTTP cookies essential completely developed but partly implemented in browsers, for our deterrent attacks. We find that even though the user is confused further by current and potential requirements. has signed out, nearly all cookies are always allowed to These limited criteria are best designed for fingerprinting of reach and will assaultonce the intruder has taken cookies. various depths. For e.g., Nmap uses this exact method to Links to the personal details and account functions of the define the operating system of a TCP / IP stack fingerprint user can then be retained by an intruder before a cookie dependent remote host. expires for a span of several months (Google cookies expire Website security operates as follows: The username and the for 2 years). Even since signing out has Ebay become the password are presented with an HTML file, which is then insecure provider that invalidates the cookies. Such Cookies forwarded on to the server. If the communication do not inform the user that the validity of cookies is performance is reached then the server normally returns a controlled by Ebay on the server side as he or she leaves. token (usually known as session ID) which, owing to the Below we will also address Youtube's odd actions toward stateless internals of the HTTP protocol, is subsequently non-connected users. sent along with other client requests to classify the user. Cookie hijacking: To defend their work against This raises many problems for user security in an eavesdropping, Google automatically redirects users linked unencrypted HTTP environment: presents many threats to via HTTP to HTTPS through Google.com. On initial order, the security of the user: As unencrypted Logon passwords however, the client must submit HTTP cookies before are passed on, an eavesdropping attacker may quickly obtain redirecting and implementing encrypted contact. In fact, the them. Although both the login form document and user can also use Google Services via the address bar; for subsequent. Notice to a reviewer requests: the connection instance, the user can type in the Google Maps function must be used here when the paper's credentials are www.google.com/maps.The client can re-expose the users transmitted via HTTPS for publishing via HTTP cookies in these situations and, if the competitor is (http://www.w3.org/TR/), attackers that later obtain session traffic managed, he would be able to hijack them. Instead of ID from unencrypted server requests, or using client side introducing HTTPS, redirecting is also a deliberate choice to attacks such as XSS. help conventional customers that do not operate HTTPS. Many administrators find that the default implementation of Browsing history:The opponent can begin searching SSL is too expensive. Anecdotal data indicates that naively Google on different terms of interest with the use of the causing SSL to degrade dramatically the output without any stolen cookie. Unless the findings of the quest have tuning up to the magnitude. However, in January 2010 connections on which the user has been through the search Gmail migrated to HTTPS by default.
Load more

Recommended publications
  • Release 2.2.1 Kenneth Reitz
    Requests Documentation Release 2.2.1 Kenneth Reitz January 15, 2016 Contents 1 Testimonials 3 2 Feature Support 5 3 User Guide 7 3.1 Introduction...............................................7 3.2 Installation................................................8 3.3 Quickstart................................................9 3.4 Advanced Usage............................................. 15 3.5 Authentication.............................................. 25 4 Community Guide 29 4.1 Frequently Asked Questions....................................... 29 4.2 Integrations................................................ 30 4.3 Articles & Talks............................................. 30 4.4 Support.................................................. 30 4.5 Community Updates........................................... 31 4.6 Software Updates............................................. 31 5 API Documentation 49 5.1 Developer Interface........................................... 49 6 Contributor Guide 69 6.1 Development Philosophy......................................... 69 6.2 How to Help............................................... 70 6.3 Authors.................................................. 71 Python Module Index 77 i ii Requests Documentation, Release 2.2.1 Release v2.2.1. (Installation) Requests is an Apache2 Licensed HTTP library, written in Python, for human beings. Python’s standard urllib2 module provides most of the HTTP capabilities you need, but the API is thoroughly broken. It was built for a different time — and a different web.
    [Show full text]
  • The Web Never Forgets: Persistent Tracking Mechanisms in the Wild
    The Web Never Forgets: Persistent Tracking Mechanisms in the Wild Gunes Acar1, Christian Eubank2, Steven Englehardt2, Marc Juarez1 Arvind Narayanan2, Claudia Diaz1 1KU Leuven, ESAT/COSIC and iMinds, Leuven, Belgium {name.surname}@esat.kuleuven.be 2Princeton University {cge,ste,arvindn}@cs.princeton.edu ABSTRACT 1. INTRODUCTION We present the first large-scale studies of three advanced web tracking mechanisms — canvas fingerprinting, evercookies A 1999 New York Times article called cookies compre­ and use of “cookie syncing” in conjunction with evercookies. hensive privacy invaders and described them as “surveillance Canvas fingerprinting, a recently developed form of browser files that many marketers implant in the personal computers fingerprinting, has not previously been reported in the wild; of people.” Ten years later, the stealth and sophistication of our results show that over 5% of the top 100,000 websites tracking techniques had advanced to the point that Edward employ it. We then present the first automated study of Felten wrote “If You’re Going to Track Me, Please Use Cook­ evercookies and respawning and the discovery of a new ev­ ies” [18]. Indeed, online tracking has often been described ercookie vector, IndexedDB. Turning to cookie syncing, we as an “arms race” [47], and in this work we study the latest present novel techniques for detection and analysing ID flows advances in that race. and we quantify the amplification of privacy-intrusive track­ The tracking mechanisms we study are advanced in that ing practices due to cookie syncing. they are hard to control, hard to detect and resilient Our evaluation of the defensive techniques used by to blocking or removing.
    [Show full text]
  • Designing Secure Systems That People Can
    15- SSL, PKIs, and Secure Communication Engineering & Public Policy Lorrie Cranor, Blase Ur, and Rich Shay March 3, 2015 05-436 / 05-836 / 08-534 / 08-734 Usable Privacy and Security 1 Today! • An introduction to SSL/TLS • An introduction to PKIs • Recent developments in this area • Usability issues • An activity to make it better 2 Overview • Secure Sockets Layer (SSL) and its successor, Transport Layer Security (TLS) enable secure communication • Frequently encountered with web browsing (HTTPS) and more behind the scenes in app, VOIP, etc. 3 What we want to defend against • People snooping on our communications – The contents of what we’re sending – Session tokens (see, e.g., Firesheep) • Man-in-the-middle attacks – We want to authenticate that we are talking to the right site, not an imposter – Use certificates inside a public-key infrastructure 4 How we could obtain trust • Web of trust – People you already trust introduce you to people they trust – Can get complicated, doesn’t scale well – Less frequently seen in practice • Public-Key Infrastructure (PKI) – Certificates are issued by certificate authorities that bind cryptographic keys to identities 5 Public-Key Infrastucture • Binding of keys to identities can be done automatically or by humans 6 What does SSL look like to users? • Compare, e.g., the following: – https://www.google.com (normal certificate) – Go to Google images and then click on an image and see what happens (mixed content) – https://otalliance.org (EV certificate) 7 What does PKI look like to browsers? • Hundreds
    [Show full text]
  • Preventing Session Hijacking Using Encrypted One-Time-Cookies
    Preventing Session Hijacking using Encrypted One-Time-Cookies Renascence Tarafder Prapty 1, Shuhana Azmin 1 Md. Shohrab Hossain 1, Husnu S. Narman2 1Department of Computer Science and Engineering, Bangladesh University of Engineering and Technology, Bangladesh 2Weisberg Division of Computer Science, Marshall University, Huntington, WV, USA Email: [email protected],[email protected], [email protected], [email protected] Abstract—Hypertext Transfer Protocol (HTTP) cookies are cryptography-based techniques to achieve cookie confidential- pieces of information shared between HTTP server and client to ity and integrity. However, each mechanism lacks in one aspect remember stateful information for the stateless HTTP protocol or another. The scheme described in [1] does not achieve or to record a user’s browsing activity. Cookies are often used in web applications to identify a user and corresponding authen- cookie confidentiality. In [3], the web server is required to ticated session. Thus, stealing a cookie can lead to hijacking an store one-time keys that lead to key management problems. authenticated user’s session. To prevent this type of attack, a In [2] and [4], a one-time key is encrypted by the web server’s cookie protection mechanism is required. In this paper, we have public key. As public key encryption is computationally expen- proposed a secure and efficient cookie protection system. We have sive, these schemes are not efficient. [5] proposes the use of used one time cookies to prevent attacker from performing cookie injection. To ensure cookie integrity and confidentiality, we have cache cookies as an alternative to cookies for authentication of encrypted sensitive information in the cookie.
    [Show full text]
  • Protecting Encrypted Cookies from Compression Side-Channel Attacks
    Protecting encrypted cookies from compression side-channel attacks Janaka Alawatugoda1, Douglas Stebila1;2, and Colin Boyd3 1 School of Electrical Engineering and Computer Science, 2 School of Mathematical Sciences 1;2 Queensland University of Technology, Brisbane, Australia [email protected],[email protected] 3 Department of Telematics, Norwegian University of Science and Technology, Trondheim, Norway [email protected] December 28, 2014 Abstract Compression is desirable for network applications as it saves bandwidth; however, when data is compressed before being encrypted, the amount of compression leaks information about the amount of redundancy in the plaintext. This side channel has led to successful CRIME and BREACH attacks on web traffic protected by the Transport Layer Security (TLS) protocol. The general guidance in light of these attacks has been to disable compression, preserving confidentiality but sacrificing bandwidth. In this paper, we examine two techniques|heuristic separation of secrets and fixed-dictionary compression|for enabling compression while protecting high-value secrets, such as cookies, from attack. We model the security offered by these techniques and report on the amount of compressibility that they can achieve. 1This is the full version of a paper published in the Proceedings of the 19th International Conference on Financial Cryptography and Data Security (FC 2015) in San Juan, Puerto Rico, USA, January 26{30, 2015, organized by the International Financial Cryptography Association in cooperation with IACR. 1 Contents 1 Introduction 3 2 Definitions 6 2.1 Encryption and compression schemes.........................6 2.2 Existing security notions................................7 2.3 New security notions..................................7 2.4 Relations and separations between security notions.................8 3 Technique 1: Separating secrets from user inputs9 3.1 The scheme.......................................9 3.2 CCI security of basic separating-secrets technique.................
    [Show full text]
  • HTTP Cookie - Wikipedia, the Free Encyclopedia 14/05/2014
    HTTP cookie - Wikipedia, the free encyclopedia 14/05/2014 Create account Log in Article Talk Read Edit View history Search HTTP cookie From Wikipedia, the free encyclopedia Navigation A cookie, also known as an HTTP cookie, web cookie, or browser HTTP Main page cookie, is a small piece of data sent from a website and stored in a Persistence · Compression · HTTPS · Contents user's web browser while the user is browsing that website. Every time Request methods Featured content the user loads the website, the browser sends the cookie back to the OPTIONS · GET · HEAD · POST · PUT · Current events server to notify the website of the user's previous activity.[1] Cookies DELETE · TRACE · CONNECT · PATCH · Random article Donate to Wikipedia were designed to be a reliable mechanism for websites to remember Header fields Wikimedia Shop stateful information (such as items in a shopping cart) or to record the Cookie · ETag · Location · HTTP referer · DNT user's browsing activity (including clicking particular buttons, logging in, · X-Forwarded-For · Interaction or recording which pages were visited by the user as far back as months Status codes or years ago). 301 Moved Permanently · 302 Found · Help 303 See Other · 403 Forbidden · About Wikipedia Although cookies cannot carry viruses, and cannot install malware on 404 Not Found · [2] Community portal the host computer, tracking cookies and especially third-party v · t · e · Recent changes tracking cookies are commonly used as ways to compile long-term Contact page records of individuals' browsing histories—a potential privacy concern that prompted European[3] and U.S.
    [Show full text]
  • Security and Privacy Concerns of Internet Single Sign-On"
    Security and Privacy Concerns of Internet Single Sign-On Risks and Issues as They Pertain to Liberty Alliance Version 1.0 Specifications Authors: Gary Ellison, Jeff Hodges, Susan Landau Date: 6 Sep 2002 Introduction As noted in ‘‘A Brief Introduction to Liberty,’’ for the man on the street, the lawyer in her office, the shopper or investor at home, identity on the Internet is a burdensome and off-putting process. There is one sign-on and password for the online book merchant, another for the corporate network and for each of its pieces --- the client’s private pages, the outsourced human resources office, the online travel agency --- yet another pair for accessing Lands End, still another for Bank of America. The same holds for business-to-business interactions. The result is a cumbersome user experience. The first challenge of Web services is a simple and secure identity mechanism, the second, and equally important, concern is privacy protection. Single sign-on and federated network identity (a system for binding multiple accounts for a given user) are key to solving these issues. A federated system allows businesses to manage their own resources including customer data. Federated network identity enables customers to retain some control over which companies have access to their own information [INTRO]. The Liberty Alliance was formed to deliver and support a federated network identity solution for the Internet, enabling single sign-on for consumers as well as business users in an open, federated way. The Liberty Alliance version 1.0 specifications (referred to as the Liberty Specifications or Liberty protocols throughout this document) clear the way for a user to have a seamless Internet experience and simplify the business of conducting business with multiple Web sites.
    [Show full text]
  • SESSION RIDING a Widespread Vulnerability in Today's Web Applications
    Whitepaper SESSION RIDING A Widespread Vulnerability in Today's Web Applications Thomas Schreiber, SecureNet GmbH, Dec 2004 SecureNet GmbH - Münchner Technologiezentrum - Frankfurter Ring 193a - D-80807 München www.securenet.de - [email protected] - Phone +49/89/32133-600 Whitepaper – Session Riding SecureNet GmbH – 2 T ABLE OF C ONTENTS 1 Abstract .............................................................................................................................3 2 What is Session Riding?.......................................................................................................3 3 How Session Riding Works ..................................................................................................4 3.1 How Cookies and Session IDs work................................................................4 3.2 The Threat............................................................................................................5 3.3 Where is the Vulnerability? ................................................................................6 3.4 Non-form-based Authentication Methods......................................................6 3.5 Summary ...............................................................................................................7 4 What makes things even worse...........................................................................................7 4.1 Vulnerable GET-Requests .................................................................................7 4.1.1 The IMG-Tag ............................................................................................7
    [Show full text]
  • A Deep Dive Into the Technology of Corporate Surveillance
    Behind the One-Way Mirror: A Deep Dive Into the Technology of Corporate Surveillance Author: Bennett Cyphers and Gennie Gebhart ​ A publication of the Electronic Frontier Foundation, 2019. “Behind the One-Way Mirror: A Deep Dive Into the Technology of Corporate Surveillance” is released under a Creative Commons Attribution 4.0 International License (CC BY 4.0). View this report online: https://www.eff.org/wp/behind-the-one-way-mirror ELECTRONIC FRONTIER FOUNDATION 1 Behind the One-Way Mirror: A Deep Dive Into the Technology of Corporate Surveillance Behind the One-Way Mirror A Deep Dive Into the Technology of Corporate Surveillance BENNETT CYPHERS AND GENNIE GEBHART December 2, 2019 ELECTRONIC FRONTIER FOUNDATION 2 Behind the One-Way Mirror: A Deep Dive Into the Technology of Corporate Surveillance Introduction 4 First-party vs. third-party tracking 4 What do they know? 5 Part 1: Whose Data is it Anyway: How Do Trackers Tie Data to People? 6 Identifiers on the Web 8 Identifiers on mobile devices 17 Real-world identifiers 20 Linking identifiers over time 22 Part 2: From bits to Big Data: What do tracking networks look like? 22 Tracking in software: Websites and Apps 23 Passive, real-world tracking 27 Tracking and corporate power 31 Part 3: Data sharing: Targeting, brokers, and real-time bidding 33 Real-time bidding 34 Group targeting and look-alike audiences 39 Data brokers 39 Data consumers 41 Part 4: Fighting back 43 On the web 43 On mobile phones 45 IRL 46 In the legislature 46 ELECTRONIC FRONTIER FOUNDATION 3 Behind the One-Way Mirror: A Deep Dive Into the Technology of Corporate Surveillance Introduction Trackers are hiding in nearly every corner of today’s Internet, which is to say nearly every corner of modern life.
    [Show full text]
  • Server Side Protection Against Cross Site Request Forgery Using CSRF
    ol chn ogy Te & Gupta and Gola, J Inform Tech Softw Eng 2016, 6:3 n S o o ti ft a w a m r r e o f DOI: 10.4173/2165-7866.1000182 E Journal of n n I g f i o n l e a e n r r i n u g o J ISSN: 2165-7866 Information Technology & Software Engineering Research Article Open Access Server Side Protection against Cross Site Request Forgery using CSRF Gateway Jaya Gupta* and Suneeta Gola College of Science & Engineering, Department of Computer Engineering, India Abstract The E-Commerce and Social Media has become the new identity for millions of users across the globe. Ease of services for Shopping, Travel, Internet Banking, Social Media, chat and collaboration Apps etc. have become part of one’s life where these identities have name, media content, confidential notes, business projects and credit cards. Convenience and connections brings the ease of connectivity and services so does come the concerns related to unauthorized usage and fraudulent transactions that could be lead to loss of money, time, emotions and even life. Web defacement, fake accounts, account hijacking, account lock and unavailability of services has become a common online news and distress for many. There are different Web Attacks and exploits that have sprung up with time and usage for different type of illegal actions performed everyday online. Cross Site Request Forgery Attack is one of the Web top 10 exploited attacks for the past 5 years (Source OSWAP) which can maliciously exploit online services, where unauthorized actions are performed by the fraudulent user on behalf of a trusted and authenticated account for website.
    [Show full text]
  • Web Tracking: Mechanisms, Implications, and Defenses Tomasz Bujlow, Member, IEEE, Valentín Carela-Español, Josep Solé-Pareta, and Pere Barlet-Ros
    ARXIV.ORG DIGITAL LIBRARY 1 Web Tracking: Mechanisms, Implications, and Defenses Tomasz Bujlow, Member, IEEE, Valentín Carela-Español, Josep Solé-Pareta, and Pere Barlet-Ros Abstract—This articles surveys the existing literature on the of ads [1], [2], price discrimination [3], [4], assessing our methods currently used by web services to track the user online as health and mental condition [5], [6], or assessing financial well as their purposes, implications, and possible user’s defenses. credibility [7]–[9]. Apart from that, the data can be accessed A significant majority of reviewed articles and web resources are from years 2012 – 2014. Privacy seems to be the Achilles’ by government agencies and identity thieves. Some affiliate heel of today’s web. Web services make continuous efforts to programs (e.g., pay-per-sale [10]) require tracking to follow obtain as much information as they can about the things we the user from the website where the advertisement is placed search, the sites we visit, the people with who we contact, to the website where the actual purchase is made [11]. and the products we buy. Tracking is usually performed for Personal information in the web can be voluntarily given commercial purposes. We present 5 main groups of methods used for user tracking, which are based on sessions, client by the user (e.g., by filling web forms) or it can be collected storage, client cache, fingerprinting, or yet other approaches. indirectly without their knowledge through the analysis of the A special focus is placed on mechanisms that use web caches, IP headers, HTTP requests, queries in search engines, or even operational caches, and fingerprinting, as they are usually very by using JavaScript and Flash programs embedded in web rich in terms of using various creative methodologies.
    [Show full text]
  • Certificate Authority – Registration Authority (Verifies Cert Requests) – Validation Authority (Handles Revocation)
    11. Trust on the Web Blase Ur and David Cash February 5th, 2020 CMSC 23200 / 33250 Overview • Secure Sockets Layer (SSL) and its successor, Transport Layer Security (TLS) enable secure communication • Frequently encountered with web browsing (HTTPS) and more behind the scenes in app, VOIP, etc. What we want to defend against • People snooping on our communications – The contents of what we’re sending – Session tokens (see, e.g., Firesheep) • Person-in-the-middle attacks – We want to authenticate that we are talking to the right site, not an imposter – Use certificates inside a public-key infrastructure How we could obtain trust • Web of trust – People you already trust introduce you to people they trust – Can get complicated, doesn’t scale well – Infrequently seen in practice • Public-Key Infrastructure (PKI) – Certificates are issued by certificate authorities that bind cryptographic keys to identities Public-Key Infrastucture • Binding of keys to identities – Certificate authority – Registration authority (verifies cert requests) – Validation authority (handles revocation) Image from Wikimedia Foundation What does SSL look like to users? • Compare, e.g., the following: – https://www.google.com (normal certificate) – Go to Google images and then click on an image and see what happens (mixed content) – https://www.thawte.com (EV certificate) What does SSL look like to users? (From Felt et al. SOUPS 2016) How does PKI look to browsers? • Hundreds of trusted certificate authorities – Certificate authorities (CAs) sign the certificates binding
    [Show full text]