Since 2014 we have been conducting a fixed-point (longitudinal) observation in which we crawl SSL/TLS sites from a list of .jp-domain URLs extracted from Alexa Top Sites and track changes in the usage rate of SSL/TLS versions and of export-grade cipher suites. Turning to server certificates, we found that, because the display policy of the browser security indicator had recently changed, some sites were judged “not safe” even though they use an EV (Extended Validation) SSL certificate, which had originally earned them a green bar in the address bar. A closely related problem is the browser's “search form” warning, in which a page that is harmless in itself is flagged as unsafe because of its page contents; we investigated this issue in detail as well. In this paper the survey targets are the websites of the regular member banks of the association that plans and operates the interbank settlement systems, together with their online banking login services. Checking the SSL/TLS sites of the top FQDNs that the banks advertise widely in print and other media, we found that about half were in a normal state while the other half had problems such as an FQDN mismatch between the certificate and the host name. We also report a manual investigation of the impact of the “search form” issue, carried out by classifying into patterns the path from the plain-HTTP (not HTTPS) server of each top FQDN to the online banking login page. Finally, we give design guidelines for HTTP/HTTPS sites as one countermeasure against this kind of problem.
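Two of the checks behind the survey described above, written out as an added example (this is not the paper's crawler, and the bank names, host names, certificate names and path categories are constructed for illustration): whether a server certificate actually covers the FQDN that was visited, using the RFC 6125 host-name matching rules, and whether the chain of hops from a bank's plain-HTTP top page to its online banking login page stays on HTTPS after the first hop.

```python
"""Certificate FQDN-mismatch check and HTTP-to-login path classification.

Added example, not the paper's code.  The sample certificate names, host
names and redirect chains below are constructed, and the path categories are
this example's own taxonomy, not the paper's pattern classification."""
from __future__ import annotations

from urllib.parse import urlsplit


def hostname_matches(hostname: str, cert_names: list[str]) -> bool:
    """Return True if the visited FQDN is covered by one of the names taken
    from the certificate (SAN dNSNames, or the CN as a fallback).

    Rules follow RFC 6125 section 6.4.3: comparison is case-insensitive,
    a wildcard is accepted only as the entire leftmost label, it matches
    exactly one label, and it must not cover a public suffix such as "*.jp".
    """
    host = hostname.lower().rstrip(".")
    host_labels = host.split(".")
    for name in cert_names:
        name = name.lower().rstrip(".")
        labels = name.split(".")
        if "*" not in name:
            if name == host:
                return True
            continue
        # Wildcard must be the whole leftmost label and leave >= 2 fixed labels
        if labels[0] != "*" or len(labels) < 3 or any("*" in l for l in labels[1:]):
            continue
        # One label for "*", and the remaining labels must match exactly
        if len(labels) == len(host_labels) and labels[1:] == host_labels[1:]:
            return True
    return False


def classify_login_path(hops: list[str]) -> str:
    """Classify the chain from the top FQDN's HTTP server to the login page.

    hops[0] is the plain-HTTP top page, hops[-1] the online banking login
    page, and the entries in between are the redirects or links followed.
    """
    if len(hops) < 2:
        return "no_path"
    schemes = [urlsplit(u).scheme for u in hops]
    hosts = [urlsplit(u).hostname for u in hops]
    if schemes[-1] != "https":
        return "login_on_http"               # credentials would leave in the clear
    if any(s == "http" for s in schemes[1:]):
        return "http_hop_before_login"       # an injectable HTTP page sits in the path
    if hosts[-1] != hosts[0]:
        return "https_login_on_other_host"   # login hosted on a different FQDN
    return "https_login_same_host"


# Constructed sample data standing in for crawled results.
SAMPLE_PATHS = {
    "bank-a": ["http://www.bank-a.example.jp/",
               "https://www.bank-a.example.jp/",
               "https://www.bank-a.example.jp/ib/login"],
    "bank-b": ["http://www.bank-b.example.jp/",
               "http://www.bank-b.example.jp/ib/",
               "https://login.bank-b.example.jp/"],
    "bank-c": ["http://www.bank-c.example.jp/",
               "https://ib.bank-c.example.jp/login"],
    "bank-d": ["http://www.bank-d.example.jp/",
               "http://www.bank-d.example.jp/login"],
}


def survey(paths: dict[str, list[str]]) -> dict[str, str]:
    """Classify every sampled bank's path and return {bank: category}."""
    return {name: classify_login_path(hops) for name, hops in paths.items()}


if __name__ == "__main__":
    # A certificate issued for the bare domain does not cover the www host:
    # this is the FQDN-mismatch case the survey counts as a problem.
    print(hostname_matches("www.bank-a.example.jp", ["bank-a.example.jp"]))
    print(hostname_matches("www.bank-a.example.jp", ["*.bank-a.example.jp"]))
    for bank, category in survey(SAMPLE_PATHS).items():
        print(f"{bank}: {category}")
```

In a real crawl the `cert_names` list would come from the peer certificate's subjectAltName extension and the hops from following the top page's redirects and login link with a client that refuses to upgrade on its own, so that an HTTP hop the browser would actually render is not hidden by the tool.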