HSTS Measurement and an Enhanced Stripping Attack Against HTTPS

HTTPS has played a significant role in the Internet world. HSTS is deployed to ensure the proper running of HTTPS. To get a good understanding of the deployment of HSTS, we conducted an in-depth measurement of the deployment of HSTS among Alexa top 1 million sites, and investigated bookmarks and navigation panels in different browsers. We found five types of threats, including transmission errors, redirection errors, field setting errors, the auto completion mechanism in bookmarks and the embedded addresses in navigation panels. To demonstrate defects we found, we designed an enhanced HTTPS stripping attack, which was upgraded from the original sslstrip attack. Finally, we gave three effective suggestions to eliminate these defects. This paper exposed various risks of HTTPS and HSTS, making it possible to deploy HTTPS and HSTS in a more secure way.

[1]  Ming Zhang,et al.  Pretty-Bad-Proxy: An Overlooked Adversary in Browsers' HTTPS Deployments , 2009, 2009 30th IEEE Symposium on Security and Privacy.

[2]  Mohammad Mannan,et al.  Killed by Proxy: Analyzing Client-end TLS Interce , 2016, NDSS.

[3]  Alan O. Freier,et al.  Internet Engineering Task Force (ietf) the Secure Sockets Layer (ssl) Protocol Version 3.0 , 2022 .

[4]  Adrienne Porter Felt,et al.  Alice in Warningland: A Large-Scale Field Study of Browser Security Warning Effectiveness , 2013, USENIX Security Symposium.

[5]  Bruce M. Maggs,et al.  Measurement and Analysis of Private Key Sharing in the HTTPS Ecosystem , 2016, CCS.

[6]  Georg Carle,et al.  The SSL landscape: a thorough analysis of the x.509 PKI using active and passive measurements , 2011, IMC '11.

[7]  Adrian Perrig,et al.  PoliCert: Secure and Flexible TLS Certificate Management , 2014, CCS.

[8]  Ding Wang,et al.  A New Scheme with Secure Cookie against SSLStrip Attack , 2012, WISM.

[9]  Kevin R. B. Butler,et al.  Forced Perspectives: Evaluating an SSL Trust Enhancement at Scale , 2014, Internet Measurement Conference.

[10]  Roy T. Fielding,et al.  Hypertext Transfer Protocol - HTTP/1.0 , 1996, RFC.

[11]  Felix Brezo,et al.  Implementation State of HSTS and HPKP in Both Browsers and Servers , 2016, CANS.

[12]  Tim Dierks,et al.  The Transport Layer Security (TLS) Protocol Version 1.2 , 2008 .

[13]  Angelos D. Keromytis,et al.  The Cracked Cookie Jar: HTTP Cookie Hijacking and the Exposure of Private Information , 2016, 2016 IEEE Symposium on Security and Privacy (SP).

[14]  Sid Stamm,et al.  Certified Lies: Detecting and Defeating Government Interception Attacks against SSL (Short Paper) , 2011, Financial Cryptography.

[15]  Joseph Bonneau,et al.  Upgrading HTTPS in mid-air: An empirical study of strict transport security and key pinning , 2015, NDSS.

[16]  Vitaly Shmatikov,et al.  The most dangerous code in the world: validating SSL certificates in non-browser software , 2012, CCS.

[17]  Lorrie Faith Cranor,et al.  Crying Wolf: An Empirical Study of SSL Warning Effectiveness , 2009, USENIX Security Symposium.