Man-in-the-browser-cache: Persisting HTTPS attacks via browser cache poisoning