Postcards from the Post-HTTP World: Amplification of HTTPS Vulnerabilities in the Web Ecosystem

HTTPS aims at securing communication over the Web by providing a cryptographic protection layer that ensures the confidentiality and integrity of communication and enables client/server authentication. However, HTTPS is based on the SSL/TLS protocol suites, which have been shown to be vulnerable to various attacks over the years. This has required fixes and mitigations both in servers and in browsers, producing a complicated mixture of protocol versions and implementations in the wild, which makes it unclear which attacks are still effective on the modern Web and what their impact is on web application security. In this paper, we present the first systematic quantitative evaluation of web application insecurity due to cryptographic vulnerabilities. We specify attack conditions against TLS using attack trees and we crawl the Alexa Top 10k to assess the impact of these issues on page integrity, authentication credentials and web tracking. Our results show that the security of a substantial number of websites is severely harmed by cryptographic weaknesses that, in many cases, are due to external or related-domain hosts. This empirically and systematically demonstrates how a relatively limited number of exploitable HTTPS vulnerabilities are amplified by the complexity of the web ecosystem.
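The two steps the abstract describes, evaluating attack trees over per-host TLS facts and then mapping the result onto the pages that depend on those hosts, can be sketched in code. The example below is added here and is not the paper's own tool: the attack tree is a deliberately simplified stand-in (three well-known preconditions: SSLv2 support, RSA key exchange with a Bleichenbacher padding oracle, SSLv3 with CBC ciphers) rather than the trees used in the paper, and the host names, scan facts and cookie scopes are constructed for illustration. It shows the amplification point: a page whose own host is well configured still loses page integrity when it includes a script from a breakable external host, and its session cookie is exposed when any related-domain host inside the cookie's `Domain` scope is breakable.

```python
"""Added example (not from the paper): attack-tree evaluation over
constructed TLS scan facts, propagated to the pages that depend on each host.
The tree, host names and scan results below are assumptions for illustration."""
from dataclasses import dataclass, field


@dataclass
class Node:
    name: str
    kind: str                       # "leaf", "and" or "or"
    children: list = field(default_factory=list)


def leaf(name):
    return Node(name, "leaf")


def AND(name, *children):
    return Node(name, "and", list(children))


def OR(name, *children):
    return Node(name, "or", list(children))


# Simplified attack tree (assumption). Leaves are facts a TLS scanner can
# observe on one host; inner nodes combine them into attack preconditions.
TLS_TREE = OR(
    "confidentiality_or_integrity_broken",
    leaf("supports_sslv2"),                                   # DROWN-style
    AND("rsa_padding_oracle",
        leaf("rsa_key_exchange"), leaf("bleichenbacher_oracle")),  # ROBOT-style
    AND("cbc_downgrade",
        leaf("supports_sslv3"), leaf("cbc_cipher")),         # POODLE-style
)


def evaluate(node, facts):
    """True if the goal at `node` is reachable given `facts` (set of leaf names)."""
    if node.kind == "leaf":
        return node.name in facts
    results = [evaluate(c, facts) for c in node.children]
    return all(results) if node.kind == "and" else any(results)


def witness(node, facts):
    """Smallest set of observed leaves that reaches the goal, or None."""
    if node.kind == "leaf":
        return {node.name} if node.name in facts else None
    subs = [witness(c, facts) for c in node.children]
    if node.kind == "and":
        return set().union(*subs) if all(s is not None for s in subs) else None
    ok = [s for s in subs if s is not None]
    return min(ok, key=len) if ok else None


@dataclass
class Page:
    url: str
    host: str
    script_hosts: list      # hosts whose scripts the page includes
    cookie_domains: list    # Domain attributes of the site's session cookies


def in_cookie_scope(host, domain):
    """RFC 6265 domain matching: the cookie is sent to `domain` and its subdomains."""
    d = domain.lstrip(".")
    return host == d or host.endswith("." + d)


def assess(page, scans, all_hosts):
    """Map per-host attack-tree results onto the page's security properties."""
    broken = {h for h in all_hosts if evaluate(TLS_TREE, scans.get(h, set()))}
    report = {"page_integrity": [], "credentials": []}
    # Page integrity: a MITM on any breakable host serving the page or its
    # scripts can alter the page's active content.
    for h in [page.host] + page.script_hosts:
        if h in broken:
            report["page_integrity"].append(h)
    # Credentials: a cookie is exposed if any host in its Domain scope is
    # breakable, since the browser sends it there too (related-domain host).
    for dom in page.cookie_domains:
        exposed = sorted(h for h in broken if in_cookie_scope(h, dom))
        if exposed:
            report["credentials"].append((dom, exposed))
    return report


# Constructed scan facts and page (assumptions, not measurements).
SCANS = {
    "www.example.com": set(),                                        # well configured
    "legacy.example.com": {"supports_sslv3", "cbc_cipher"},          # related-domain host
    "cdn.example-ads.net": {"rsa_key_exchange", "bleichenbacher_oracle"},  # external host
}
PAGE = Page("https://www.example.com/login", "www.example.com",
            ["cdn.example-ads.net"], [".example.com", "www.example.com"])

if __name__ == "__main__":
    for host, facts in SCANS.items():
        print(host, "->", witness(TLS_TREE, facts))
    print(assess(PAGE, SCANS, SCANS.keys()))
```

In this constructed case `www.example.com` itself passes every branch of the tree, yet the login page is reported with broken page integrity (through the external script host) and exposed credentials (through the related-domain host in the `.example.com` cookie scope), while the cookie scoped to `www.example.com` alone stays safe. A real study would replace the leaf facts with scanner output and the tree with the full attack conditions.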
