Analysis and Research on HTTPS Hijacking Attacks

With the development of e-commerce, the SSL protocol is being applied more and more widely to network services. Addressing defects in SSL authentication, this paper analyses two weaknesses in the SSL handshake and carries out an attack based on each: one using a fake certificate, and one converting HTTPS data to HTTP. Both are dangerous to HTTPS communication. For that reason, we propose three measures to strengthen data security: a static ARP table, an enhanced certificate system, and two-way authentication. Experimental results show that all three methods defend effectively against HTTPS hijacking attacks.
