论文信息 - Implementation State of HSTS and HPKP in Both Browsers and Servers

Implementation State of HSTS and HPKP in Both Browsers and Servers

HSTS and HPKP are relatively recent protocols aimed to enforce HTTPS connections and allow certificate pinning over HTTP. The combination of these protocols improves and strengthens HTTPS security in general, adding an additional layer of trust and verification, as well as ensuring as far as possible that the connection is always secure. However, the adoption and implementation of any protocol that is not yet completely settled, usually involves the possibility of introducing new weaknesses, opportunities or attack scenarios. Even when these protocols are implemented, bad practices prevent them from actually providing the additional security they are expected to provide. In this document, we have studied the quantity and the quality of the implementation both in servers and in most popular browsers and discovered some possible attack scenarios.

[1] Joseph Bonneau,et al. Upgrading HTTPS in mid-air: An empirical study of strict transport security and key pinning , 2015, NDSS.

[2] Adrian Perrig,et al. Perspectives: Improving SSH-style Host Authentication with Multi-Path Probing , 2008, USENIX Annual Technical Conference.

[3] Alfredo Pironti,et al. Triple Handshakes and Cookie Cutters: Breaking and Fixing Authentication over TLS , 2014, 2014 IEEE Symposium on Security and Privacy.

[4] Dan Boneh,et al. The State of HSTS Deployment: A Survey and Common Pitfalls , 2014 .

[5] Zhenkai Liang,et al. Man-in-the-browser-cache: Persisting HTTPS attacks via browser cache poisoning , 2015, Computers & security.