Postcards from the Post-HTTP World: Amplification of HTTPS Vulnerabilities in the Web Ecosystem
The result's identifiers
Result code in IS VaVaI
<a href="https://www.isvavai.cz/riv?ss=detail&h=RIV%2F00216224%3A14330%2F19%3A00107250" target="_blank" >RIV/00216224:14330/19:00107250 - isvavai.cz</a>
Result on the web
<a href="https://www.computer.org/csdl/proceedings-article/sp/2019/666000a948/19skg7hRywM" target="_blank" >https://www.computer.org/csdl/proceedings-article/sp/2019/666000a948/19skg7hRywM</a>
DOI - Digital Object Identifier
<a href="http://dx.doi.org/10.1109/SP.2019.00053" target="_blank" >10.1109/SP.2019.00053</a>
Alternative languages
Result language
angličtina
Original language name
Postcards from the Post-HTTP World: Amplification of HTTPS Vulnerabilities in the Web Ecosystem
Original language description
HTTPS aims at securing communication over the Web by providing a cryptographic protection layer that ensures the confidentiality and integrity of communication and enables client/server authentication. However, HTTPS is based on the SSL/TLS protocol suites that have been shown to be vulnerable to various attacks in the years. This has required fixes and mitigations both in the servers and in the browsers, producing a complicated mixture of protocol versions and implementations in the wild, which makes it unclear which attacks are still effective on the modern Web and what is their import on web application security. In this paper, we present the first systematic quantitative evaluation of web application insecurity due to cryptographic vulnerabilities. We specify attack conditions against TLS using attack trees and we crawl the Alexa Top 10k to assess the import of these issues on page integrity, authentication credentials and web tracking. Our results show that the security of a consistent number of websites is severely harmed by cryptographic weaknesses that, in many cases, are due to external or related-domain hosts. This empirically, yet systematically demonstrates how a relatively limited number of exploitable HTTPS vulnerabilities are amplified by the complexity of the web ecosystem.
Czech name
—
Czech description
—
Classification
Type
D - Article in proceedings
CEP classification
—
OECD FORD branch
10201 - Computer sciences, information science, bioinformathics (hardware development to be 2.2, social aspect to be 5.8)
Result continuities
Project
<a href="/en/project/GA16-08565S" target="_blank" >GA16-08565S: Advancing cryptanalytic methods through evolutionary computing</a><br>
Continuities
P - Projekt vyzkumu a vyvoje financovany z verejnych zdroju (s odkazem do CEP)<br>S - Specificky vyzkum na vysokych skolach
Others
Publication year
2019
Confidentiality
S - Úplné a pravdivé údaje o projektu nepodléhají ochraně podle zvláštních právních předpisů
Data specific for result type
Article name in the collection
Proceedings of the 40th IEEE Symposium on Security and Privacy
ISBN
9781538666609
ISSN
1081-6011
e-ISSN
—
Number of pages
18
Pages from-to
281-298
Publisher name
IEEE
Place of publication
San Fransisco, CA, US
Event location
San Francisco, CA
Event date
May 20, 2019
Type of event by nationality
WRD - Celosvětová akce
UT code for WoS article
000510006100017