Abstract
Web servers defend against man-in-the-middle (MITM) attacks and eavesdropping by using HTTP Strict Transport Security (HSTS) to force user agents to communicate only over HTTPS connections. However, a user's initial request to a site is made over an insecure HTTP connection. User agents such as Google Chrome and Firefox address this implicitly by shipping a static list of URLs that are to be accessed only over secure HTTPS connections. Since each user agent maintains its list independently, the URLs known to one user agent are invisible to another. A user is therefore prone to MITM attacks, especially in public hotspot environments, when accessing a URL that is present in one browser's list of secure URLs but not in another's, because the initial handshake from that user agent is insecure. Attacks can be initiated by modifying the outgoing HTTP packets and also the HTTPS response packets from the web server. This motivated us to propose a solution independent of the user agent: merging the static URL lists of different user agents and enforcing HTTPS for all of those URLs. In this paper, we propose SHS-HTTPS Enforcer, which introduces a local daemon that enforces URL redirection, before the request leaves the client, for the URLs in a list compiled from multiple sources. The proposed solution has been demonstrated through a prototype implementation using the Squid proxy server as the local daemon. The experiment was conducted by providing a URL that was absent from one browser's list but present in another browser's list. It was evident that SHS-HTTPS Enforcer enforced HTTPS successfully and MITM attacks were prevented.
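The core of the approach described above is a merged host list consulted by a local proxy before any request leaves the client. The following Python example is added here to illustrate that logic; it is not the paper's code or the SHS-HTTPS Enforcer prototype. The two preload-style lists are constructed sample data in the shape of the Chromium JSON entries and a flat one-host-per-line list, not real browser data, and the `squid_rewrite_response` helper assumes the Squid 3.4+ `url_rewrite_program` response format (`OK status=301 url=...` / `ERR`, with an optional leading channel ID), which should be checked against the documentation for the Squid version in use. Port handling follows RFC 6797 section 8.3: an explicit `:80` is dropped in favour of the HTTPS default, any other port is preserved.

```python
"""Merge browser HSTS preload-style lists and upgrade http:// URLs to https://.

Added example, not the paper's code. All list entries below are constructed.
"""
from urllib.parse import urlsplit, urlunsplit

# Constructed entries in the shape of Chromium's preload JSON
# (name, include_subdomains, mode). Not real preload data.
CHROME_STYLE = [
    {"name": "bank.example", "include_subdomains": True, "mode": "force-https"},
    {"name": "mail.example", "include_subdomains": False, "mode": "force-https"},
]

# Constructed flat list, one host per line, as a second browser might ship it.
FIREFOX_STYLE = """\
shop.example
mail.example
login.shop.example
"""


def merge_lists(chrome_entries, flat_text):
    """Return {host: include_subdomains} as the union of both sources.

    If either source covers subdomains, the merged policy does too: the
    stricter reading is the safe direction for an enforcer.
    """
    policy = {}
    for entry in chrome_entries:
        if entry.get("mode") != "force-https":
            continue
        host = entry["name"].lower()
        policy[host] = policy.get(host, False) or bool(entry.get("include_subdomains"))
    for line in flat_text.splitlines():
        host = line.strip().lower()
        if host and not host.startswith("#"):
            policy.setdefault(host, False)
    return policy


def covered(host, policy):
    """True if host is listed, or a parent domain is listed with include_subdomains."""
    host = host.lower().rstrip(".")
    if host in policy:
        return True
    labels = host.split(".")
    for i in range(1, len(labels)):
        if policy.get(".".join(labels[i:])):
            return True
    return False


def enforce(url, policy):
    """Rewrite an http:// URL to https:// when its host is covered, else return it unchanged."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "http" or parts.hostname is None:
        return url
    if not covered(parts.hostname, policy):
        return url
    netloc = parts.hostname  # urlsplit already lower-cases the host
    if parts.port is not None and parts.port != 80:
        netloc = f"{netloc}:{parts.port}"  # RFC 6797 8.3: keep a non-default port
    return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


def squid_rewrite_response(request_line, policy):
    """Answer one url_rewrite_program input line.

    Assumption (Squid 3.4+ helper protocol): the URL is the first field, an
    optional numeric channel ID precedes it when concurrency is enabled and
    must be echoed back, and the reply is 'OK status=301 url=<new>' or 'ERR'.
    """
    fields = request_line.split()
    if not fields:
        return "ERR"
    channel = ""
    if fields[0].isdigit() and len(fields) > 1:
        channel, fields = fields[0] + " ", fields[1:]
    url = fields[0]
    new_url = enforce(url, policy)
    if new_url == url:
        return channel + "ERR"
    return f"{channel}OK status=301 url={new_url}"


if __name__ == "__main__":
    policy = merge_lists(CHROME_STYLE, FIREFOX_STYLE)
    # Constructed helper input lines: URL, client, ident, method.
    for line in [
        "http://shop.example/cart?id=1 10.0.0.5/- - GET",   # only in the flat list
        "http://www.bank.example:80/acct 10.0.0.5/- - GET",  # covered via include_subdomains
        "http://sub.mail.example/ 10.0.0.5/- - GET",         # listed host, subdomains not covered
        "http://news.example/ 10.0.0.5/- - GET",             # not listed at all
    ]:
        print(squid_rewrite_response(line, policy))
```

The interesting case is `shop.example`: it appears in only one of the two constructed lists, so a browser shipping the other list would send its first request in the clear, while the merged policy upgrades it regardless of which browser issued the request. A host listed without `include_subdomains` deliberately does not cover its subdomains, which mirrors the preload semantics rather than over-enforcing.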
Paper title: SHS-HTTPS enforcer: enforcing HTTPS and preventing MITM attacks