Contributions to Proceedings:
S. Calzavara, R. Focardi, M. Nemec, A. Rabitti, M. Squarcina:
"Postcards from the Post-HTTP World: Amplification of HTTPS Vulnerabilities in the Web Ecosystem";
in: "2019 IEEE Symposium on Security and Privacy (SP)",
issued by: IEEE;
HTTPS aims at securing communication over theWeb by providing a cryptographic protection layer that ensuresthe confidentiality and integrity of communication and enablesclient/server authentication. However, HTTPS is based on theSSL/TLS protocol suites that have been shown to be vulnerableto various attacks in the years. This has required fixes andmitigations both in the servers and in the browsers, producing acomplicated mixture of protocol versions and implementations inthe wild, which makes it unclear which attacks are still effectiveon the modern Web and what is their import on web applicationsecurity. In this paper, we present the first systematic quantitativeevaluation of web application insecurity due to cryptographicvulnerabilities. We specify attack conditions against TLS usingattack trees and we crawl the Alexa Top 10k to assess the importof these issues onpage integrity,authentication credentialsandweb tracking. Our results show that the security of a consistentnumber of websites is severely harmed by cryptographic weak-nesses that, in many cases, are due to external or related-domainhosts. This empirically, yet systematically demonstrates how arelatively limited number of exploitable HTTPS vulnerabilitiesare amplified by the complexity of the web ecosystem.
HTTPS; TLS; Measurement; Web; Vulnerability-scan
"Official" electronic version of the publication (accessed through its Digital Object Identifier - DOI)
Electronic version of the publication:
Created from the Publication Database of the Vienna University of Technology.