Skip to main content
SpringerLink
Log in

On the Feasibility of Fine-Grained TLS Security Configurations in Web Browsers Based on the Requested Domain Name

  • Conference paper
  • First Online:
Security and Privacy in Communication Networks (SecureComm 2018)

  • 756 Accesses

Abstract

Most modern web browsers today sacrifice optimal TLS security for backward compatibility. They apply coarse-grained TLS configurations that support (by default) legacy versions of the protocol that have known design weaknesses, and weak ciphersuites that provide fewer security guarantees (e.g. non Forward Secrecy), and silently fall back to them if the server selects to. This introduces various risks including downgrade attacks such as the POODLE attack [15] that exploits the browsers silent fallback mechanism to downgrade the protocol version in order to exploit the legacy version flaws. To achieve a better balance between security and backward compatibility, we propose a mechanism for fine-grained TLS configurations in web browsers based on the sensitivity of the domain name in the HTTPS request using a whitelisting technique. That is, the browser enforces optimal TLS configurations for connections going to sensitive domains while enforcing default configurations for the rest of the connections. We demonstrate the feasibility of our proposal by implementing a proof-of-concept as a Firefox browser extension. We envision this mechanism as a built-in security feature in web browsers, e.g. a button similar to the “Bookmark” button in Firefox browsers and as a standardised HTTP header, to augment browsers security.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Notes

  1. 1.

    TLS 1.2 and TLS 1.3 ciphersuite strings have different format and define different set of algorithms. See [8] and [20] for more details.

  2. 2.

    In our paper, TLS clients are represented by web browsers. We will use the terms client, web browser, or browser interchangeably.

  3. 3.

    In our context, non-AE refers to ciphersuites that do not provide confidentiality, integrity, and authenticity simultaneously. For example the CBC MAC-then-encrypt ciphersuites which are susceptible to padding oracle attacks [25, 28].

  4. 4.

    Throughout the paper, mainstream browsers refer to the following tested versions: Chrome version 63.0.3239.108, Firefox 57.0.2, Internet Explorer 11.125.16299.0, Edge 41.16299.15.0, and Opera 49.0.2725.64.

  5. 5.

    Extended Validation is a passive browser indicator that appears in the address bar only for websites which have strongly verified identity.

  6. 6.

    A proxy (also known as middlebox) is an entity that can be placed between a client and server for various purposes such as interception or packet inspection. It splits the TLS connection between the client and server so that the client and server are in fact connecting to the proxy and not directly to each other.

  7. 7.

    We hypothetically and proactively assume TLS 1.3 is the highest version in our TLS policy levels’ definitions. This will be the case when TLS 1.3 becomes a standard soon. However, in practice (and in our proof-of-concept) the highest possible version is still TLS 1.2.

References

  1. Public key pinning extension for HTTP (2015). https://www.rfc-editor.org/rfc/rfc7469.txt

  2. HSTS preloaded list submission (2017). https://hstspreload.org/

  3. Adrian, D., et al.: Imperfect forward secrecy: how Diffie-Hellman fails in practice. In: Proceedings of Conference on Computer and Communications Security (CCS 2015), pp. 5–17 (2015)

    Google Scholar 

  4. Akhawe, D., Felt, A.P.: Alice in warningland: a large-scale field study of browser security warning effectiveness. In: Proceedings of USENIX Security Symposium, pp. 257–272 (2013)

    Google Scholar 

  5. Aviram, N., et al.: DROWN: breaking TLS using SSLv2. In: Proceedings of USENIX Security Symposium, pp. 689–706 (2016)

    Google Scholar 

  6. Beurdouche, B., et al.: A messy state of the union: taming the composite state machines of TLS. In: Proceedings of IEEE Symposium on Security and Privacy (SP), pp. 535–552 (2015)

    Google Scholar 

  7. Beurdouche, B., Delignat-Lavaud, A., Kobeissi, N., Pironti, A., Bhargavan, K.: FLEXTLS a tool for testing TLS implementations. In: Proceedings of 9th USENIX Workshop on Offensive Technologies (WOOT) (2014)

    Google Scholar 

  8. Dierks, T., Rescorla, E.: The transport layer security (TLS) protocol version 1.2 (2008). https://tools.ietf.org/html/rfc5246

  9. Eastlake, D.: Domain name system security extensions (1999). https://tools.ietf.org/html/rfc2535

  10. Egelman, S., Cranor, L.F., Hong, J.: You’ve been warned: an empirical study of the effectiveness of web browser phishing warnings. In: Proceedings of Human Factors in Computing Systems (SIGCHI), pp. 1065–1074 (2008)

    Google Scholar 

  11. Hodges, J., Jackson, C., Barth, A.: HTTP strict transport security (HSTS) (2012). https://tools.ietf.org/html/rfc6797

  12. Jackson, C., Barth, A.: ForceHTTPS: protecting high-security web sites from network attacks. In: Proceedings of 17th International Conference on World Wide Web (WWW 2008), pp. 525–534 (2008)

    Google Scholar 

  13. Jackson, C., Simon, D.R., Tan, D.S., Barth, A.: An evaluation of extended validation and picture-in-picture phishing attacks. In: Dietrich, S., Dhamija, R. (eds.) FC 2007. LNCS, vol. 4886, pp. 281–293. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-77366-5_27

    Chapter  Google Scholar 

  14. Mockapetris, P.: Domain names - implementation and specification (1987). https://www.ietf.org/rfc/rfc1035.txt

  15. Möller, B., Duong, T., Kotowicz, K.: This POODLE bites: exploiting the SSL 3.0 fallback (2014). https://www.openssl.org/~bodo/ssl-poodle.pdf

  16. Mozilla: Add-on SDK (2017). https://developer.mozilla.org/en-US/Add-ons/SDK

  17. Mozilla: Browser extensions (2017). https://developer.mozilla.org/en-US/Add-ons/WebExtensions

  18. Popov, A.: Prohibiting RC4 cipher suites (2015). https://tools.ietf.org/html/rfc7465

  19. Reeder, R., Felt, A.P., Consolvo, S., Malkin, N., Thompson, C., Egelman, S.: An experience sampling study of user reactions to browser warnings in the field. In: Proceedings of ACM CHI Conference in Human Factors on Computing Systems (2018)

    Google Scholar 

  20. Rescorla, E.: The transport layer security (TLS) protocol version 1.3 draft-ietf-tls-tls13-24 (2018). https://tools.ietf.org/html/draft-ietf-tls-tls13-24

  21. Samarasinghe, N., Mannan, M.: Short paper: TLS ecosystems in networked devices vs. web servers. In: Kiayias, A. (ed.) FC 2017. LNCS, vol. 10322, pp. 533–541. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70972-7_30

    Chapter  Google Scholar 

  22. Schechter, S.: Storing HTTP security requirements in the domain name system (2007). https://lists.w3.org/Archives/Public/public-wsc-wg/2007Apr/att-0332/http-ssr.html

  23. Schechter, S.E., Dhamija, R., Ozment, A., Fischer, I.: The emperors new security indicators. In: Proceedings of IEEE Symposium on Security and Privacy (SP), pp. 51–65 (2007)

    Google Scholar 

  24. Stamm, S., Sterne, B., Markham, G.: Reining in the web with content security policy. In: Proceedings of 19th International Conference on World Wide Web (WWW 2010), pp. 921–930 (2010)

    Google Scholar 

  25. Sullivan, N.: Padding oracles and the decline of CBC-mode cipher suites (2016). https://blog.cloudflare.com/padding-oracles-and-the-decline-of-cbc-mode-ciphersuites/

  26. Sunshine, J., Egelman, S., Almuhimedi, H., Atri, N., Cranor, L.F.: Crying wolf: an empirical study of SSL warning effectiveness. In: Proceedings of USENIX Security Symposium, pp. 399–416 (2009)

    Google Scholar 

  27. Szalachowski, P., Matsumoto, S., Perrig, A.: PoliCert: secure and flexible TLS certificate management. In: Proceedings of Conference on Computer and Communications Security (CCS), pp. 406–417 (2014)

    Google Scholar 

  28. Vaudenay, S.: Security flaws induced by CBC padding—applications to SSL, IPSEC, WTLS. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 534–545. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-46035-7_35

    Chapter  Google Scholar 

  29. Wu, M., Miller, R.C., Garfinkel, S.L.: Do security toolbars actually prevent phishing attacks? In: Proceedings of Human Factors in Computing Systems (SIGCHI), pp. 601–610 (2006)

    Google Scholar 

Download references

Acknowledgment

The authors would like to thank Prof. Karthikeyan Bhargavan and Prof. Andrew Martin for useful feedback, Nicholas Moore for useful discussions on javascript, William Seymour and John Gallacher for proofreading.

Author information

Authors and Affiliations

  1. University of Oxford, Oxford, UK

    Eman Salem Alashwali & Kasper Rasmussen

  2. King Abdulaziz University (KAU), Jeddah, Saudi Arabia

    Eman Salem Alashwali

Authors
  1. Eman Salem Alashwali
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Kasper Rasmussen
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Eman Salem Alashwali .

Editor information

Editors and Affiliations

  1. Klaus Advanced Computing Building, Georgia Institute of Technology, Atlanta, GA, USA

    Raheem Beyah

  2. Singapore Management University, Singapore, Singapore

    Bing Chang

  3. School of Information Systems, Singapore Management University, Singapore, Singapore

    Yingjiu Li

  4. Pennsylvania State University, University Park, PA, USA

    Sencun Zhu

Rights and permissions

Reprints and permissions

Copyright information

© 2018 ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Alashwali, E.S., Rasmussen, K. (2018). On the Feasibility of Fine-Grained TLS Security Configurations in Web Browsers Based on the Requested Domain Name. In: Beyah, R., Chang, B., Li, Y., Zhu, S. (eds) Security and Privacy in Communication Networks. SecureComm 2018. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 255. Springer, Cham. https://doi.org/10.1007/978-3-030-01704-0_12

Download citation

  • DOI: https://doi.org/10.1007/978-3-030-01704-0_12

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-01703-3

  • Online ISBN: 978-3-030-01704-0

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation