Abstract
By executing a network attack, an attacker is able to eavesdrop on a user’s traffic, or even manipulate the traffic while it is in transit. By itself, the scope of a network attack is limited to inspecting and manipulating traffic on the network. However, this capability often serves as a stepping stone, resulting in an escalation towards impersonating the user, taking control of the user’s browser, etc. In this chapter, we cover three varieties of network attacks. First, we discuss an eavesdropping attack, where the attacker listens in on the traffic being sent. Next, we cover man-in-the-middle attacks, where the attacker can also manipulate the traffic while in transit. Finally, we discuss attacks on the Hypertext Transfer Protocol (HTTPS) protocol, which uses the Transport Layer Security (TLS) to offer certain security guarantees.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
References
Aboba, B., Simon, D., Eronen, P.: Extensible authentication protocol (EAP) key management framework. RFC Proposed Standard (RFC 5247) (2008)
AlFardan, N.J., Paterson, K.G.: Lucky thirteen: breaking the TLS and DTLS record protocols. In: Proceedings of the 34th IEEE Symposium on Security and Privacy (SP) (2013)
AlFardan, N., Bernstein, D.J., Paterson, K.G., Poettering, B., Schuldt, J.: On the security of RC4 in TLS and WPA. In: Proceedings of the 34th IEEE Symposium on Security and Privacy (SP) (2013)
Associated Press: New nuclear sub is said to have special eavesdropping ability. http://www.nytimes.com/2005/02/20/politics/20submarine.html?_r=0 (2005)
Bahajji, Z.A., Illyes, G.: Https as a ranking signal. http://googlewebmastercentral.blogspot.be/2014/08/https-as-ranking-signal.html (2014)
Belshe, M., Peon, R.: SPDY protocol. IETF Internet Draft (2012)
Belshe, M., Thomson, M., Melnikov, A., Peon, R.: Hypertext transfer protocol version 2.0. IETF Internet Draft (2014)
Butler, E.: Firesheep. http://codebutler.com/firesheep (2010)
Cooper, D., Santesson, S., Farrell, S., Boeyen, S., Housley, R., Polk, W.: Internet X.509 public key infrastructure certificate and certificate revocation list (CRL) profile. RFC Proposed Standard (RFC 5280) (2008)
Dierks, T.: The transport layer security (TLS) protocol version 1.2. RFC 5246 (2008)
Dierks, T., Rescorla, E.: The transport layer security (TLS) protocol version 1.3. RFC 5246bis (2014)
Dingledine, R., Mathewson, N., Syverson, P.: Tor: The second-generation onion router. Tech. rep., DTIC Document (2004)
Duong, T., Rizzo, J.: BEAST—here come the XOR Ninjas. http://nerdoholic.org/uploads/dergln/beast_part2/ssl_jun21.pdf\hrefhttp://nerdoholic.org/uploads/dergln/beast_part2/ssl_jun21.pdfhttp://nerdoholic.org/uploads/dergln/beast_part2/ssl_jun21.pdf (2011)
Electronic Frontier Foundation: Https everywhere. https://www.eff.org/https-everywhere (2013)
Ettercap Project: Ettercap home page. http://ettercap.github.io/ettercap/ (2013)
Evans, C., Palmer, C., Sleevi, R.: Public key pinning extension for HTTP. IETF Internet Draft (2014)
Farrell, S., Hoffman, P., Thomas, M.: HTTP Origin-Bound Authentication (HOBA). IETF Internet Draft (2014)
Franks, J., Hallam-Baker, P., Hostetler, J., Lawrence, S., Leach, P., Luotonen, A., Stewart, L.: HTTP authentication: basic and digest access authentication. RFC Draft Standard (RFC 2617) (1999)
Friedl, S., Popov, A.: Transport Layer Security (TLS) application layer protocol negotiation extension. RFC Proposed Standard (RFC 7301) (2014)
Gluck, Y., Harris, N., Prado, A.: BREACH: reviving the cRIME attack. http://breachattack.com/resources/BREACH%20-%20SSL,%20gone%20in%2030%20seconds.pdf\hrefhttp://breachattack.com/resources/BREACH%20-%20SSL,%20gone%20in%2030%20seconds.pdfhttp://breachattack.com/resources/BREACH%20-%20SSL,%20gone%20in%2030%20seconds.pdf (2013)
Goland, Y., Whitehead, E., Faizi, A., Carter, S., Jensen, D.: HTTP extensions for distributed authoring—WEBDAV (1999)
Grant, A.C.: Search for trust: an analysis and comparison of CA system alternatives and enhancements (2012)
HAK5: wifi pineapple. https://wifipineapple.com/ (2013)
Hodges, J., Jackson, C., Barth, A.: HTTP strict transport security (HSTS). RFC Proposed Standard (RFC 6797) (2012)
Hoffman, P., Schlyter, J.: The DNS-based authentication of named entities (DANE) transport layer security (TLS) protocol: TLSA. RFC Proposed Standard (RFC 6698) (2012)
Huang, L.S., Rice, A., Ellingsen, E., Jackson, C.: Analyzing forged ssl certificates in the wild. In: Proceedings of the 35th IEEE Symposium on Security and Privacy (SP) (2014)
Jackson, C., Barth, A.: ForceHTTPS: protecting high-security web sites from network attacks. In: Proceedings of the 17th International Conference on World Wide Web (WWW), pp. 525–534 (2008)
Langley, A.: Overclocking ssl. https://www.imperialviolet.org/2010/06/25/overclocking-ssl.html (2010)
Langley, A.: ChaCha20 and Poly1305 based Cipher suites for TLS. IETF Internet Draft (2013)
Laurie, B., Langley, A., Kasper, E.: Certificate transparency. RFC Experimental (RFC 6962) (2013)
Lennon, M.: Hackers exploited heartbleed bug to steal 4.5 million patient records: Report. http://www.securityweek.com/hackers-exploited-heartbleed-bug-steal-45-million-patient-records-report (2014)
Marlinspike, M.: New tricks for defeating ssl in practice. BlackHat DC, February (2009)
Marlinspike, M.: Sslstrip. http://www.thoughtcrime.org/software/sslstrip/ (2009)
Masnick, M.: FLYING PIG: The NSA is running man in the middle attacks imitating Google’s servers. http://www.techdirt.com/articles/20130910/10470024468/flying-pig-nsa-is-running-man-middle-attacks-imitating-googles-servers.shtml (2013)
Modell, M., Barz, A., Toth, G., Loesch, C.v.: Certificate patrol. https://addons.mozilla.org/en-US/firefox/addon/certificate-patrol/ (2014)
Nikiforakis, N., Younan, Y., Joosen, W.: Hproxy: client-side detection of ssl stripping attacks. In: Proceedings of the 7th Conference on Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA), pp. 200–218 (2010)
Nottingham, M.: Opportunistic encryption for HTTP URIs. IETF Internet Draft (2014)
Prins, J.: Diginotar certificate authority breach—'operation black tulip`. Fox-IT (2011)
Qualys: Qualys SSL labs. https://www.ssllabs.com/ (2014)
Qualys: Trustworthy internet movement—ssl pulse. https://www.trustworthyinternet.org/ssl-pulse/ (2014)
Rescorla, E., Ray, M., Dispensa, S., Oskov, N.: Transport layer security (TLS) renegotiation indication extension. RFC Proposed Standard (RFC 5746) (2010)
Ristić, I.: OpenSSL cookbook. Feisty Duck (2013)
Ristić, I.: Bulletproof SSL and TLS. Feisty Duck (2014)
Rizzo, J., Duong, T.: The CRIME Attack. https://docs.google.com/presentation/d/11eBmGiHbYcHR9gL5nDyZChu_-lCa2GizeuOfaLU2HOU/edit?pli=1#slide=id.g1d134dff_1_222(2012)
Roberts, P.: Infographic:Aheartbleed disclosure timeline (secunia). https://securityledger.com/2014/06/infographic-a-heartbleed-disclosure-timeline-secunia/ (2014)
Schneier, B.: Hearbleed. https://www.schneier.com/blog/archives/2014/04/heartbleed.html (2014)
Schoen, S., Galperin, E.: Iranian man-in-the-middle attack against google demonstrates dangerous weakness of certificate authorities. https://www.eff.org/deeplinks/2011/08/iranian-man-middle-attack-against-google (2011)
Sheffer, Y., Holz, R., Saint-Andre, P.: Recommendations for secure use of TLS and DTLS. IETF Internet Draft (2014)
Song, D.: dsniff. http://www.monkey.org/ dugsong/dsniff/ (2000)
The Guardian: Edward Snowden. http://www.theguardian.com/world/edward-snowden (2013)
The H Security: trustwave issued a man-in-the-middle certificate. http://h-online.com/-1429982 (2012)
Toussain, M., Shields, C.: Subterfuge. http://kinozoa.com/blog/subterfuge-documentation/ (2013)
W3Techs: Usage statistics and makert share of ssl certificate authorities for websites, august 2014. http://w3techs.com/technologies/overview/ssl_certificate/all (2014)
Wi-Fi Alliance: Wi-Fi protected access: strong, standards-based, interoperable security for today’s Wi-Fi networks. http://www.ans-vb.com/Docs/Whitepaper_Wi-Fi_Security4-29-03.pdf (2003)
Author information
Authors and Affiliations
Corresponding author
Rights and permissions
Copyright information
© 2014 Philippe De Ryck, Lieven Desmet, Frank Piessens, Martin Johns
About this chapter
Cite this chapter
Ryck, P., Desmet, L., Piessens, F., Johns, M. (2014). Attacks on the Network. In: Primer on Client-Side Web Security. SpringerBriefs in Computer Science. Springer, Cham. https://doi.org/10.1007/978-3-319-12226-7_5
Download citation
DOI: https://doi.org/10.1007/978-3-319-12226-7_5
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-12225-0
Online ISBN: 978-3-319-12226-7
eBook Packages: Computer ScienceComputer Science (R0)