
Attacks on the Network

Primer on Client-Side Web Security

Part of the book series: SpringerBriefs in Computer Science ((BRIEFSCOMPUTER))


Abstract

By executing a network attack, an attacker is able to eavesdrop on a user’s traffic, or even manipulate the traffic while it is in transit. By itself, the scope of a network attack is limited to inspecting and manipulating traffic on the network. However, this capability often serves as a stepping stone, resulting in an escalation towards impersonating the user, taking control of the user’s browser, etc. In this chapter, we cover three varieties of network attacks. First, we discuss an eavesdropping attack, where the attacker listens in on the traffic being sent. Next, we cover man-in-the-middle attacks, where the attacker can also manipulate the traffic while in transit. Finally, we discuss attacks on the Hypertext Transfer Protocol Secure (HTTPS) protocol, which uses Transport Layer Security (TLS) to offer certain security guarantees.



Author information

Correspondence to Philippe De Ryck.


Copyright information

© 2014 Philippe De Ryck, Lieven Desmet, Frank Piessens, Martin Johns

Cite this chapter

Ryck, P., Desmet, L., Piessens, F., Johns, M. (2014). Attacks on the Network. In: Primer on Client-Side Web Security. SpringerBriefs in Computer Science. Springer, Cham. https://doi.org/10.1007/978-3-319-12226-7_5


  • DOI: https://doi.org/10.1007/978-3-319-12226-7_5

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-12225-0

  • Online ISBN: 978-3-319-12226-7
