Abstract
HTTPS stripping attacks leverage a combination of weak configuration choices to trick users into providing sensitive data through hijacked connections. Here we present a browser extension that helps web users detect this kind of integrity and authenticity breach by extracting relevant features from the browsed pages and comparing them to reference values coming from different sorts of trusted sources. The rationale behind the extension is discussed, and its effectiveness is demonstrated with some quantitative results gathered on the prototype that has been implemented for Mozilla Firefox.
Copyright information
© 2012 IFIP International Federation for Information Processing
About this paper
Cite this paper
Prandini, M., Ramilli, M. (2012). A Browser-Based Distributed System for the Detection of HTTPS Stripping Attacks against Web Pages. In: Gritzalis, D., Furnell, S., Theoharidou, M. (eds) Information Security and Privacy Research. SEC 2012. IFIP Advances in Information and Communication Technology, vol 376. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-30436-1_47
DOI: https://doi.org/10.1007/978-3-642-30436-1_47
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-30435-4
Online ISBN: 978-3-642-30436-1
eBook Packages: Computer Science, Computer Science (R0)