A large-scale analysis of HTTPS deployments: Challenges, solutions, and recommendations

2020 ◽  
pp. 1-26
Author(s):  
Qinwen Hu ◽  
Muhammad Rizwan Asghar ◽  
Nevil Brownlee

HTTPS refers to an application-specific implementation that runs HyperText Transfer Protocol (HTTP) on top of Secure Socket Layer (SSL) or Transport Layer Security (TLS). HTTPS is used to provide encrypted communication and secure identification of web servers and clients, for different purposes such as online banking and e-commerce. However, many HTTPS vulnerabilities have been disclosed in recent years. Although many studies have pointed out that these vulnerabilities can lead to serious consequences, domain administrators seem to ignore them. In this study, we evaluate the HTTPS security level of Alexa’s top 1 million domains from two perspectives. First, we explore which popular sites are still affected by those well-known security issues. Our results show that less than 0.1% of HTTPS-enabled servers in the measured domains are still vulnerable to known attacks including Rivest Cipher 4 (RC4), Compression Ratio Info-Leak Mass Exploitation (CRIME), Padding Oracle On Downgraded Legacy Encryption (POODLE), Factoring RSA Export Keys (FREAK), Logjam, and Decrypting Rivest–Shamir–Adleman (RSA) using Obsolete and Weakened eNcryption (DROWN). Second, we assess the security level of the digital certificates used by each measured HTTPS domain. Our results highlight that less than 0.52% of domains use an expired certificate, 0.42% of HTTPS certificates contain different hostnames, and 2.59% of HTTPS domains use a self-signed certificate. The domains we investigate in our study cover 5 regions (including ARIN, RIPE NCC, APNIC, LACNIC, and AFRINIC) and 61 different categories such as online shopping websites, banking websites, educational websites, and government websites. Although our results show that the problem still exists, we find that changes have been taking place when HTTPS vulnerabilities were discovered. Through this three-year study, we found that more attention has been paid to the use and configuration of HTTPS.
For example, more and more domains begin to enable the HTTPS protocol to ensure a secure communication channel between users and websites. From the first measurement, we observed that many domains are still using TLS 1.0 and 1.1, SSL 2.0, and SSL 3.0 protocols to support user clients that use outdated systems. As the previous studies revealed security risks of using these protocols, in the subsequent studies, we found that the majority of domains updated their TLS protocol on time. Our 2020 results suggest that most HTTPS domains use the TLS 1.2 protocol and show that some HTTPS domains are still vulnerable to the existing known attacks. As academics and industry professionals continue to disclose attacks against HTTPS and recommend the secure configuration of HTTPS, we found that the number of vulnerable domains is gradually decreasing every year.

2019 ◽  
Vol 15 (1) ◽  
pp. 1-20
Author(s):  
Shyam P. Joy ◽  
Priya Chandran

Collaborative applications use the security services offered by secure socket layer / transport layer security (SSL/TLS) to implement authentication and confidentiality. Since SSL/TLS establishes a secure communication between two participants, for a secure network of n (> 2) participants, at least n(n-1)/2 secure communication channels have to be established. Whereas, a group key agreement (GKA) protocol allows the participants to compute a common secret group key as a function of the secrets of participants, and thereby remove the n(n-1)/2 lower bound on the channel requirement. Partial forward secrecy is a property of the GKA protocol which assesses the secrecy of the group key, when the secrets are compromised. Collaborative applications have different security requirements. Hence, the Spread Toolkit offers a set of GKA protocols, so that the designers can choose the most appropriate one. In this article, given a set of GKA protocols, a method is proposed to select the best among them, with respect to partial forward secrecy.


2020 ◽  
Vol 9 (6) ◽  
pp. 339-348
Author(s):  
Jens R. Ziehn ◽  
Masoud Roschani ◽  
Miriam Ruf ◽  
Dennis Bruestle ◽  
Jürgen Beyerer ◽  
...  

With advances in automated and connected driving, secure communication is increasingly becoming a safety-critical function. Injection of manipulated radio messages into traffic can cause severe accidents in the foreseeable future, and can currently be achieved without having to manipulate on-board vehicle systems directly, for example by hijacking cellphones instead and using these as senders. Thereby, large-scale attacks on vehicles can be executed remotely, and target relatively vulnerable devices. To mitigate remaining vulnerabilities in current automotive security architectures, this paper proposes a secondary communication channel using vehicle head and taillights. In contrast to existing approaches, this method allows both to achieve a sufficient data rate and to extract the angular position of the sender, by means of an imaging process which only requires close-to-market, cost-efficient technology. Through this, injecting false messages by masquerading as a different sender is considerably more challenging: The receiver can verify a message’s source position with the supposed position of the sender, e.g. by using on-board sensors or communicated information. Thereby, reliably faking both the communicated messages and the position of the sender will require direct manipulation of on-board vehicle systems, raising the security level of the function accordingly, and precluding low-threshold, wide-range attacks.


2021 ◽  
Vol 2021 (3) ◽  
pp. 394-412
Author(s):  
Yana Dimova ◽  
Gunes Acar ◽  
Lukasz Olejnik ◽  
Wouter Joosen ◽  
Tom Van Goethem

Online tracking is a whack-a-mole game between trackers who build and monetize behavioral user profiles through intrusive data collection, and anti-tracking mechanisms that are deployed as browser extensions, DNS resolvers, or built-in to the browser. As a response to pervasive and opaque online tracking, more and more users adopt anti-tracking measures to preserve their privacy. Consequently, as the information that trackers can gather on users is being curbed, some trackers are looking for ways to evade these protections. In this paper we report on a large-scale longitudinal evaluation of an anti-tracking evasion scheme that leverages CNAME records to include tracker resources in a same-site context, which effectively bypasses anti-tracking measures that rely on fixed hostname-based block lists. Using historical HTTP Archive data we find that this tracking scheme is rapidly gaining traction, especially among high-traffic websites. Furthermore, we report on several privacy and security issues inherent to the technical setup of CNAME-based tracking that we detected through a combination of automated and manual analyses. We find that some trackers are using the technique against the Safari browser, which is known to include strict anti-tracking configurations. Our findings show that websites using CNAME trackers must take extra precautions to avoid leaking sensitive information to third parties.


2019 ◽  
Vol 29 (11n12) ◽  
pp. 1761-1779
Author(s):  
Chi Li ◽  
Zuxing Gu ◽  
Min Zhou ◽  
Jiecheng Wu ◽  
Jiarui Zhang ◽  
...  

Libraries offer reusable functionality through Application Programming Interfaces (APIs) with usage constraints such as call conditions or orders. Constraint violations, i.e. API misuses, commonly lead to bugs and security issues. Although researchers have developed various API misuse detectors in the past few decades, recent studies show that API misuse is prevalent in real-world projects, especially for secure socket layer (SSL) certificate validation, which is completely broken in many security-critical applications and libraries. In this paper, we introduce SSLDoc to effectively detect API misuse bugs, specifically for SSL API libraries. The key insight behind SSLDoc is a constraint-directed static analysis technique powered by a domain-specific language (DSL) for specifying API usage constraints. Through studying real-world API misuse bugs, we propose ISpec DSL, which covers the majority of types of API usage constraints and enables simple but precise specification. Furthermore, we design and implement SSLDoc to automatically parse ISpec into checking targets and employ a static analysis engine to identify potential API misuses and prune false positives with rich semantics. We have instantiated SSLDoc for OpenSSL APIs and applied it to large-scale open-source programs. SSLDoc found 45 previously unknown security-sensitive bugs in the OpenSSL implementation and applications in Ubuntu. Up to now, 35 have been confirmed by the corresponding development communities and 27 have been fixed in the master branch.


2021 ◽  
pp. 089443932110068
Author(s):  
Aleksandra Urman ◽  
Mykola Makhortykh ◽  
Roberto Ulloa

We examine how six search engines filter and rank information in relation to the queries on the U.S. 2020 presidential primary elections under the default—that is nonpersonalized—conditions. For that, we utilize an algorithmic auditing methodology that uses virtual agents to conduct large-scale analysis of algorithmic information curation in a controlled environment. Specifically, we look at the text search results for “us elections,” “donald trump,” “joe biden,” “bernie sanders” queries on Google, Baidu, Bing, DuckDuckGo, Yahoo, and Yandex, during the 2020 primaries. Our findings indicate substantial differences in the search results between search engines and multiple discrepancies within the results generated for different agents using the same search engine. It highlights that whether users see certain information is decided by chance due to the inherent randomization of search results. We also find that some search engines prioritize different categories of information sources with respect to specific candidates. These observations demonstrate that algorithmic curation of political information can create information inequalities between the search engine users even under nonpersonalized conditions. Such inequalities are particularly troubling considering that search results are highly trusted by the public and can shift the opinions of undecided voters as demonstrated by previous research.

