Research Article
HSTS Measurement and an Enhanced Stripping Attack Against HTTPS
@INPROCEEDINGS{10.1007/978-3-319-78813-5_25, author={Xurong Li and Chunming Wu and Shouling Ji and Qinchen Gu and Raheem Beyah}, title={HSTS Measurement and an Enhanced Stripping Attack Against HTTPS}, proceedings={Security and Privacy in Communication Networks. 13th International Conference, SecureComm 2017, Niagara Falls, ON, Canada, October 22--25, 2017, Proceedings}, proceedings_a={SECURECOMM}, year={2018}, month={4}, keywords={HSTS HTTPS Stripping attack Security}, doi={10.1007/978-3-319-78813-5_25} }- Xurong Li
Chunming Wu
Shouling Ji
Qinchen Gu
Raheem Beyah
Year: 2018
HSTS Measurement and an Enhanced Stripping Attack Against HTTPS
SECURECOMM
Springer
DOI: 10.1007/978-3-319-78813-5_25
Abstract
HTTPS has played a significant role in the Internet world. HSTS is deployed to ensure the proper running of HTTPS. To get a good understanding of the deployment of HSTS, we conducted an in-depth measurement of the deployment of HSTS among Alexa top 1 million sites, and investigated bookmarks and navigation panels in different browsers. We found five types of threats, including transmission errors, redirection errors, field setting errors, the auto completion mechanism in bookmarks and the embedded addresses in navigation panels. To demonstrate defects we found, we designed an enhanced HTTPS stripping attack, which was upgraded from the original attack. Finally, we gave three effective suggestions to eliminate these defects. This paper exposed various risks of HTTPS and HSTS, making it possible to deploy HTTPS and HSTS in a more secure way.