Security and Privacy in Communication Networks. 13th International Conference, SecureComm 2017, Niagara Falls, ON, Canada, October 22–25, 2017, Proceedings

Research Article

HSTS Measurement and an Enhanced Stripping Attack Against HTTPS

  • @INPROCEEDINGS{10.1007/978-3-319-78813-5_25,
        author={Xurong Li and Chunming Wu and Shouling Ji and Qinchen Gu and Raheem Beyah},
        title={HSTS Measurement and an Enhanced Stripping Attack Against HTTPS},
        proceedings={Security and Privacy in Communication Networks. 13th International Conference, SecureComm 2017, Niagara Falls, ON, Canada, October 22--25, 2017, Proceedings},
        proceedings_a={SECURECOMM},
        year={2018},
        month={4},
        keywords={HSTS HTTPS Stripping attack Security},
        doi={10.1007/978-3-319-78813-5_25}
    }
    
  • Xurong Li
    Chunming Wu
    Shouling Ji
    Qinchen Gu
    Raheem Beyah
    Year: 2018
    HSTS Measurement and an Enhanced Stripping Attack Against HTTPS
    SECURECOMM
    Springer
    DOI: 10.1007/978-3-319-78813-5_25
Xurong Li1,*, Chunming Wu1,*, Shouling Ji,*, Qinchen Gu2,*, Raheem Beyah2,*
  • 1: Zhejiang University
  • 2: Georgia Institute of Technology
*Contact email: lixurong@zju.edu.cn, wuchunming@zju.edu.cn, sji@zju.edu.cn, qgu7@gatech.edu, raheem.beyah@ece.gatech.edu

Abstract

HTTPS has played a significant role in the Internet world. HSTS is deployed to ensure the proper running of HTTPS. To get a good understanding of the deployment of HSTS, we conducted an in-depth measurement of the deployment of HSTS among Alexa top 1 million sites, and investigated bookmarks and navigation panels in different browsers. We found five types of threats, including transmission errors, redirection errors, field setting errors, the auto completion mechanism in bookmarks and the embedded addresses in navigation panels. To demonstrate defects we found, we designed an enhanced HTTPS stripping attack, which was upgraded from the original attack. Finally, we gave three effective suggestions to eliminate these defects. This paper exposed various risks of HTTPS and HSTS, making it possible to deploy HTTPS and HSTS in a more secure way.