In today's World Wide Web, hundreds of thousands of companies use SSL to protect their customers' transactions from potential eavesdroppers. Recently, a new attack against the common usage of SSL surfaced: SSL stripping. The attack is based on the fact that users almost never request secure pages explicitly but rather rely on the servers to redirect them to the appropriate secure version of a particular website. An attacker who has become a man-in-the-middle can suppress such redirects and provide the user with "stripped" versions of the requested website, forcing the user to communicate over an insecure channel. In this paper, we analyze the ways that SSL stripping can be used by attackers and present a countermeasure against such attacks. We leverage the browser's history to create a security profile for each visited website. Each profile contains information about the exact use of SSL at each website, and all future connections to that site are validated against it. We show that SSL stripping attacks can be prevented with acceptable overhead and without support from web servers or trusted third parties.
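The history-based profile described in the abstract, as an added illustration (example code, not the paper's implementation): each trusted page load teaches the store how a host uses SSL (HTTP-to-HTTPS redirects, paths served over HTTPS, forms posting to HTTPS targets), and later loads are checked for deviations that a stripping man-in-the-middle would cause. The observation fields (URL, redirect target, form action URLs) and the host names are assumptions for the example; in a real browser they would come from the navigation and DOM.

```python
from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass
class SiteProfile:
    """What the browser history says about one host's use of SSL."""
    redirects_to_https: bool = False                    # plain-HTTP request was answered with a redirect to HTTPS
    https_paths: set = field(default_factory=set)       # paths that have been served over HTTPS
    https_form_paths: set = field(default_factory=set)  # paths whose forms all submitted to HTTPS targets


class SslProfileStore:
    """Builds per-site profiles from past page loads and validates new loads against them."""

    def __init__(self):
        self.profiles = {}  # hostname -> SiteProfile

    def learn(self, url, redirected_to=None, form_actions=()):
        """Record a trusted observation: the URL loaded, where it redirected, and its form targets."""
        u = urlsplit(url)
        p = self.profiles.setdefault(u.hostname, SiteProfile())
        path = u.path or "/"
        if u.scheme == "http" and redirected_to and urlsplit(redirected_to).scheme == "https":
            p.redirects_to_https = True
        if u.scheme == "https":
            p.https_paths.add(path)
            if form_actions and all(urlsplit(a).scheme == "https" for a in form_actions):
                p.https_form_paths.add(path)

    def check(self, url, redirected_to=None, form_actions=()):
        """Return the list of deviations from the profile; an empty list means the load is consistent."""
        u = urlsplit(url)
        p = self.profiles.get(u.hostname)
        if p is None:
            return []  # first visit: no history to compare against
        path = u.path or "/"
        violations = []
        if u.scheme == "http":
            if p.redirects_to_https and not (redirected_to and urlsplit(redirected_to).scheme == "https"):
                violations.append(f"{u.hostname}: expected HTTP->HTTPS redirect is missing")
            if path in p.https_paths:
                violations.append(f"{u.hostname}{path}: previously served over HTTPS, now plain HTTP")
        if path in p.https_form_paths:
            for a in form_actions:
                if urlsplit(a).scheme != "https":
                    violations.append(f"{u.hostname}{path}: form now submits to {a} instead of an HTTPS target")
        return violations
```

A load that matches the learned profile returns no violations; a stripped load of a page the history knows as HTTPS-only returns one entry per deviation, which a client-side proxy or extension could turn into a blocked request or a warning.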