Statistical Identification of Encrypted Web Browsing Traffic
SP '02 Proceedings of the 2002 IEEE Symposium on Security and Privacy
Secure Programming Cookbook for C and C++
Secure Programming Cookbook for C and C++
Remote timing attacks are practical
SSYM'03 Proceedings of the 12th conference on USENIX Security Symposium - Volume 12
Pretty-Bad-Proxy: An Overlooked Adversary in Browsers' HTTPS Deployments
SP '09 Proceedings of the 2009 30th IEEE Symposium on Security and Privacy
Short Chosen-Prefix Collisions for MD5 and the Creation of a Rogue CA Certificate
CRYPTO '09 Proceedings of the 29th Annual International Cryptology Conference on Advances in Cryptology
Side-Channel Leaks in Web Applications: A Reality Today, a Challenge Tomorrow
SP '10 Proceedings of the 2010 IEEE Symposium on Security and Privacy
How to Shop for Free Online -- Security Analysis of Cashier-as-a-Service Based Web Stores
SP '11 Proceedings of the 2011 IEEE Symposium on Security and Privacy
PKI layer cake: new collision attacks against the global x.509 infrastructure
FC'10 Proceedings of the 14th international conference on Financial Cryptography and Data Security
Beyond the blacklist: modeling malware spread and the effect of interventions
Proceedings of the 2012 workshop on New security paradigms
Unikernels: library operating systems for the cloud
Proceedings of the eighteenth international conference on Architectural support for programming languages and operating systems
Designing leakage-resilient password entry on touchscreen mobile devices
Proceedings of the 8th ACM SIGSAC symposium on Information, computer and communications security
Here's my cert, so trust me, maybe?: understanding TLS errors on the web
Proceedings of the 22nd international conference on World Wide Web
Towards secure and dependable software-defined networks
Proceedings of the second ACM SIGCOMM workshop on Hot topics in software defined networking
Privacy in content-oriented networking: threats and countermeasures
ACM SIGCOMM Computer Communication Review
Rethinking SSL development in an appified world
Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security
Predictability of Android OpenSSL's pseudo random number generator
Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security
MinimaLT: minimal-latency networking through better security
Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security
Breaking cell phone authentication: vulnerabilities in AKA, IMS and Android
WOOT'13 Proceedings of the 7th USENIX conference on Offensive Technologies
Explicating SDKs: uncovering assumptions underlying secure authentication and authorization
SEC'13 Proceedings of the 22nd USENIX conference on Security
| Hi-index | 0.00 |
SSL (Secure Sockets Layer) is the de facto standard for secure Internet communications. Security of SSL connections against an active network attacker depends on correctly validating public-key certificates presented when the connection is established. We demonstrate that SSL certificate validation is completely broken in many security-critical applications and libraries. Vulnerable software includes Amazon's EC2 Java library and all cloud clients based on it; Amazon's and PayPal's merchant SDKs responsible for transmitting payment details from e-commerce sites to payment gateways; integrated shopping carts such as osCommerce, ZenCart, Ubercart, and PrestaShop; AdMob code used by mobile websites; Chase mobile banking and several other Android apps and libraries; Java Web-services middleware including Apache Axis, Axis 2, Codehaus XFire, and Pusher library for Android and all applications employing this middleware. Any SSL connection from any of these programs is insecure against a man-in-the-middle attack. The root causes of these vulnerabilities are badly designed APIs of SSL implementations (such as JSSE, OpenSSL, and GnuTLS) and data-transport libraries (such as cURL) which present developers with a confusing array of settings and options. We analyze perils and pitfalls of SSL certificate validation in software based on these APIs and present our recommendations.