Research and Implementation of Three HTTPS Attacks

Authors

  • Kefei Cheng
  • Tingqiang Jia
  • Meng Gao
Abstract

With the rapid development of network applications, the security of network transmission has become very important, and the SSL protocol is increasingly widely used in a variety of network services. The SSL protocol itself is not perfect, however, and problems also arise in practice. Focusing on the deficiencies of endpoint authentication in the SSL handshake, the paper analyzes two kinds of defects in the handshake process. First, the handshake, which is the first stage of an SSL connection, is carried out in plaintext, so it can be monitored and tampered with. Second, in actual SSL deployments, performance considerations for the network connection mean that deployments usually use connection switching based on the HTTP protocol. In response to these deficiencies, the paper uses two methods to attack them: forged certificates, and converting the data stream from HTTPS to HTTP. In addition, a new attack mode against the HTTPS data stream is designed and implemented. Experiments show that these three methods pose significant security risks to HTTPS communications. The paper therefore proposes three measures to enhance network security: a static ARP table, an enhanced certificate mechanism, and mutual authentication. The experiments show that these three measures can defend relatively effectively against attacks on HTTPS.


Similar resources

Threshold Implementation as a Countermeasure against Power Analysis Attacks

One of the usual ways to find sensitive data or secret parameters of cryptographic devices is to use their physical leakages. Power analysis is one of the attacks which lie in such a model. In comparison with other types of side-channels, power analysis is very efficient and has a high success rate. So it is important to provide a countermeasure against it. Different types of countermeasures use ...


A New Intrusion Detection System to deal with Black Hole Attacks in Mobile Ad Hoc Networks

By extending wireless networks and because of their different nature, some attacks appear in these networks which did not exist in wired networks. Security is a serious challenge for actual implementation in wireless networks. Due to lack of the fixed infrastructure and also because of security holes in routing protocols in mobile ad hoc networks, these networks are not protected against attack...


Cookies Lack Integrity: Real-World Implications

A cookie can contain a “secure” flag, indicating that it should be only sent over an HTTPS connection. Yet there is no corresponding flag to indicate how a cookie was set: attackers who act as a man-in-the-middle even temporarily on an HTTP session can inject cookies which will be attached to subsequent HTTPS connections. Similar attacks can also be launched by a web attacker from a related do...


Man in Middle Attack in Ssl and Https

Protecting our data online is never going to be an easy task, especially nowadays when attackers are regularly inventing new techniques and exploits to steal your data. Sometimes their attacks will not be so harmful for individual users. But large-scale attacks on some popular websites or financial databases could be highly dangerous. In most cases, the attackers first try to push some ma...


Enhanced Flush+Reload Attack on AES

In cloud computing, multiple users can share the same physical machine that can potentially leak secret information, in particular when the memory de-duplication is enabled. Flush+Reload attack is a cache-based attack that makes use of resource sharing. T-table implementation of AES is commonly used in the crypto libraries like OpenSSL. Several Flush+Reload attacks on T-table implementat...


Journal title:
  • JNW

Volume 6  Issue 

Pages  -

Publication date 2011