Li Chang
ABSTRACT
URL redirection is a popular technique that automatically navigates users to an intended destination webpage with- out user awareness. However, such a seemingly advantageous feature may offer inadequate protection from security vulnerabilities unless every redirection is performed over HTTPS. Even worse, as long as the final redirection to a website is performed over HTTPS, the browser's URL bar indicates that the website is secure regardless of the security of prior redirections, which may provide users with a false sense of security. This paper reports a well-rounded investigation to analyze the wellness of URL redirection security. As an initial large-scale investigation, we screened the integrity and consistency of URL redirections for the Alexa top one million (1M) websites, and further examined 10,000 (10K) websites with their login features. Our results suggest that 1) the majority (83.3% in the 1M dataset and 78.6% in the 10K dataset) of redirection trails among web- sites that support only HTTPS are vulnerable to attacks, and 2) current incoherent practices (e.g., naked domains and www subdomains being redirected to different destinations with varying security levels) undermine the security guarantees provided by HTTPS and HSTS.
- CWE-601: URL Redirection to Untrusted Site ('Open Redirect'). https://cwe.mitre.org/data/definitions/601.html.Google Scholar
- Http archive. http://httparchive.org/.Google Scholar
- HTTPS at Google. https://www.google.com/transparencyreport/https/.Google Scholar
- Https everywhere. https://www.eff.org/Https-everywhere.Google Scholar
- Let's Encrypt. https://letsencrypt.org/.Google Scholar
- Pulse: How federal government domains are meeting best practices on the web. https://pulse.cio.gov/.Google Scholar
- RFC6797 HTTP Strict Transport Security (HSTS). https://tools.ietf.org/html/rfc6797.Google Scholar
- Survey of the SSL implementation of the most popular web sites. https://www.trustworthyinternet.org/ssl-pulse/.Google Scholar
- The HTTPS-Only Standard. https://https.cio.gov/hsts/.Google Scholar
- Upgrade Insecure Requests (W3C Candidate Recommendation). https://www.w3.org/TR/upgrade-insecure-requests.Google Scholar
- D. Adrian, K. Bhargavan, Z. Durumeric, P. Gaudry, M. Green, J. A. Halderman, N. Heninger, D. Springall, E. Thomé, L. Valenta, B. VanderSloot, E. Wustrow, S. Zanella-Béguelin, and P. Zimmermann. Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice. In ACM CCS, 2015. Google ScholarDigital Library
- D. Akhawe, B. Amann, M. Vallentin, and R. Sommer. Here's My Cert, So Trust Me, Maybe? Understanding TLS Errors on the Web. In WWW, 2013. Google ScholarDigital Library
- N. Aviram, S. Schinzel, J. Somorovsky, N. Heninger, M. Dankel, J. Steube, L. Valenta, D. Adrian, J. A. Halderman, V. Dukhovni, E. Käsper, S. Cohney, S. Engels, C. Paar, and Y. Shavitt. DROWN: Breaking TLS using SSLv2. In USENIX Security Symposium, 2016.Google Scholar
- J. Clark and P. C. van Oorschot. SoK: SSL and HTTPS: Revisiting past challenges and evaluating certificate trust model enhancements. In IEEE Symposium on Security and Privacy, 2013. Google ScholarDigital Library
- Z. Durumeric, J. Kasten, M. Bailey, and J. A. Halderman. Analysis of the HTTPS Certificate Ecosystem. In ACM Internet Measurement Conference, 2013. Google ScholarDigital Library
- Z. Durumeric, E. Wustrow, and J. A. Halderman. ZMap: Fast Internet-wide Scanning and Its Security Applications. In USENIX Security Symposium, 2013. Google ScholarDigital Library
- R. Holz, L. Braun, N. Kammenhuber, and G. Carle. The SSL Landscape: a Thorough Analysis of the x.509 PKI Using Active and Passive Measurements. In ACM IMC, 2011. Google ScholarDigital Library
- J. Hong. The Current State of Phishing Attacks. Communications of the ACM, 55(1):74--81, 2012. Google ScholarDigital Library
- L.-S. Huang, S. Adhikarla, D. Boneh, and C. Jackson. An Experimental Study of TLS Forward Secrecy Deployments. IEEE Internet Computing, 18(6):43--51, 2014.Google ScholarCross Ref
- L.-S. Huang, A. Rice, E. Ellingsen, and C. Jackson. Analyzing Forged SSL Certificates in the Wild. In IEEE Symposium on Security and Privacy, 2014. Google ScholarDigital Library
- C. Jackson and A. Barth. ForceHTTPS: Protecting High-Security Web Sites from Network Attacks. In WWW, 2008. Google ScholarDigital Library
- M. Kranch and J. Bonneau. Upgrading HTTPS in Mid-Air: An Empirical Study of Strict Transport Security and Key Pinning. In NDSS, 2015.Google ScholarCross Ref
- H. Lee, T. Malkin, and E. Nahum. Cryptographic Strength of SSL/TLS Servers: Current and Recent Practices. In ACM IMC, 2007. Google ScholarDigital Library
- Z. Li, K. Zhang, Y. Xie, F. Yu, and X. Wang. Knowing Your Enemy: Understanding and Detecting Malicious Web Advertising. In ACM CCS, 2012. Google ScholarDigital Library
- J. Liang, J. Jiang, H. Duan, K. Li, T. Wan, and J. Wu. When HTTPS Meets CDN: A Case of Authentication in Delegated Service. In IEEE Symposium on Security and Privacy, 2014. Google ScholarDigital Library
- M. Marlinspike. New Tricks for Defeating SSL in Practice. In BlackHat, 2009.Google Scholar
- D. Silver, S. Jana, E. Chen, C. Jackson, and D. Boneh. Password Managers: Attacks and Defenses. In USENIX Security, 2014. Google ScholarDigital Library
- S. Sivakorn, I. Polakis, and A. D. Keromytis. The Cracked Cookie Jar: HTTP Cookie Hijacking and the Exposure of Private Information. In IEEE Symposium on Security and Privacy, 2016.Google Scholar
- D. Stebila. Reinforcing Bad Behaviour: the Misuse of Security Indicators on Popular Websites. In ACM OZCHI, 2010. Google ScholarDigital Library
- Y. Zhou and D. Evans. SSOScan: Automated Testing of Web Applications for Single Sign-On Vulnerabilities. In USENIX Security, 2014. Google ScholarDigital Library
Index Terms
- Security Implications of Redirection Trail in Popular Websites Worldwide
Recommendations
Mission accomplished?: HTTPS security after diginotar
IMC '17: Proceedings of the 2017 Internet Measurement ConferenceDriven by CA compromises and the risk of man-in-the-middle attacks, new security features have been added to TLS, HTTPS, and the web PKI over the past five years. These include Certificate Transparency (CT), for making the CA system auditable; HSTS and ...
SHS-HTTPS enforcer: enforcing HTTPS and preventing MITM attacks
Web servers provide immunity against Man In The Middle (MITM) attacks and eavesdropping by using HTTP Strict Transport Security (HSTS) to force user agents to communicate only over HTTPS connections. However, the initial connection request from a user ...
A fuzzy logic approach for detecting redirection spam
Redirection spam is a relatively newer technique whereby spammers redirect the search user to an unwanted webpage or download malware on the victim's machine without his consent. Spammers are making use of chained redirections to hide their nefarious ...
Comments