Trust No One Else: Detecting MITM Attacks against SSL/TLS without Third-Parties

  • Italo Dacosta
  • Mustaque Ahamad
  • Patrick Traynor
Conference paper

DOI: 10.1007/978-3-642-33167-1_12

Part of the Lecture Notes in Computer Science book series (LNCS, volume 7459)
Cite this paper as:
Dacosta I., Ahamad M., Traynor P. (2012) Trust No One Else: Detecting MITM Attacks against SSL/TLS without Third-Parties. In: Foresti S., Yung M., Martinelli F. (eds) Computer Security – ESORICS 2012. ESORICS 2012. Lecture Notes in Computer Science, vol 7459. Springer, Berlin, Heidelberg

Abstract

The security guarantees provided by SSL/TLS depend on the correct authentication of servers through certificates signed by a trusted authority. However, as recent incidents have demonstrated, trust in these authorities is not well placed. Increasingly, certificate authorities (by coercion or compromise) have been creating forged certificates for a range of adversaries, allowing seemingly secure communications to be intercepted via man-in-the-middle (MITM) attacks. A variety of solutions have been proposed, but their complexity and deployment costs have hindered their adoption. In this paper, we propose Direct Validation of Certificates (DVCert), a novel protocol that, instead of relying on third-parties for certificate validation, allows domains to directly and securely vouch for their certificates using previously established user authentication credentials. By relying on a robust cryptographic construction, this relatively simple means of enhancing server identity validation is not only efficient and comparatively easy to deploy, but it also solves other limitations of third-party solutions. Our extensive experimental analysis in both desktop and mobile platforms shows that DVCert transactions require little computation time on the server (e.g., less than 1 ms) and are unlikely to degrade server performance or user experience. In short, we provide a robust and practical mechanism to enhance server authentication and protect web applications from MITM attacks against SSL/TLS.

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

Copyright information

© Springer-Verlag Berlin Heidelberg 2012

Authors and Affiliations

  • Italo Dacosta
    • 1
  • Mustaque Ahamad
    • 1
  • Patrick Traynor
    • 1
  1. 1.Converging Infrastructure Security (CISEC) Laboratory, Georgia Tech Information Security Center (GTISC)Georgia Institute of TechnologyUSA

Personalised recommendations