Advertisement

On the Feasibility of Fine-Grained TLS Security Configurations in Web Browsers Based on the Requested Domain Name

  • Eman Salem AlashwaliEmail author
  • Kasper Rasmussen
Conference paper
Part of the Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering book series (LNICST, volume 255)

Abstract

Most modern web browsers today sacrifice optimal TLS security for backward compatibility. They apply coarse-grained TLS configurations that support (by default) legacy versions of the protocol that have known design weaknesses, and weak ciphersuites that provide fewer security guarantees (e.g. non Forward Secrecy), and silently fall back to them if the server selects to. This introduces various risks including downgrade attacks such as the POODLE attack [15] that exploits the browsers silent fallback mechanism to downgrade the protocol version in order to exploit the legacy version flaws. To achieve a better balance between security and backward compatibility, we propose a mechanism for fine-grained TLS configurations in web browsers based on the sensitivity of the domain name in the HTTPS request using a whitelisting technique. That is, the browser enforces optimal TLS configurations for connections going to sensitive domains while enforcing default configurations for the rest of the connections. We demonstrate the feasibility of our proposal by implementing a proof-of-concept as a Firefox browser extension. We envision this mechanism as a built-in security feature in web browsers, e.g. a button similar to the “Bookmark” button in Firefox browsers and as a standardised HTTP header, to augment browsers security.

Notes

Acknowledgment

The authors would like to thank Prof. Karthikeyan Bhargavan and Prof. Andrew Martin for useful feedback, Nicholas Moore for useful discussions on javascript, William Seymour and John Gallacher for proofreading.

References

  1. 1.
    Public key pinning extension for HTTP (2015). https://www.rfc-editor.org/rfc/rfc7469.txt
  2. 2.
    HSTS preloaded list submission (2017). https://hstspreload.org/
  3. 3.
    Adrian, D., et al.: Imperfect forward secrecy: how Diffie-Hellman fails in practice. In: Proceedings of Conference on Computer and Communications Security (CCS 2015), pp. 5–17 (2015)Google Scholar
  4. 4.
    Akhawe, D., Felt, A.P.: Alice in warningland: a large-scale field study of browser security warning effectiveness. In: Proceedings of USENIX Security Symposium, pp. 257–272 (2013)Google Scholar
  5. 5.
    Aviram, N., et al.: DROWN: breaking TLS using SSLv2. In: Proceedings of USENIX Security Symposium, pp. 689–706 (2016)Google Scholar
  6. 6.
    Beurdouche, B., et al.: A messy state of the union: taming the composite state machines of TLS. In: Proceedings of IEEE Symposium on Security and Privacy (SP), pp. 535–552 (2015)Google Scholar
  7. 7.
    Beurdouche, B., Delignat-Lavaud, A., Kobeissi, N., Pironti, A., Bhargavan, K.: FLEXTLS a tool for testing TLS implementations. In: Proceedings of 9th USENIX Workshop on Offensive Technologies (WOOT) (2014)Google Scholar
  8. 8.
    Dierks, T., Rescorla, E.: The transport layer security (TLS) protocol version 1.2 (2008). https://tools.ietf.org/html/rfc5246
  9. 9.
    Eastlake, D.: Domain name system security extensions (1999). https://tools.ietf.org/html/rfc2535
  10. 10.
    Egelman, S., Cranor, L.F., Hong, J.: You’ve been warned: an empirical study of the effectiveness of web browser phishing warnings. In: Proceedings of Human Factors in Computing Systems (SIGCHI), pp. 1065–1074 (2008)Google Scholar
  11. 11.
    Hodges, J., Jackson, C., Barth, A.: HTTP strict transport security (HSTS) (2012). https://tools.ietf.org/html/rfc6797
  12. 12.
    Jackson, C., Barth, A.: ForceHTTPS: protecting high-security web sites from network attacks. In: Proceedings of 17th International Conference on World Wide Web (WWW 2008), pp. 525–534 (2008)Google Scholar
  13. 13.
    Jackson, C., Simon, D.R., Tan, D.S., Barth, A.: An evaluation of extended validation and picture-in-picture phishing attacks. In: Dietrich, S., Dhamija, R. (eds.) FC 2007. LNCS, vol. 4886, pp. 281–293. Springer, Heidelberg (2007).  https://doi.org/10.1007/978-3-540-77366-5_27CrossRefGoogle Scholar
  14. 14.
    Mockapetris, P.: Domain names - implementation and specification (1987). https://www.ietf.org/rfc/rfc1035.txt
  15. 15.
    Möller, B., Duong, T., Kotowicz, K.: This POODLE bites: exploiting the SSL 3.0 fallback (2014). https://www.openssl.org/~bodo/ssl-poodle.pdf
  16. 16.
  17. 17.
  18. 18.
    Popov, A.: Prohibiting RC4 cipher suites (2015). https://tools.ietf.org/html/rfc7465
  19. 19.
    Reeder, R., Felt, A.P., Consolvo, S., Malkin, N., Thompson, C., Egelman, S.: An experience sampling study of user reactions to browser warnings in the field. In: Proceedings of ACM CHI Conference in Human Factors on Computing Systems (2018)Google Scholar
  20. 20.
    Rescorla, E.: The transport layer security (TLS) protocol version 1.3 draft-ietf-tls-tls13-24 (2018). https://tools.ietf.org/html/draft-ietf-tls-tls13-24
  21. 21.
    Samarasinghe, N., Mannan, M.: Short paper: TLS ecosystems in networked devices vs. web servers. In: Kiayias, A. (ed.) FC 2017. LNCS, vol. 10322, pp. 533–541. Springer, Cham (2017).  https://doi.org/10.1007/978-3-319-70972-7_30CrossRefGoogle Scholar
  22. 22.
    Schechter, S.: Storing HTTP security requirements in the domain name system (2007). https://lists.w3.org/Archives/Public/public-wsc-wg/2007Apr/att-0332/http-ssr.html
  23. 23.
    Schechter, S.E., Dhamija, R., Ozment, A., Fischer, I.: The emperors new security indicators. In: Proceedings of IEEE Symposium on Security and Privacy (SP), pp. 51–65 (2007)Google Scholar
  24. 24.
    Stamm, S., Sterne, B., Markham, G.: Reining in the web with content security policy. In: Proceedings of 19th International Conference on World Wide Web (WWW 2010), pp. 921–930 (2010)Google Scholar
  25. 25.
    Sullivan, N.: Padding oracles and the decline of CBC-mode cipher suites (2016). https://blog.cloudflare.com/padding-oracles-and-the-decline-of-cbc-mode-ciphersuites/
  26. 26.
    Sunshine, J., Egelman, S., Almuhimedi, H., Atri, N., Cranor, L.F.: Crying wolf: an empirical study of SSL warning effectiveness. In: Proceedings of USENIX Security Symposium, pp. 399–416 (2009)Google Scholar
  27. 27.
    Szalachowski, P., Matsumoto, S., Perrig, A.: PoliCert: secure and flexible TLS certificate management. In: Proceedings of Conference on Computer and Communications Security (CCS), pp. 406–417 (2014)Google Scholar
  28. 28.
    Vaudenay, S.: Security flaws induced by CBC padding—applications to SSL, IPSEC, WTLS. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 534–545. Springer, Heidelberg (2002).  https://doi.org/10.1007/3-540-46035-7_35CrossRefGoogle Scholar
  29. 29.
    Wu, M., Miller, R.C., Garfinkel, S.L.: Do security toolbars actually prevent phishing attacks? In: Proceedings of Human Factors in Computing Systems (SIGCHI), pp. 601–610 (2006)Google Scholar

Copyright information

© ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering 2018

Authors and Affiliations

  1. 1.University of OxfordOxfordUK
  2. 2.King Abdulaziz University (KAU)JeddahSaudi Arabia

Personalised recommendations