Analysis of WEB Browsers of HSTS Security Under the MITM Management Environment

Part of the Communications in Computer and Information Science book series (CCIS,volume 1438)

Abstract

Transactional websites and cloud-hosted services have become the most widely used applications, thanks to their portability and ease of use. The rapid growth of cloud solutions, deployed in the digital contexts of Web 4.0, has multiplied the kinds of transactions that can be carried out online, but security problems keep growing with them. Computer security is therefore an expanding field that produces new ways to mitigate vulnerabilities in the handling of information on a transactional website. This paper analyses the performance, weaknesses and strengths of the HSTS standard as a security complement to the SSL/TLS protocol.

Several test scenarios are run under a man-in-the-middle (MITM) attack that intercepts or captures the traffic sent and received during web transactions, in order to determine whether the standard can prevent such an intrusion; this matters for the transactional environments in everyday use, such as banking and online purchasing. Vulnerabilities of the standard are verified at the first request to a website; once the policy is in place, it keeps the transaction encrypted from its beginning to its end. The browsers analysed are Mozilla Firefox, Google Chrome and Internet Explorer, in controlled corporate and personal environments. The importance of the browser to security is outlined: Google Chrome performed best under the attack, while the other browsers showed shortcomings during the first connection request, for some milliseconds in the point-to-point model, in the initial phase of the information exchange.
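The first-request weakness the abstract describes, as an added example that is not part of the paper: a small Python model of a browser's HSTS cache following RFC 6797 (the header is honoured only on an HTTPS response, max-age expiry, max-age=0 revocation, includeSubDomains superdomain matching) together with an on-path SSL-stripping attacker. The host names (`bank.example`), the header values, the `navigate` and `scenario` helpers and the preloaded entry are all constructed assumptions; the preloaded case models the built-in HSTS lists browsers ship, which the page itself does not discuss.

```python
"""Added example (not the paper's code): a model of a browser's HSTS cache with
RFC 6797 semantics, plus an SSL-stripping attacker, to show why the first
request to a host is the weak point the paper tests. Host names, header
values and the attacker model are constructed for the illustration."""
import re
import time
from dataclasses import dataclass


@dataclass
class HstsEntry:
    expires: float            # absolute clock value at which the policy lapses
    include_subdomains: bool


class HstsCache:
    """Known-HSTS-host store; `preloaded` mimics the built-in list some
    browsers ship (the entries used below are hypothetical)."""

    def __init__(self, preloaded=(), clock=time.time):
        self.clock = clock
        self.hosts = {host: HstsEntry(float("inf"), True) for host in preloaded}

    def process_response(self, host, over_https, headers):
        """RFC 6797 s8.1: honour the STS header only on an error-free HTTPS
        response; a header seen over plain HTTP is ignored. Returns True if
        the cache changed."""
        value = headers.get("Strict-Transport-Security")
        if not over_https or value is None:
            return False
        directives = _parse_sts(value)
        if "max-age" not in directives:
            return False                      # max-age is mandatory; ignore
        max_age = int(directives["max-age"])
        if max_age == 0:
            self.hosts.pop(host, None)        # max-age=0 revokes the policy
            return True
        self.hosts[host] = HstsEntry(self.clock() + max_age,
                                     "includesubdomains" in directives)
        return True

    def is_known(self, host):
        """Exact match, or a live superdomain policy with includeSubDomains."""
        now = self.clock()
        labels = host.split(".")
        for i in range(len(labels)):
            entry = self.hosts.get(".".join(labels[i:]))
            if entry and entry.expires > now and (i == 0 or entry.include_subdomains):
                return True
        return False


def _parse_sts(value):
    """'max-age=31536000; includeSubDomains' -> {'max-age': '31536000', ...}"""
    out = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            out[name.lower()] = val.strip().strip('"')
    return out


def navigate(cache, typed_url, attacker_on_path, server):
    """Simulate one navigation. Returns (scheme actually used, stripped?)."""
    host = re.sub(r"^https?://", "", typed_url).split("/")[0]
    if typed_url.startswith("https://") or cache.is_known(host):
        # Upgraded inside the browser before any byte is sent: a stripping
        # proxy never gets a plaintext request to tamper with.
        cache.process_response(host, True, server(host))
        return "https", False
    if attacker_on_path:
        # The plaintext request leaves the browser; the attacker keeps the
        # victim on HTTP and talks TLS to the real server itself (sslstrip).
        return "http", True
    # Benign network: the server upgrades the request and sets the policy.
    cache.process_response(host, True, server(host))
    return "https", False


def scenario():
    """Four navigations that bracket the first-request window."""
    def bank(host):  # constructed server response
        return {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}
    now = [1_000_000.0]
    clock = lambda: now[0]
    fresh = HstsCache(clock=clock)
    first_visit = navigate(fresh, "bank.example", True, bank)
    learned = HstsCache(clock=clock)
    navigate(learned, "bank.example", False, bank)             # clean first visit
    later = navigate(learned, "http://www.bank.example", True, bank)
    now[0] += 31536000 + 1                                     # policy lapses
    expired = navigate(learned, "bank.example", True, bank)
    pre = HstsCache(preloaded=("bank.example",), clock=clock)
    preloaded = navigate(pre, "bank.example", True, bank)
    return first_visit, later, expired, preloaded


if __name__ == "__main__":
    print(scenario())  # (('http', True), ('https', False), ('http', True), ('https', False))
```

The four results show the window the paper measures: the very first plaintext request to an unknown host is stripped, a browser that has already learned the policy upgrades even a typed http:// URL to a subdomain before anything reaches the network, the window reopens once max-age lapses (so short max-age values and long idle periods matter), and a preloaded entry closes it for the first request as well. A real browser is stricter than this model (it also discards the header on a response with certificate errors and follows the server's redirects), so the model shows the mechanism, not any particular browser's implementation.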

Keywords

  • Web browsers
  • HSTS complement
  • MITM attacker
  • Security

Fig. 1. Used infrastructure (see Table 1). Source: Authors [21].

Figs. 2–11. Source: Authors.

References

  1. Fernandes, D.A.B., Soares, L.F.B., Gomes, J.V., Freire, M.M., Inácio, P.R.M.: Security issues in cloud environments: a survey. Int. J. Inf. Secur. 13(2), 113–170 (2013). https://doi.org/10.1007/s10207-013-0208-7

  2. Kiljan, S., Simoens, K., Cock, D.D., Eekelen, M.V., Vranken, H.: A survey of authentication and communications security in online banking. ACM Comput. Surv. 49(4), 61 (2017)

  3. Wang, Y.Q.: Discussion on the security and reliability in network transactions. Appl. Mech. Mater. 427–429, 2321–2324 (2013)

  4. Jarauta Sánchez, J., Prado Montes, Á.: Seguridad en sistemas de comunicación (2017)

  5. Cenci, K.M., Matteis, L.D., Ardenghi, J.R.: Arquitectura en capas para acceso remoto sad. In: XVIII Congreso Argentino de Ciencias de la Computación (2013)

  6. Cenci, K.M., Matteis, L.D., Ardenghi, J.R.: Tiered architecture for remote access to data sources. J. Comput. Sci. Technol. 14, 67–72 (2014)

  7. Trejo Alfaro, Y.G.: Prueba de penetración de la caja gris realizada a la solución Redborder versión cloud (2017)

  8. Vázquez Sanisidro, A.: Optimización de Páginas Web: Visión teórica y análisis práctico (2017)

  9. Hodges, J., Jackson, C., Barth, A.: HTTP Strict Transport Security (HSTS). RFC 6797 (2012)

  10. Hodges, J., Jackson, C., Barth, A.: RFC 6797: HTTP Strict Transport Security (HSTS). IETF (2012). https://tools.Ietf.org/html/rfc6797

  11. Selvi, J.: Bypassing HTTP strict transport security. Black Hat Europe (2014)

  12. Cajiao, G., Fabricio, E.: Método para la detección y prevención de ataques web mediante la parametrización de un proxy reverso basado en software libre. Master's thesis, Escuela Superior Politécnica de Chimborazo (2018)

  13. Raharjo, W.S., Bajuadji, A.A.: Analisa Implementasi Protokol HTTPS pada Situs Web Perguruan Tinggi di Pulau Jawa. J. ULTIMATICS 8(2), 102–111 (2017). https://doi.org/10.31937/ti.v8i2.518

  14. Ortega, M., Santiago, A.: Metodología de hacking ético para instituciones financieras, aplicación de un caso práctico. Master's thesis (2017)

  15. Winter, P., Köwer, R., Mulazzani, M., Huber, M., Schrittwieser, S., Lindskog, S., Weippl, E.: Spoiled onions: exposing malicious Tor exit relays. In: De Cristofaro, E., Murdoch, S.J. (eds.) Privacy Enhancing Technologies: 14th International Symposium, PETS 2014, Amsterdam, The Netherlands, July 16–18, 2014. Proceedings, pp. 304–331. Springer International Publishing, Cham (2014). https://doi.org/10.1007/978-3-319-08506-7_16

  16. Muñoz, A., Guzmán, A., Santos, S.D.L.: Contramedidas en la suplantación de autoridades de certificación. Certificate pinning (2014)

  17. Sivakorn, S., Polakis, I., Keromytis, A.D.: The cracked cookie jar: HTTP cookie hijacking and the exposure of private information. In: 2016 IEEE Symposium on Security and Privacy (SP), pp. 724–742. IEEE (May 2016)

  18. Kalyanam, R., Yang, B.: Try-CybSI: an extensible cybersecurity learning and demonstration platform. In: Proceedings of the 18th Annual Conference on Information Technology Education, pp. 41–46. ACM (September 2017)

  19. Bujlow, T., Carela-Español, V., Solé-Pareta, J., Barlet-Ros, P.: Web tracking: mechanisms, implications, and defenses. arXiv preprint arXiv:1507.07872 (2015)

  20. Bujlow, T., Carela-Español, V., Solé-Pareta, J., Barlet-Ros, P.: A survey on web tracking: mechanisms, implications, and defenses. Proc. IEEE 105(8), 1476–1510 (2017)

  21. Raúl, B.G., Sevillano, A.M.L.: Services cloud under HSTS, strengths and weakness before an attack of man in the middle MITM. In: 2017 Congreso Internacional de Innovación y Tendencias en Ingeniería (CONIITI), pp. 1–5. IEEE (October 2017)

  22. Evans, C., Palmer, C., Sleevi, R.: Public Key Pinning Extension for HTTP. RFC 7469 (2015)

  23. Parmar, H., Gosai, A.: Analysis and study of network security at transport layer. Int. J. Comput. Appl. 121(13), 35–40 (2015). https://doi.org/10.5120/21604-4716

  24. Sullivan, N.T., Sharma, R.D., Lackey, R., Lin, Z.: U.S. Patent Application No. 14/967,156 (2017)

  25. Sugavanesh, B., Hari Prasath, R., Selvakumar, S.: SHS-HTTPS enforcer: enforcing HTTPS and preventing MITM attacks. ACM SIGSOFT Softw. Eng. Notes 38(6), 1–4 (2013)

  26. Vikan, D.E.: TLS and the future of authentication. Master's thesis, NTNU (2015)

  27. Buchanan, W.J., Helme, S., Woodward, A.: Analysis of the adoption of security headers in HTTP. IET Information Security (2017)

  28. Adeloye, B.: HTTP man-in-the-middle code execution (2013)

  29. Swanink, R., Poll, E., Schwabe, P.: Persistent effects of man-in-the-middle attacks, pp. 1–43. Radboud University (2016)

  30. Park, S., Park, S., Yun, I., Kim, D., Kim, Y.: Analyzing security of Korean USIM-based PKI certificate service. In: Rhee, K.-H., Yi, J.H. (eds.) Information Security Applications, pp. 95–106. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-15087-1_8

  31. Kranch, M., Bonneau, J.: Upgrading HTTPS in mid-air: an empirical study of strict transport security and key pinning. In: NDSS (February 2015)

  32. Dolnák, I., Litvik, J.: Introduction to HTTP security headers and implementation of HTTP strict transport security (HSTS) header for HTTPS enforcing. In: 2017 15th International Conference on Emerging eLearning Technologies and Applications (ICETA), pp. 1–4. IEEE (October 2017)

  33. de los Santos, S., Torrano, C., Rubio, Y., Brezo, F.: Implementation state of HSTS and HPKP in both browsers and servers. In: Foresti, S., Persiano, G. (eds.) CANS 2016. LNCS, vol. 10052, pp. 192–207. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-48965-0_12

  34. Pineda, S., Matta, J., Torres, J., Díaz-Piraquive, F.N.: Blockchain: Estrategia en la Seguridad e Integridad de los Sistemas de Información de la Policía Nacional. In: Desafíos en Ingeniería: Investigación Aplicada. Ediciones Fundación Tecnológica Antonio Arévalo TECNAR (2019)

  35. De La Espriella, L., García, J., Díaz-Piraquive, F.N.: La Sextorsión: Prácticas de Ingeniería Social en las Redes Sociales. In: Desafíos en Ingeniería: Investigación Aplicada. Ediciones Fundación Tecnológica Antonio Arévalo TECNAR (2019)

  36. Bautista, V., López, A., Díaz-Piraquive, F.N.: Modelo ISO/IEC 25010 en el Proceso de Evaluación de la Calidad del Software en la Empresa Obras Civiles de Bogotá en el Área de Tecnología de la Información y Comunicación. In: Desafíos en Ingeniería: Investigación Aplicada. Ediciones Fundación Tecnológica Antonio Arévalo TECNAR (2019)

  37. Zubieta, K., López, A., Díaz-Piraquive, F.N.: Auditoría para los Procesos de Pruebas y Calidad del Software del Proyecto Comisiones Callidus Accenture Colombia basada en la Norma ISO 9001:2015. In: Desafíos en Ingeniería: Investigación Aplicada. Ediciones Fundación Tecnológica Antonio Arévalo TECNAR (2019)

  38. Pisso, A., López, A., Díaz-Piraquive, F.N.: Plan de mejoramiento para el fortalecimiento de competencias del auditor mediante el uso de tecnologías de la información. In: Desafíos en Ingeniería: Investigación Aplicada. Ediciones Fundación Tecnológica Antonio Arévalo TECNAR (2019)

Author information

Corresponding authors

Correspondence to Raúl Bareño-Gutiérrez, Alexandra María López Sevillano, Flor Nancy Díaz-Piraquive or Ruben González-Crespo.

Copyright information

© 2021 Springer Nature Switzerland AG

About this paper

Cite this paper

Bareño-Gutiérrez, R., Sevillano, A.M.L., Díaz-Piraquive, F.N., González-Crespo, R. (2021). Analysis of WEB Browsers of HSTS Security Under the MITM Management Environment. In: Uden, L., Ting, IH., Wang, K. (eds) Knowledge Management in Organizations. KMO 2021. Communications in Computer and Information Science, vol 1438. Springer, Cham. https://doi.org/10.1007/978-3-030-81635-3_27

  • DOI: https://doi.org/10.1007/978-3-030-81635-3_27

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-81634-6

  • Online ISBN: 978-3-030-81635-3
