A Dangerous Mix: Large-Scale Analysis of Mixed-Content Websites

  • Ping Chen
  • Nick Nikiforakis
  • Christophe Huygens
  • Lieven Desmet
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7807)

Abstract

In this paper, we investigate the current state of practice regarding mixed-content websites: websites that are accessed over HTTPS, yet include some additional resources over plain HTTP. Through a large-scale experiment, we show that about half of the Internet's most popular websites currently use this practice and are thus vulnerable to a wide range of attacks, including the stealing of cookies and the injection of malicious JavaScript in the context of the vulnerable websites. Additionally, we investigate the default behavior of browsers on mobile devices and show that most of them, by default, allow the rendering of mixed content, which demonstrates that hundreds of thousands of mobile users are currently vulnerable to MITM attacks.
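The practice the abstract describes is detectable statically: a page delivered over HTTPS is mixed content as soon as any sub-resource it references carries an explicit http:// scheme, and the severity depends on whether that resource is active (script, stylesheet, iframe, object, which hand a network attacker code execution in the page's origin) or passive (images and media, which the attacker can only swap). The scanner below is an added example written for this page, not code from the paper or its authors; the HTML it scans and the hostnames in it (static.example, cdn.example, img.example) are constructed for illustration.

```python
"""Static mixed-content scanner for an HTML document that was served over HTTPS.

A sub-resource is mixed content when its URL uses the plain http: scheme.
Relative URLs ("/logo.png") and scheme-relative URLs ("//cdn/x.js") inherit
the page's https: scheme and are therefore safe.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tag/attribute pairs that load sub-resources, split the way browser
# mixed-content blockers split them: active content runs in the page's
# origin, passive content is only displayed.
ACTIVE = {
    ("script", "src"),
    ("iframe", "src"),
    ("object", "data"),
    ("embed", "src"),
    ("link", "href"),  # only when rel contains "stylesheet"; checked below
}
PASSIVE = {
    ("img", "src"),
    ("audio", "src"),
    ("video", "src"),
    ("source", "src"),
}

# Constructed sample page (hostnames are placeholders, not real sites).
SAMPLE_PAGE = """
<html><head>
  <link rel="stylesheet" href="http://static.example/site.css">
  <link rel="icon" href="http://static.example/favicon.ico">
  <script src="//cdn.example/jquery.js"></script>
  <script async src="http://cdn.example/analytics.js"></script>
</head><body>
  <img src="http://img.example/banner.png">
  <img src="/local/logo.png">
  <a href="http://partner.example/">Partner</a>
  <iframe src="https://ads.example/frame"></iframe>
</body></html>
"""


def is_insecure(url: str) -> bool:
    """True when fetching this URL from an HTTPS page would use plain HTTP."""
    return urlsplit(url.strip()).scheme.lower() == "http"


class MixedContentScanner(HTMLParser):
    """Collects (category, tag, url) for every http:// sub-resource."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser hands attrs as (name, value) pairs; value is None for
        # bare attributes such as "async".
        attrs = dict(attrs)
        for attr in ("src", "href", "data"):
            url = attrs.get(attr)
            if not url or not is_insecure(url):
                continue
            if (tag, attr) in ACTIVE:
                # <link> is only a sub-resource load when it is a stylesheet;
                # icons and prefetch hints are not executed in the page.
                rel = (attrs.get("rel") or "").lower()
                if tag == "link" and "stylesheet" not in rel:
                    continue
                self.findings.append(("active", tag, url))
            elif (tag, attr) in PASSIVE:
                self.findings.append(("passive", tag, url))


def scan(html: str):
    """Return the list of mixed-content findings for one HTML document."""
    parser = MixedContentScanner()
    parser.feed(html)
    parser.close()
    return parser.findings


def summarize(findings):
    """Count findings per category, e.g. {"active": 2, "passive": 1}."""
    counts = {}
    for category, _tag, _url in findings:
        counts[category] = counts.get(category, 0) + 1
    return counts


if __name__ == "__main__":
    results = scan(SAMPLE_PAGE)
    for category, tag, url in results:
        print(f"{category:8s} <{tag}> {url}")
    print(summarize(results))
```

On the sample page the two active findings (the stylesheet and the analytics script) are the ones that matter: a MITM attacker who rewrites either response controls the page's origin, cookies included. The protocol-relative jQuery reference and the relative logo path are not reported, which is also the fix for the flagged lines: reference sub-resources with https:// or scheme-relative URLs. Anchor links (`<a href>`) are deliberately ignored, since following them is a top-level navigation rather than a sub-resource load.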

Keywords

Content Provider, Resource Provider, Internet Explorer, Mixed Content, MITM Attack

Acknowledgements

This research is partially funded by the Research Fund KU Leuven, iMinds, IWT, and by the EU FP7 projects WebSand, NESSoS and STREWS. With the financial support from the Prevention of and Fight against Crime Programme of the European Union (B-CCENTRE).


Copyright information

© Springer International Publishing Switzerland 2015

Authors and Affiliations

  • Ping Chen (1)
  • Nick Nikiforakis (1)
  • Christophe Huygens (1)
  • Lieven Desmet (1)

  1. iMinds-DistriNet, KU Leuven, Leuven, Belgium
