
A Dangerous Mix: Large-Scale Analysis of Mixed-Content Websites

Part of the Lecture Notes in Computer Science book series (LNSC, volume 7807)

Abstract

In this paper, we investigate the current state of practice regarding mixed-content websites: websites that are accessed over HTTPS yet include some additional resources over plain HTTP. Through a large-scale experiment, we show that about half of the Internet's most popular websites currently follow this practice and are thus vulnerable to a wide range of attacks, including the theft of cookies and the injection of malicious JavaScript in the context of the vulnerable websites. Additionally, we investigate the default behavior of browsers on mobile devices and show that most of them, by default, allow the rendering of mixed content, which demonstrates that hundreds of thousands of mobile users are currently vulnerable to MITM attacks.
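The abstract describes the condition (an HTTPS page that pulls some sub-resources over HTTP) without showing how one would detect it on a given page. The scanner below is an added example, not code from the paper or its authors; it uses only the Python standard library and a constructed sample page whose hostnames are hypothetical. It follows the active/passive split that the browser vendors' mixed-content blocking [8, 9] is built on: scripts, frames, objects and stylesheets fetched over HTTP let a MITM run code in the HTTPS origin, while HTTP images, audio and video only let the attacker substitute media.

```python
"""Static mixed-content scanner: find http:// sub-resources in an HTTPS page.

Added example, not code from the paper. Standard library only; the sample
page (SAMPLE_PAGE) is constructed and every hostname in it is made up.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# "Active" mixed content: an attacker who tampers with the HTTP response
# runs code in the HTTPS page's origin. Browsers block these by default.
ACTIVE = {
    "script": ("src",),
    "iframe": ("src",),
    "frame": ("src",),
    "object": ("data",),
    "embed": ("src",),
    "link": ("href",),       # only counted when rel contains "stylesheet"
}
# "Passive" mixed content: the attacker can substitute the media but not
# run script. Browsers render these, usually with a downgraded lock icon.
PASSIVE = {
    "img": ("src",),
    "audio": ("src",),
    "video": ("src", "poster"),
    "source": ("src",),
}


class MixedContentScanner(HTMLParser):
    """Collects (severity, tag, absolute_url) for every plain-http sub-resource."""

    def __init__(self, page_url):
        super().__init__()
        if urlsplit(page_url).scheme != "https":
            raise ValueError("mixed content is only defined for https pages")
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "link":
            rel = (attrs.get("rel") or "").lower().split()
            if "stylesheet" not in rel:
                return          # icon, canonical, etc. are not loaded as content
        for severity, table in (("active", ACTIVE), ("passive", PASSIVE)):
            for attr in table.get(tag, ()):
                value = attrs.get(attr)
                if value:
                    self._check(severity, tag, value.strip())

    def _check(self, severity, tag, value):
        # urljoin resolves relative ("/a.png") and scheme-relative ("//cdn/a.js")
        # references against the https page, so only explicit http:// URLs
        # survive as findings.
        absolute = urljoin(self.page_url, value)
        if urlsplit(absolute).scheme == "http":
            self.findings.append((severity, tag, absolute))


def scan(page_url, html):
    """Return the list of mixed-content findings in document order."""
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def has_active_mixed_content(page_url, html):
    """True if the page includes any http:// script, frame, object or stylesheet."""
    return any(sev == "active" for sev, _, _ in scan(page_url, html))


# Constructed sample page; every hostname is made up for the example.
SAMPLE_PAGE = """<!doctype html>
<html><head>
<link rel="stylesheet" href="http://cdn.example.net/site.css">
<link rel="icon" href="http://cdn.example.net/favicon.ico">
<script src="//cdn.example.net/jquery.js"></script>
<script src="http://stats.example.org/tracker.js"></script>
</head><body>
<img src="http://img.example.net/logo.png">
<img src="/static/hero.png">
<iframe src="https://ads.example.com/frame"></iframe>
<video src="https://media.example.net/v.mp4" poster="http://img.example.net/poster.jpg"></video>
</body></html>"""

if __name__ == "__main__":
    for severity, tag, url in scan("https://www.example.com/", SAMPLE_PAGE):
        print(f"{severity:7s} <{tag}> {url}")
```

Run against the sample page it reports two active findings (the stylesheet and the tracker script) and two passive ones (the logo and the video poster); the scheme-relative jQuery reference and the site-relative image resolve to HTTPS and are correctly ignored. A static scan of this kind only sees what is in the markup: resources inserted by script at runtime or pulled in through CSS are missed, so for a real measurement the page URL should be the final URL after redirects and the static result should be confirmed in an instrumented browser, or with a report-only Content Security Policy [20].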

Keywords

  • Content Provider
  • Resource Provider
  • Internet Explorer
  • Mixed Content
  • MITM Attack



Notes

  1. Safari and Opera hold 8.39 % and 1.03 % of the market respectively, according to StatCounter's usage-share statistics for desktop browsers in June 2013 [6].

References

  1. Add support for Mixed Content Blocking - Android. https://bugzilla.mozilla.org/show_bug.cgi?id=860581

  2. BeEF - The Browser Exploitation Framework Project. http://beefproject.com/

  3. Bing Search API. http://datamarket.azure.com/dataset/bing/search

  4. “Only secure content is displayed” notification in Internet Explorer 9 or later. http://support.microsoft.com/kb/2625928

  5. SSL Pulse. https://www.trustworthyinternet.org/ssl-pulse/

  6. StatCounter. http://statcounter.com/

  7. Internet Explorer 8 Mixed Content Handling (2009). http://msdn.microsoft.com/en-us/library/ee264315(v=vs.85).aspx

  8. Ending mixed scripting vulnerabilities (2012). http://blog.chromium.org/2012/08/ending-mixed-scripting-vulnerabilities.html

  9. Mixed content blocking enabled in Firefox 23! (2013). https://blog.mozilla.org/tanvi/2013/04/10/mixed-content-blocking-enabled-in-firefox-23/

  10. Al Fardan, N.J., Paterson, K.G.: Lucky Thirteen: breaking the TLS and DTLS record protocols. In: IEEE Symposium on Security and Privacy, SP 2013, pp. 526–540 (2013)

  11. Amrutkar, C., Traynor, P., van Oorschot, P.C.: Measuring SSL indicators on mobile browsers: extended life, or end of the road? In: Gollmann, D., Freiling, F.C. (eds.) ISC 2012. LNCS, vol. 7483, pp. 86–103. Springer, Heidelberg (2012)

  12. Barth, A., Jackson, C., Mitchell, J.C.: Robust defenses for cross-site request forgery. In: Proceedings of the 15th ACM Conference on Computer and Communications Security, CCS 2008, pp. 75–88. ACM, New York, NY, USA (2008)

  13. Clark, J., van Oorschot, P.C.: SoK: SSL and HTTPS: revisiting past challenges and evaluating certificate trust model enhancements. In: IEEE Symposium on Security and Privacy, SP 2013, pp. 511–525 (2013)

  14. Heiderich, M., Niemietz, M., Schuster, F., Holz, T., Schwenk, J.: Scriptless attacks: stealing the pie without touching the sill. In: Proceedings of the 2012 ACM Conference on Computer and Communications Security, CCS 2012, pp. 760–771. ACM, New York, NY, USA (2012)

  15. Hodges, J., Jackson, C., Barth, A.: HTTP strict transport security (HSTS), IETF RFC (2012)

  16. Marlinspike, M.: New Tricks for Defeating SSL in Practice, Blackhat (2009)

  17. McAfee: TrustedSource Web Database. https://www.trustedsource.org/en/feedback/url

  18. Nikiforakis, N., Invernizzi, L., Kapravelos, A., van Acker, S., Joosen, W., Kruegel, C., Piessens, F., Vigna, G.: You are what you include: large-scale evaluation of remote JavaScript inclusions. In: Proceedings of the 2012 ACM Conference on Computer and Communications Security, CCS 2012, pp. 736–747. ACM, New York, NY, USA (2012)

  19. Rizzo, J., Duong, T.: CRIME: compression ratio info-leak made easy. In: ekoparty Security Conference (2012)

  20. Stamm, S., Sterne, B., Markham, G.: Reining in the web with content security policy. In: Proceedings of the 19th International Conference on World Wide Web, WWW 2010, pp. 921–930. ACM, New York, NY, USA (2010)

  21. Sunshine, J., Egelman, S., Almuhimedi, H., Atri, N., Cranor, L.F.: Crying Wolf: an empirical study of SSL warning effectiveness. In: Proceedings of the 18th USENIX Security Symposium, pp. 399–416 (2009)


Acknowledgements

This research is partially funded by the Research Fund KU Leuven, iMinds, IWT, and by the EU FP7 projects WebSand, NESSoS and STREWS. With the financial support from the Prevention of and Fight against Crime Programme of the European Union (B-CCENTRE).

Author information

Correspondence to Ping Chen.

Copyright information

© 2015 Springer International Publishing Switzerland

About this paper

Cite this paper

Chen, P., Nikiforakis, N., Huygens, C., Desmet, L. (2015). A Dangerous Mix: Large-Scale Analysis of Mixed-Content Websites. In: Desmedt, Y. (ed.) Information Security. Lecture Notes in Computer Science, vol 7807. Springer, Cham. https://doi.org/10.1007/978-3-319-27659-5_25

  • DOI: https://doi.org/10.1007/978-3-319-27659-5_25

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-27658-8

  • Online ISBN: 978-3-319-27659-5