European Symposium on Research in Computer Security

ESORICS 2012: Computer Security – ESORICS 2012 pp 199–216Cite as

Trust No One Else: Detecting MITM Attacks against SSL/TLS without Third-Parties


  • Italo Dacosta
  • Mustaque Ahamad
  • Patrick Traynor

Conference paper

Part of the Lecture Notes in Computer Science book series (LNSC,volume 7459)

Abstract

The security guarantees provided by SSL/TLS depend on the correct authentication of servers through certificates signed by a trusted authority. However, as recent incidents have demonstrated, trust in these authorities is not well placed. Increasingly, certificate authorities (by coercion or compromise) have been creating forged certificates for a range of adversaries, allowing seemingly secure communications to be intercepted via man-in-the-middle (MITM) attacks. A variety of solutions have been proposed, but their complexity and deployment costs have hindered their adoption. In this paper, we propose Direct Validation of Certificates (DVCert), a novel protocol that, instead of relying on third parties for certificate validation, allows domains to directly and securely vouch for their certificates using previously established user authentication credentials. By relying on a robust cryptographic construction, this relatively simple means of enhancing server identity validation is not only efficient and comparatively easy to deploy, but it also solves other limitations of third-party solutions. Our extensive experimental analysis on both desktop and mobile platforms shows that DVCert transactions require little computation time on the server (e.g., less than 1 ms) and are unlikely to degrade server performance or user experience. In short, we provide a robust and practical mechanism to enhance server authentication and protect web applications from MITM attacks against SSL/TLS.

Keywords

  • Shared Secret
  • Server Authentication
  • Secure Socket Layer
  • Transport Layer Security
  • Identity Provider

These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.



Author information

Authors and Affiliations

  1. Converging Infrastructure Security (CISEC) Laboratory, Georgia Tech Information Security Center (GTISC), Georgia Institute of Technology, USA

    Italo Dacosta, Mustaque Ahamad & Patrick Traynor


Editor information

Editors and Affiliations

  1. Dipartimento di Informatica, Università degli Studi di Milano, Via Bramante 65, 26013, Crema, Italy

    Sara Foresti

  2. Computer Science Department, Columbia University, 1214 Amsterdam Avenue, 10025, New York, NY, US

    Moti Yung

  3. Institute of Informatics and Telematics, Information Security Group, National Research Council, Pisa Research Area, Via G. Moruzzi 1, 56125, Pisa, Italy

    Fabio Martinelli


Copyright information

© 2012 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Dacosta, I., Ahamad, M., Traynor, P. (2012). Trust No One Else: Detecting MITM Attacks against SSL/TLS without Third-Parties. In: Foresti, S., Yung, M., Martinelli, F. (eds) Computer Security – ESORICS 2012. ESORICS 2012. Lecture Notes in Computer Science, vol 7459. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-33167-1_12

  • DOI: https://doi.org/10.1007/978-3-642-33167-1_12

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-33166-4

  • Online ISBN: 978-3-642-33167-1

