Abstract
A new Man-in-the-Middle (MitM) attack called SSLStrip poses a serious threat to the security of the Secure Socket Layer (SSL) protocol. Although several schemes have been proposed to resist this attack, no practical countermeasure exists so far. To withstand the SSLStrip attack, in this paper we propose a scheme named Cookie-Proxy, consisting of a secure cookie protocol and a new topology structure. The topology structure is composed of a proxy pattern and a reverse proxy pattern. Experimental results and a formal security proof using SVO logic show that our scheme is effective in preventing the SSLStrip attack. Moreover, our scheme incurs little extra time cost and little extra communication cost compared with previous secure cookie protocols.
Copyright information
© 2012 Springer-Verlag Berlin Heidelberg
Cite this paper
Zhao, S., Wang, D., Zhao, S., Yang, W., Ma, C. (2012). Cookie-Proxy: A Scheme to Prevent SSLStrip Attack. In: Chim, T.W., Yuen, T.H. (eds) Information and Communications Security. ICICS 2012. Lecture Notes in Computer Science, vol 7618. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-34129-8_34
DOI: https://doi.org/10.1007/978-3-642-34129-8_34
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-34128-1
Online ISBN: 978-3-642-34129-8