That's the Way the Cookie Crumbles: Evaluating HTTPS Enforcing Mechanisms

Title: That's the Way the Cookie Crumbles: Evaluating HTTPS Enforcing Mechanisms
Publication Type: Conference Paper
Year of Publication: 2016
Authors: Sivakorn, Suphannee; Keromytis, Angelos D.; Polakis, Jason
Conference Name: Proceedings of the 2016 ACM on Workshop on Privacy in the Electronic Society
Date Published: October 2016
Publisher: ACM
Conference Location: New York, NY, USA
ISBN Number: 978-1-4503-4569-9
Keywords: anonymity, anonymity in wireless networks, browser security, composability, eavesdropping, HTTP strict transport security, HTTPS, HTTPS Everywhere, Human Behavior, Metrics, privacy, pubcrawl, Resiliency, web security
Abstract:

Recent incidents have once again brought the topic of encryption into public discourse, while researchers continue to demonstrate attacks that highlight the difficulty of implementing encryption correctly even without the presence of "backdoors". However, apart from the threat of implementation flaws in encryption libraries, another significant threat arises when web services fail to enforce ubiquitous encryption. A recent study explored this phenomenon in popular services and demonstrated how users are exposed to cookie hijacking attacks with severe privacy implications. Many security mechanisms purport to eliminate this problem, ranging from server-controlled options such as HSTS to user-controlled options such as HTTPS Everywhere and other browser extensions. In this paper, we create a taxonomy of the available mechanisms and evaluate how they perform in practice. We design an automated testing framework for these mechanisms and evaluate them using a dataset of 30 days of HTTP requests collected from the public wireless network of our university's campus. We find that all mechanisms suffer from implementation flaws or deployment issues, and we argue that, as long as servers continue not to support ubiquitous encryption across their entire domain (including all subdomains), no mechanism can effectively protect users from cookie hijacking and information leakage.

URL: https://dl.acm.org/doi/10.1145/2994620.2994638
DOI: 10.1145/2994620.2994638
Citation Key: sivakorn_thats_2016