Visible to the public Biblio

Filters: Keyword is Certificate Validation  [Clear All Filters]
2022-12-20
Şimşek, Merve Melis, Ergun, Tamer, Temuçin, Hüseyin.  2022.  SSL Test Suite: SSL Certificate Test Public Key Infrastructure. 2022 30th Signal Processing and Communications Applications Conference (SIU). :1–4.
Today, many internet-based applications, especially e-commerce and banking applications, require the transfer of personal data and sensitive data such as credit card information, and in this process, all operations are carried out over the Internet. Users frequently perform these transactions, which require high security, on web sites they access via web browsers. This makes the browser one of the most basic software on the Internet. The security of the communication between the user and the website is provided with SSL certificates, which is used for server authentication. Certificates issued by Certificate Authorities (CA) that have passed international audits must meet certain conditions. The criteria for the issuance of certificates are defined in the Baseline Requirements (BR) document published by the Certificate Authority/Browser (CA/B) Forum, which is accepted as the authority in the WEB Public Key Infrastructure (WEB PKI) ecosystem. Issuing the certificates in accordance with the defined criteria is not sufficient on its own to establish a secure SSL connection. In order to ensure a secure connection and confirm the identity of the website, the certificate validation task falls to the web browsers with which users interact the most. In this study, a comprehensive SSL certificate public key infrastructure (SSL Test Suite) was established to test the behavior of web browsers against certificates that do not comply with BR requirements. With the designed test suite, it is aimed to analyze the certificate validation behaviors of web browsers effectively.
ISSN: 2165-0608
2019-10-30
Meng, Na, Nagy, Stefan, Yao, Danfeng, Zhuang, Wenjie, Arango-Argoty, Gustavo.  2018.  Secure Coding Practices in Java: Challenges and Vulnerabilities. 2018 IEEE/ACM 40th International Conference on Software Engineering (ICSE). :372-383.

The Java platform and its third-party libraries provide useful features to facilitate secure coding. However, misusing them can cost developers time and effort, as well as introduce security vulnerabilities in software. We conducted an empirical study on StackOverflow posts, aiming to understand developers' concerns on Java secure coding, their programming obstacles, and insecure coding practices. We observed a wide adoption of the authentication and authorization features provided by Spring Security - a third-party framework designed to secure enterprise applications. We found that programming challenges are usually related to APIs or libraries, including the complicated cross-language data handling of cryptography APIs, and the complex Java-based or XML-based approaches to configure Spring Security. In addition, we reported multiple security vulnerabilities in the suggested code of accepted answers on the StackOverflow forum. The vulnerabilities included disabling the default protection against Cross-Site Request Forgery (CSRF) attacks, breaking SSL/TLS security through bypassing certificate validation, and using insecure cryptographic hash functions. Our findings reveal the insufficiency of secure coding assistance and documentation, as well as the huge gap between security theory and coding practices.

2017-12-20
Wazan, A. S., Laborde, R., Chadwick, D. W., Barrere, F., Benzekri, A..  2017.  TLS Connection Validation by Web Browsers: Why do Web Browsers Still Not Agree? 2017 IEEE 41st Annual Computer Software and Applications Conference (COMPSAC). 1:665–674.
The TLS protocol is the primary technology used for securing web transactions. It is based on X.509 certificates that are used for binding the identity of web servers' owners to their public keys. Web browsers perform the validation of X.509 certificates on behalf of Web users. Our previous research in 2009 showed that the validation process of Web browsers is inconsistent and flawed. We showed how this situation might have a negative impact on Web users. From 2009 until now, many new X.509 related standards have been created or updated. In this paper, we performed an increased set of experiments over our 2009 study in order to highlight the improvements and/or regressions in Web browsers' behaviours.