Man-in-the-browser-cache: Persisting HTTPS attacks via browser cache poisoning
In this paper, we present a systematic study of browser cache poisoning (BCP) attacks, wherein a network attacker performs a one-time Man-In-The-Middle (MITM) attack on a user's HTTPS session, and substitutes cached resources with malicious ones. We investigate the feasibility of such attacks o...
Detailed description
Author: |
Yaoqi Jia [author] |
---|
Format: |
Article |
---|---|
Language: |
English |
Published: |
2015 |
---|
Rights information: |
Usage rights: © COPYRIGHT 2015 Elsevier B.V. |
---|
Keywords: |
---|
Parent work: |
Contained in: Computers & security - Kidlington, Oxford : Elsevier, 1982, 55(2015), pages 62-80 |
---|---|
Parent work: |
volume:55 ; year:2015 ; pages:62-80 |
Links: |
---|
DOI / URN: |
10.1016/j.cose.2015.07.004 |
---|
Catalogue ID: |
OLC1968932836 |
---|
LEADER | 01000caa a2200265 4500 | ||
---|---|---|---|
001 | OLC1968932836 | ||
003 | DE-627 | ||
005 | 20230714173322.0 | ||
007 | tu | ||
008 | 160206s2015 xx ||||| 00| ||eng c | ||
024 | 7 | |a 10.1016/j.cose.2015.07.004 |2 doi | |
028 | 5 | 2 | |a PQ20160617 |
035 | |a (DE-627)OLC1968932836 | ||
035 | |a (DE-599)GBVOLC1968932836 | ||
035 | |a (PRQ)c2426-b74126a2fb93a54978642d40503f229c573510da799554cb62b5d2ea2e171d6c0 | ||
035 | |a (KEY)0111913320150000055000000062maninthebrowsercachepersistinghttpsattacksviabrows | ||
040 | |a DE-627 |b ger |c DE-627 |e rakwb | ||
041 | |a eng | ||
082 | 0 | 4 | |a 004 |q DNB |
100 | 0 | |a Yaoqi Jia |e verfasserin |4 aut | |
245 | 1 | 0 | |a Man-in-the-browser-cache: Persisting HTTPS attacks via browser cache poisoning |
264 | 1 | |c 2015 | |
336 | |a Text |b txt |2 rdacontent | ||
337 | |a ohne Hilfsmittel zu benutzen |b n |2 rdamedia | ||
338 | |a Band |b nc |2 rdacarrier | ||
520 | |a In this paper, we present a systematic study of browser cache poisoning (BCP) attacks, wherein a network attacker performs a one-time Man-In-The-Middle (MITM) attack on a user's HTTPS session, and substitutes cached resources with malicious ones. We investigate the feasibility of such attacks on five mainstream desktop browsers and 16 popular mobile browsers. We find that browsers are highly inconsistent in their caching policies for loading resources over SSL connections with invalid certificates. In particular, the majority of desktop browsers (99% of the market share) and popular mobile browsers (over a billion user downloads) are affected by BCP attacks to a large extent. Existing solutions for safeguarding HTTPS sessions fail to provide comprehensive defense against this threat. We provide guidelines for users and browser vendors to defeat BCP attacks. Meanwhile, we propose defense techniques for website developers to mitigate an important subset of BCP attacks on existing browsers without cooperation of users and browser vendors. We have reported our findings to browser vendors and confirmed the vulnerabilities. For example, Google has acknowledged the vulnerability we reported in Chrome's HTML5 AppCache and has fixed the problem according to our suggestion. | ||
540 | |a Nutzungsrecht: © COPYRIGHT 2015 Elsevier B.V. | ||
650 | 4 | |a Cache | |
650 | 4 | |a Web browsers | |
650 | 4 | |a Studies | |
650 | 4 | |a Secure Sockets Layer protocol | |
650 | 4 | |a Internet Protocol | |
650 | 4 | |a Network security | |
700 | 0 | |a Yue Chen |4 oth | |
700 | 0 | |a Xinshu Dong |4 oth | |
700 | 0 | |a Prateek Saxena |4 oth | |
700 | 0 | |a Jian Mao |4 oth | |
700 | 0 | |a Zhenkai Liang |4 oth | |
773 | 0 | 8 | |i Enthalten in |t Computers & security |d Kidlington, Oxford : Elsevier, 1982 |g 55(2015), Seite 62-80 |w (DE-627)130549738 |w (DE-600)782630-8 |w (DE-576)016107063 |x 0167-4048 |7 nnns |
773 | 1 | 8 | |g volume:55 |g year:2015 |g pages:62-80 |
856 | 4 | 1 | |u http://dx.doi.org/10.1016/j.cose.2015.07.004 |3 Volltext |
856 | 4 | 2 | |u http://search.proquest.com/docview/1733195049 |
912 | |a GBV_USEFLAG_A | ||
912 | |a SYSFLAG_A | ||
912 | |a GBV_OLC | ||
912 | |a SSG-OLC-MAT | ||
912 | |a GBV_ILN_21 | ||
912 | |a GBV_ILN_70 | ||
912 | |a GBV_ILN_130 | ||
912 | |a GBV_ILN_4247 | ||
912 | |a GBV_ILN_4318 | ||
951 | |a AR | ||
952 | |d 55 |j 2015 |h 62-80 |
author_variant |
y j yj |
---|---|
matchkey_str |
article:01674048:2015----::aiterwecceessigtpatcsibo |
hierarchy_sort_str |
2015 |
publishDate |
2015 |
language |
English |
source |
Enthalten in Computers & security 55(2015), Seite 62-80 volume:55 year:2015 pages:62-80 |
sourceStr |
Enthalten in Computers & security 55(2015), Seite 62-80 volume:55 year:2015 pages:62-80 |
format_phy_str_mv |
Article |
institution |
findex.gbv.de |
topic_facet |
Cache Web browsers Studies Secure Sockets Layer protocol Internet Protocol Network security |
dewey-raw |
004 |
isfreeaccess_bool |
false |
container_title |
Computers & security |
authorswithroles_txt_mv |
Yaoqi Jia @@aut@@ Yue Chen @@oth@@ Xinshu Dong @@oth@@ Prateek Saxena @@oth@@ Jian Mao @@oth@@ Zhenkai Liang @@oth@@ |
publishDateDaySort_date |
2015-01-01T00:00:00Z |
hierarchy_top_id |
130549738 |
dewey-sort |
14 |
id |
OLC1968932836 |
language_de |
englisch |
author |
Yaoqi Jia |
spellingShingle |
Yaoqi Jia ddc 004 misc Cache misc Web browsers misc Studies misc Secure Sockets Layer protocol misc Internet Protocol misc Network security Man-in-the-browser-cache: Persisting HTTPS attacks via browser cache poisoning |
authorStr |
Yaoqi Jia |
ppnlink_with_tag_str_mv |
@@773@@(DE-627)130549738 |
format |
Article |
dewey-ones |
004 - Data processing & computer science |
delete_txt_mv |
keep |
author_role |
aut |
collection |
OLC |
remote_str |
false |
illustrated |
Not Illustrated |
issn |
0167-4048 |
topic_title |
004 DNB Man-in-the-browser-cache: Persisting HTTPS attacks via browser cache poisoning Cache Web browsers Studies Secure Sockets Layer protocol Internet Protocol Network security |
topic |
ddc 004 misc Cache misc Web browsers misc Studies misc Secure Sockets Layer protocol misc Internet Protocol misc Network security |
topic_unstemmed |
ddc 004 misc Cache misc Web browsers misc Studies misc Secure Sockets Layer protocol misc Internet Protocol misc Network security |
topic_browse |
ddc 004 misc Cache misc Web browsers misc Studies misc Secure Sockets Layer protocol misc Internet Protocol misc Network security |
format_facet |
Aufsätze Gedruckte Aufsätze |
format_main_str_mv |
Text Zeitschrift/Artikel |
carriertype_str_mv |
nc |
author2_variant |
y c yc x d xd p s ps j m jm z l zl |
hierarchy_parent_title |
Computers & security |
hierarchy_parent_id |
130549738 |
dewey-tens |
000 - Computer science, knowledge & systems |
hierarchy_top_title |
Computers & security |
isfreeaccess_txt |
false |
familylinks_str_mv |
(DE-627)130549738 (DE-600)782630-8 (DE-576)016107063 |
title |
Man-in-the-browser-cache: Persisting HTTPS attacks via browser cache poisoning |
ctrlnum |
(DE-627)OLC1968932836 (DE-599)GBVOLC1968932836 (PRQ)c2426-b74126a2fb93a54978642d40503f229c573510da799554cb62b5d2ea2e171d6c0 (KEY)0111913320150000055000000062maninthebrowsercachepersistinghttpsattacksviabrows |
title_full |
Man-in-the-browser-cache: Persisting HTTPS attacks via browser cache poisoning |
author_sort |
Yaoqi Jia |
journal |
Computers & security |
journalStr |
Computers & security |
lang_code |
eng |
isOA_bool |
false |
dewey-hundreds |
000 - Computer science, information & general works |
recordtype |
marc |
publishDateSort |
2015 |
contenttype_str_mv |
txt |
container_start_page |
62 |
author_browse |
Yaoqi Jia |
container_volume |
55 |
class |
004 DNB |
format_se |
Aufsätze |
author-letter |
Yaoqi Jia |
doi_str_mv |
10.1016/j.cose.2015.07.004 |
dewey-full |
004 |
title_sort |
man-in-the-browser-cache: persisting https attacks via browser cache poisoning |
title_auth |
Man-in-the-browser-cache: Persisting HTTPS attacks via browser cache poisoning |
abstract |
In this paper, we present a systematic study of browser cache poisoning (BCP) attacks, wherein a network attacker performs a one-time Man-In-The-Middle (MITM) attack on a user's HTTPS session, and substitutes cached resources with malicious ones. We investigate the feasibility of such attacks on five mainstream desktop browsers and 16 popular mobile browsers. We find that browsers are highly inconsistent in their caching policies for loading resources over SSL connections with invalid certificates. In particular, the majority of desktop browsers (99% of the market share) and popular mobile browsers (over a billion user downloads) are affected by BCP attacks to a large extent. Existing solutions for safeguarding HTTPS sessions fail to provide comprehensive defense against this threat. We provide guidelines for users and browser vendors to defeat BCP attacks. Meanwhile, we propose defense techniques for website developers to mitigate an important subset of BCP attacks on existing browsers without cooperation of users and browser vendors. We have reported our findings to browser vendors and confirmed the vulnerabilities. For example, Google has acknowledged the vulnerability we reported in Chrome's HTML5 AppCache and has fixed the problem according to our suggestion. |
collection_details |
GBV_USEFLAG_A SYSFLAG_A GBV_OLC SSG-OLC-MAT GBV_ILN_21 GBV_ILN_70 GBV_ILN_130 GBV_ILN_4247 GBV_ILN_4318 |
title_short |
Man-in-the-browser-cache: Persisting HTTPS attacks via browser cache poisoning |
url |
http://dx.doi.org/10.1016/j.cose.2015.07.004 http://search.proquest.com/docview/1733195049 |
remote_bool |
false |
author2 |
Yue Chen Xinshu Dong Prateek Saxena Jian Mao Zhenkai Liang |
author2Str |
Yue Chen Xinshu Dong Prateek Saxena Jian Mao Zhenkai Liang |
ppnlink |
130549738 |
mediatype_str_mv |
n |
isOA_txt |
false |
hochschulschrift_bool |
false |
author2_role |
oth oth oth oth oth |
doi_str |
10.1016/j.cose.2015.07.004 |
up_date |
2024-07-04T04:29:50.270Z |
_version_ |
1803621383817658368 |
fullrecord_marcxml |
<?xml version="1.0" encoding="UTF-8"?><collection xmlns="http://www.loc.gov/MARC21/slim"><record><leader>01000caa a2200265 4500</leader><controlfield tag="001">OLC1968932836</controlfield><controlfield tag="003">DE-627</controlfield><controlfield tag="005">20230714173322.0</controlfield><controlfield tag="007">tu</controlfield><controlfield tag="008">160206s2015 xx ||||| 00| ||eng c</controlfield><datafield tag="024" ind1="7" ind2=" "><subfield code="a">10.1016/j.cose.2015.07.004</subfield><subfield code="2">doi</subfield></datafield><datafield tag="028" ind1="5" ind2="2"><subfield code="a">PQ20160617</subfield></datafield><datafield tag="035" ind1=" " ind2=" "><subfield code="a">(DE-627)OLC1968932836</subfield></datafield><datafield tag="035" ind1=" " ind2=" "><subfield code="a">(DE-599)GBVOLC1968932836</subfield></datafield><datafield tag="035" ind1=" " ind2=" "><subfield code="a">(PRQ)c2426-b74126a2fb93a54978642d40503f229c573510da799554cb62b5d2ea2e171d6c0</subfield></datafield><datafield tag="035" ind1=" " ind2=" "><subfield code="a">(KEY)0111913320150000055000000062maninthebrowsercachepersistinghttpsattacksviabrows</subfield></datafield><datafield tag="040" ind1=" " ind2=" "><subfield code="a">DE-627</subfield><subfield code="b">ger</subfield><subfield code="c">DE-627</subfield><subfield code="e">rakwb</subfield></datafield><datafield tag="041" ind1=" " ind2=" "><subfield code="a">eng</subfield></datafield><datafield tag="082" ind1="0" ind2="4"><subfield code="a">004</subfield><subfield code="q">DNB</subfield></datafield><datafield tag="100" ind1="0" ind2=" "><subfield code="a">Yaoqi Jia</subfield><subfield code="e">verfasserin</subfield><subfield code="4">aut</subfield></datafield><datafield tag="245" ind1="1" ind2="0"><subfield code="a">Man-in-the-browser-cache: Persisting HTTPS attacks via browser cache poisoning</subfield></datafield><datafield tag="264" ind1=" " ind2="1"><subfield code="c">2015</subfield></datafield><datafield tag="336" ind1=" " ind2=" 
"><subfield code="a">Text</subfield><subfield code="b">txt</subfield><subfield code="2">rdacontent</subfield></datafield><datafield tag="337" ind1=" " ind2=" "><subfield code="a">ohne Hilfsmittel zu benutzen</subfield><subfield code="b">n</subfield><subfield code="2">rdamedia</subfield></datafield><datafield tag="338" ind1=" " ind2=" "><subfield code="a">Band</subfield><subfield code="b">nc</subfield><subfield code="2">rdacarrier</subfield></datafield><datafield tag="520" ind1=" " ind2=" "><subfield code="a">In this paper, we present a systematic study of browser cache poisoning (BCP) attacks, wherein a network attacker performs a one-time Man-In-The-Middle (MITM) attack on a user's HTTPS session, and substitutes cached resources with malicious ones. We investigate the feasibility of such attacks on five mainstream desktop browsers and 16 popular mobile browsers. We find that browsers are highly inconsistent in their caching policies for loading resources over SSL connections with invalid certificates. In particular, the majority of desktop browsers (99% of the market share) and popular mobile browsers (over a billion user downloads) are affected by BCP attacks to a large extent. Existing solutions for safeguarding HTTPS sessions fail to provide comprehensive defense against this threat. We provide guidelines for users and browser vendors to defeat BCP attacks. Meanwhile, we propose defense techniques for website developers to mitigate an important subset of BCP attacks on existing browsers without cooperation of users and browser vendors. We have reported our findings to browser vendors and confirmed the vulnerabilities. 
For example, Google has acknowledged the vulnerability we reported in Chrome's HTML5 AppCache and has fixed the problem according to our suggestion.</subfield></datafield><datafield tag="540" ind1=" " ind2=" "><subfield code="a">Nutzungsrecht: © COPYRIGHT 2015 Elsevier B.V.</subfield></datafield><datafield tag="650" ind1=" " ind2="4"><subfield code="a">Cache</subfield></datafield><datafield tag="650" ind1=" " ind2="4"><subfield code="a">Web browsers</subfield></datafield><datafield tag="650" ind1=" " ind2="4"><subfield code="a">Studies</subfield></datafield><datafield tag="650" ind1=" " ind2="4"><subfield code="a">Secure Sockets Layer protocol</subfield></datafield><datafield tag="650" ind1=" " ind2="4"><subfield code="a">Internet Protocol</subfield></datafield><datafield tag="650" ind1=" " ind2="4"><subfield code="a">Network security</subfield></datafield><datafield tag="700" ind1="0" ind2=" "><subfield code="a">Yue Chen</subfield><subfield code="4">oth</subfield></datafield><datafield tag="700" ind1="0" ind2=" "><subfield code="a">Xinshu Dong</subfield><subfield code="4">oth</subfield></datafield><datafield tag="700" ind1="0" ind2=" "><subfield code="a">Prateek Saxena</subfield><subfield code="4">oth</subfield></datafield><datafield tag="700" ind1="0" ind2=" "><subfield code="a">Jian Mao</subfield><subfield code="4">oth</subfield></datafield><datafield tag="700" ind1="0" ind2=" "><subfield code="a">Zhenkai Liang</subfield><subfield code="4">oth</subfield></datafield><datafield tag="773" ind1="0" ind2="8"><subfield code="i">Enthalten in</subfield><subfield code="t">Computers &amp; security</subfield><subfield code="d">Kidlington, Oxford : Elsevier, 1982</subfield><subfield code="g">55(2015), Seite 62-80</subfield><subfield code="w">(DE-627)130549738</subfield><subfield code="w">(DE-600)782630-8</subfield><subfield code="w">(DE-576)016107063</subfield><subfield code="x">0167-4048</subfield><subfield code="7">nnns</subfield></datafield><datafield tag="773" ind1="1" 
ind2="8"><subfield code="g">volume:55</subfield><subfield code="g">year:2015</subfield><subfield code="g">pages:62-80</subfield></datafield><datafield tag="856" ind1="4" ind2="1"><subfield code="u">http://dx.doi.org/10.1016/j.cose.2015.07.004</subfield><subfield code="3">Volltext</subfield></datafield><datafield tag="856" ind1="4" ind2="2"><subfield code="u">http://search.proquest.com/docview/1733195049</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_USEFLAG_A</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">SYSFLAG_A</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_OLC</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">SSG-OLC-MAT</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_ILN_21</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_ILN_70</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_ILN_130</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_ILN_4247</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_ILN_4318</subfield></datafield><datafield tag="951" ind1=" " ind2=" "><subfield code="a">AR</subfield></datafield><datafield tag="952" ind1=" " ind2=" "><subfield code="d">55</subfield><subfield code="j">2015</subfield><subfield code="h">62-80</subfield></datafield></record></collection>
|