IEEE Symposium on Security and Privacy, May 2009. Shuo Chen, Ziqing Mao, Yi-Min Wang, Ming Zhang. Microsoft Research, Purdue University. May 20th, 2009.


Slide 2: HTTPS: end-to-end secure protocol for web traffic. Adversary assumption: MITM (man-in-the-middle). [Diagram: browser, proxy, Internet, HTTPS server, SSL tunnel.] Are today's browser implementations consistent with this assumption?

Slide 3: Key finding: a class of browser vulnerabilities; a proxy can defeat the end-to-end security promised by HTTPS (demo). Vulnerabilities exist in all major browsers. Industry outreach: technical work finished in summer 2007; paper withheld until this conference; worked with all vendors to address the issues.

Slide 4: [Diagram: browser (rendering modules, HTTP/HTTPS, TCP/IP), PBP, HTTPS server. Labels: unencrypted; SSL tunnel, encrypted; HTTP/HTTPS.]

Slide 5: Key issue: browsers load unencrypted content from the proxy in the HTTPS context of the victim server.
Attack 1: Proxy's error response
Attack 2: Proxy's redirection
Attack 3: HTTP-intended pages that are HTTPS loadable
Attack 4: Visual context (GUI behavior, no script)
