Overview
Explore a comprehensive analysis of HTTPS vulnerabilities and their impact on web application security in this 20-minute IEEE conference talk. Delve into the complexities of SSL/TLS protocol suites and their susceptibility to various attacks. Examine the first systematic quantitative evaluation of web application insecurity due to cryptographic vulnerabilities, focusing on the Alexa Top 10k websites. Discover how attack trees are used to specify the conditions for attacks against TLS and to assess the implications for page integrity, authentication credentials, and web tracking. Gain insights into how a limited number of exploitable HTTPS vulnerabilities are amplified by the intricacies of the web ecosystem, affecting the security of numerous websites due to external or related-domain hosts.
Syllabus
Intro
A dirge for HTTP
But can we trust HTTPS?
Vulnerability amplification
Contributions
Attack trees for TLS security
Data collection
Preliminary statistics
Page integrity
Cookies: results
Closing remarks
Taught by
IEEE Symposium on Security and Privacy