Exploring HTTPS Security Inconsistencies: A Cross-Regional Perspective

10/20/2020
by   Eman Salem Alashwali, et al.
0

If two or more identical HTTPS clients, located at different geographic locations (regions), make an HTTPS request to the same domain (e.g. example.com), on the same day, will they receive the same HTTPS security guarantees in response? Our results give evidence that this is not always the case. We conduct scans for the top 250,000 most visited domains on the Internet, from clients located at five different regions: Australia, Brazil, India, the UK, and the US. Our scans gather data from both application (URLs and HTTP headers) and transport (servers' selected TLS version, ciphersuite, and certificate) layers. Overall, we find that HTTPS inconsistencies at the application layer are higher than those at the transport layer. We also find that HTTPS security inconsistencies are strongly related to URLs and IPs diversity among regions, and to a lesser extent to the presence of redirections. Further manual inspection shows that there are several reasons behind URLs diversity among regions such as downgrading to the plain-HTTP protocol, using different subdomains, different TLDs, or different home page documents. Furthermore, we find that downgrading to plain-HTTP is related to websites' regional blocking. We also provide attack scenarios that show how an attacker can benefit from HTTPS security inconsistencies, and introduce a new attack scenario which we call the "region confusion" attack. Finally, based on our analysis and observations, we provide discussion, which include some recommendations such as the need for testing tools for domain administrators and users that help to mitigate and detect regional domains' inconsistencies, standardising regional domains format with the same-origin policy (of domains) in mind, standardising secure URL redirections, and avoid redirections whenever possible.

READ FULL TEXT
POST COMMENT

Comments

There are no comments yet.

Authors

page 1

page 6

page 7

06/15/2019

Does "www." Mean Better Transport Layer Security?

Experience shows that most researchers and developers tend to treat plai...
02/24/2021

Measuring HTTP/3: Adoption and Performance

The third version of the Hypertext Transfer Protocol (HTTP) is currently...
09/13/2019

An Empirical Study of the Cost of DNS-over-HTTPS

DNS is a vital component for almost every networked application. Origina...
05/29/2018

Exploring Server-side Blocking of Regions

One of the Internet's greatest strengths is the degree to which it facil...
04/04/2018

Co Hijacking Monitor: Collaborative Detecting and Locating Mechanism for HTTP Spectral Hijacking

With the rapid growth of mobile internet, mobile application, like websi...
09/15/2018

DSTC: DNS-based Strict TLS Configurations

Most TLS clients such as modern web browsers enforce coarse-grained TLS ...
07/30/2019

The Era of TLS 1.3: Measuring Deployment and Use with Active and Passive Methods

TLS 1.3 marks a significant departure from previous versions of the Tran...
This week in AI

Get the week's most popular data science and artificial intelligence research sent straight to your inbox every Saturday.