Published March 30, 2024 | Version CC-BY-NC-ND 4.0 | Journal article | Open
Survey of Attacks Against HTTPS: Analysis, Exploitation, and Mitigation Strategies
Authors/Creators
- 1. Department of Information Security, Carnegie Mellon University, San Jose, United States.
Contributors
Contact person:
- 1. Department of Information Security, Carnegie Mellon University, San Jose, United States.
- 2. Nitin Srinivasan, Department of Computer Science, University of Massachusetts Amherst, Sunnyvale, United States.
- 3. Praveen Kumar Sridhar, Department of Data Science, Northeastern University, San Jose, United States.
- 4. Kishore Kumar Perumalsamy, Department of Computer Science, Carnegie Mellon University, San Jose, United States.
Description
Abstract: This research paper aims to provide a comprehensive overview of known attacks against HTTPS, focusing on the SSL and TLS protocols. The paper begins by explaining how HTTPS works, followed by detailed descriptions of the SSL and TLS protocols. Subsequently, it explores common attacks against HTTPS, providing an in-depth analysis of each attack, along with proof-of-concept (PoC) demonstrations. Furthermore, the paper outlines mitigation strategies to address each attack, emphasizing the importance of proactive security measures. Finally, a conclusion is drawn, highlighting the evolving nature of HTTPS attacks and the continuous need for robust security practices.
Files
- D982613040324.pdf (351.4 kB), md5:e821dac4fe469a95df52f322832ffbf3
Additional details
Identifiers
- DOI
- 10.35940/ijitee.D9826.13040324
- EISSN
- 2278-3075
Dates
- Accepted
- 2024-03-15: Manuscript received on 28 February 2024 | Revised Manuscript received on 08 March 2024 | Manuscript Accepted on 15 March 2024 | Manuscript published on 30 March 2024.