|Title:||Our Man in the Middle: An Investigation of TLS Stripping Attacks and Defenses on the Web|
|Abstract:||This work addresses the viability of man in the middle (MITM) attacks, and stripping attacks in particular, on the web today. First, to present the severity of the threat, a modified version of Moxie Marlinspike's sslstrip attack is demonstrated to have the capability to compromise web applications with arbitrary authentication schemes in an automated fashion. Several methods for mitigating the attacks are then discussed in turn. HSTS, the incumbent technology, is found to have numerous deficiencies, the most important of which is its failure to guarantee protection against stripping attacks at all. A new variation on HSTS, called Distributed HSTS, provides the desired security guarantee for all connections involving a valid TLS certificate. Lastly, another distributed solution called NOSTRIP has the best theoretical properties of the three, ensuring security for all connections between hosts without the need for TLS certificates. Though these methods may be effective defenses to stripping attacks, additional MITM vulnerabilities are shown to exist due to the behavior of browsers. Thus, it is concluded that the web is still far from being safe from MITM attacks, and continued research on the topic is called for.|
|Type of Material:||Princeton University Senior Theses|
|Appears in Collections:||Computer Science, 1988-2016|
Files in This Item:
|PUTheses2015-Stedman_Collin.pdf||4.44 MB||Adobe PDF||Request a copy|
Items in Dataspace are protected by copyright, with all rights reserved, unless otherwise indicated.