Man-in-the-Middle Attack to the HTTPS Protocol

@article{Callegati2009ManintheMiddleAT,
  title={Man-in-the-Middle Attack to the HTTPS Protocol},
  author={Franco Callegati and Walter Cerroni and Marco Ramilli},
  journal={IEEE Security \& Privacy Magazine},
  year={2009},
  volume={7},
  pages={78-81}
}
Web-based applications rely on the HTTPS protocol to guarantee privacy and security in transactions ranging from home banking, e-commerce, and e-procurement to those that deal with sensitive data such as career and identity information. Users trust this protocol to prevent unauthorized viewing of their personal, financial, and confidential information over the Web. 

Splitting the HTTPS Stream to Attack Secure Web Connections

This document explains how the HTTPS protocol lets a browser verify a Web server's authenticity and establish an encrypted channel for protecting exchanged data.

Analysis and Research on HTTPS Hijacking Attacks

  • Kefei Cheng, Meng Gao, R. Guo
  • Computer Science
  • 2010 Second International Conference on Networks Security, Wireless Communications and Trusted Computing
  • 2010
Experimental results show that three methods to strengthen data security, namely a static ARP table, an enhanced certificate system, and two-way authentication, are effective defenses against HTTPS hijacking attacks.

HTTPAS: active authentication against HTTPS man-in-the-middle attacks

The authors propose HTTPAS, a new HTTP Active Secure framework that can enhance the HTTPS authentication against man-in-the-middle attacks by actively utilising available CAs and exploiting Internet path diversity as much as possible.

Achieving Communication Effectiveness of Web Authentication Protocol with Key Update

A new certification process is designed to make the protocol support key update, thus avoiding the risk of key leaks and improving the efficiency of implementation of SISCA protocol.

Defense against DNS Man-In-The-Middle Spoofing

This paper introduces one type of defense technique based on the main features of DNS response packets that employs Artificial Neural Networks (ANN), which produces excellent performance.

HTTPS: a Phishing Attack in a Network

The possibility of finding phishing attacks even in cases where the victim sees, in their web browser, the same URL as the legitimate website, with the padlock and the HTTPS certificate, is discussed.

Content-based control of HTTPs mail for implementation of IT-convergence security environment

This paper proposes a method that controls HTTPS web mail contents by using a proxy server that distributes a secure socket layer (SSL) certificate to the user's PC and plays the Certificate Authority role between the users' PCs and the web mail server.

Privacy Preservation and Data Security on Internet Using Mutual Ssl

The process of authenticating and setting up an encrypted channel using certificate-based mutual SSL authentication with Verisign or Microsoft Declaration Server is a critical part of the mutual authentication process.

SSL Enhancement

This paper depicts an SSL breach and then provides a solution to nullify it, proposing a practical technique to strengthen data security by developing a Mozilla Firefox add-on and servlet code that strengthen the defense against HTTPS hijacking attacks.

An Approach for Detecting Man-In-The-Middle Attack Using DPI and DFI

All of those man-in-the-middle attacks, including the Man-In-The-Middle (MITM) attack, are discussed with examples and a case study.

References

Hardening Web browsers against man-in-the-middle and eavesdropping attacks

This work proposes context-sensitive certificate verification (CSCV), whereby the browser interrogates the user about the context in which a certificate verification error occurs, and guides the user in handling and possibly overcoming the security error.