Show simple item record

dc.contributor.authorAlashwali, ES
dc.contributor.authorSzalachowski, P
dc.contributor.authorMartin, A
dc.date.accessioned2021-02-16T04:54:27Z
dc.date.available2021-02-16T04:54:27Z
dc.date.issued2020
dc.identifier.issn0167-4048
dc.identifier.doi10.1016/j.cose.2020.101975
dc.identifier.urihttp://hdl.handle.net/10072/402220
dc.description.abstractIf two or more identical HTTPS clients, located at different geographic locations (regions), make an HTTPS request to the same domain (e.g. example.com), on the same day, will they receive the same HTTPS security guarantees in response? Our results give evidence that this is not always the case. We conduct scans for the top 250000 most visited domains on the Internet, from clients located at five different regions: Australia, Brazil, India, the UK, and the US. Our scans gather data from both application (URLs and HTTP headers) and transport (servers’ selected TLS version, ciphersuite, and certificate) layers. Overall, we find that HTTPS inconsistencies at the application layer are higher than those at the transport layer. We also find that HTTPS security inconsistencies are strongly related to URLs and IPs diversity among regions, and to a lesser extent to the presence of redirections. Further manual inspection shows that there are several reasons behind URLs diversity among regions such as downgrading to the plain-HTTP protocol, using different subdomains, different TLDs, or different home page documents. Furthermore, we find that downgrading to plain-HTTP is related to websites’ regional blocking. We also provide attack scenarios that show how an attacker can benefit from HTTPS security inconsistencies, and introduce a new attack scenario which we call the “region confusion” attack. Finally, based on our analysis and observations, we provide discussion, which include some recommendations such as the need for testing tools for domain administrators and users that help to mitigate and detect regional domains’ inconsistencies, standardising regional domains format with the same-origin policy (of domains) in mind, standardising secure URL redirections, and avoid redirections whenever possible.
dc.description.peerreviewedYes
dc.languageen
dc.publisherElsevier BV
dc.relation.ispartofpagefrom101975
dc.relation.ispartofjournalComputers & Security
dc.relation.ispartofvolume97
dc.subject.fieldofresearchInformation and Computing Sciences
dc.subject.fieldofresearchcode08
dc.titleExploring HTTPS security inconsistencies: A cross-regional perspective
dc.typeJournal article
dc.type.descriptionC1 - Articles
dcterms.bibliographicCitationAlashwali, ES; Szalachowski, P; Martin, A, Exploring HTTPS security inconsistencies: A cross-regional perspective, Computers & Security, 2020, 97, pp. 101975-101975
dcterms.licensehttp://creativecommons.org/licenses/by-nc-nd/4.0/
dc.date.updated2021-02-16T04:51:45Z
dc.description.versionAccepted Manuscript (AM)
gro.rights.copyright© 2020 Elsevier. Licensed under the Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International Licence (http://creativecommons.org/licenses/by-nc-nd/4.0/) which permits unrestricted, non-commercial use, distribution and reproduction in any medium, providing that the work is properly cited.
gro.hasfulltextFull Text
gro.griffith.authorMartin, Andrew


Files in this item

This item appears in the following Collection(s)

  • Journal articles
    Contains articles published by Griffith authors in scholarly journals.

Show simple item record