Man-in-the-Middle Attack to the HTTPS Protocol
January/February 2009 (vol. 7 no. 1)
pp. 78-81
Franco Callegati, University of Bologna
Walter Cerroni, University of Bologna
Marco Ramilli, University of Bologna
As defenders, it is extremely dangerous to be ignorant of how attackers can disrupt our systems. Without a good understanding of the relative ease of certain attacks, it is easy to adopt poor policies and procedures. A good example of this is the tendency of some organizations to use invalid or "self-signed" certificates for SSL, an approach that both trains users to ignore the certificate warnings displayed by the browser and leaves connections vulnerable to man-in-the-middle attacks, since a browser that has been taught to click through warnings cannot tell the legitimate self-signed certificate from one presented by an interceptor. In this article, we illustrate how easy such attacks are to execute; we hope this will serve as an incentive to adopt defenses that not only seem secure, but actually are!
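The index terms name ARP poisoning as one way an attacker on the same LAN gets between a browser and an HTTPS server before the self-signed certificate trick comes into play. The following is an added example, not code from the article or its authors: a small Python detector that parses raw Ethernet/ARP frames in the RFC 826 layout and flags the two signs of a poisoning attack, an ARP reply nobody asked for and an IP address whose announced MAC changes. The sample frames and every address in them are constructed for this example.

```python
"""ARP cache poisoning detector over raw Ethernet/ARP frames (added example).

Two checks are applied to every ARP reply:
  * unsolicited-reply : no request for that IP was seen from the reply's target
  * mac-changed       : the sender IP was previously announced with another MAC
The frames below are constructed test data; all addresses are made up.
"""
import struct
from typing import Iterable, List, Optional, Tuple

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
# RFC 826 body for Ethernet/IPv4: htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")
ETH_HDR_LEN = 14


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def mac_bytes(s: str) -> bytes:
    return bytes(int(x, 16) for x in s.split(":"))


def ip_bytes(s: str) -> bytes:
    return bytes(int(x) for x in s.split("."))


def build_frame(op: int, sha: str, spa: str, tha: str, tpa: str,
                dst_mac: str = "ff:ff:ff:ff:ff:ff") -> bytes:
    """Constructed input: Ethernet II header followed by a 28-byte ARP body."""
    eth = mac_bytes(dst_mac) + mac_bytes(sha) + struct.pack("!H", ETHERTYPE_ARP)
    arp = ARP_HDR.pack(1, 0x0800, 6, 4, op, mac_bytes(sha), ip_bytes(spa),
                       mac_bytes(tha), ip_bytes(tpa))
    return eth + arp


def parse_arp(frame: bytes) -> Optional[dict]:
    """Return the ARP fields of an Ethernet/IPv4 ARP frame, or None otherwise."""
    if len(frame) < ETH_HDR_LEN + ARP_HDR.size:
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = ARP_HDR.unpack_from(frame, ETH_HDR_LEN)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"op": op, "sha": mac_str(sha), "spa": ip_str(spa),
            "tha": mac_str(tha), "tpa": ip_str(tpa)}


def detect_poisoning(frames: Iterable[bytes]) -> List[Tuple[str, str, str]]:
    """Return alerts as (kind, ip, announced_mac) tuples, in frame order."""
    table = {}      # ip -> MAC first announced for it (the baseline)
    pending = set()  # (requester_ip, target_ip) for requests not yet answered
    alerts = []
    for frame in frames:
        arp = parse_arp(frame)
        if arp is None or arp["op"] not in (ARP_REQUEST, ARP_REPLY):
            continue
        if arp["op"] == ARP_REQUEST:
            pending.add((arp["spa"], arp["tpa"]))
        else:
            # A legitimate reply answers a request the target sent for this IP.
            key = (arp["tpa"], arp["spa"])
            if key in pending:
                pending.discard(key)
            else:
                alerts.append(("unsolicited-reply", arp["spa"], arp["sha"]))
        if arp["spa"] == "0.0.0.0":      # ARP probe, carries no binding
            continue
        known = table.setdefault(arp["spa"], arp["sha"])
        if known != arp["sha"]:
            alerts.append(("mac-changed", arp["spa"], arp["sha"]))
    return alerts


# Constructed scenario: victim, gateway and an attacker poisoning both sides.
VICTIM_IP, VICTIM_MAC = "10.0.0.5", "aa:aa:aa:aa:aa:05"
GW_IP, GW_MAC = "10.0.0.1", "aa:aa:aa:aa:aa:01"
ATK_MAC = "cc:cc:cc:cc:cc:99"

SAMPLE_FRAMES = [
    # victim asks who has the gateway
    build_frame(ARP_REQUEST, VICTIM_MAC, VICTIM_IP, "00:00:00:00:00:00", GW_IP),
    # the real gateway answers; solicited, becomes the baseline for 10.0.0.1
    build_frame(ARP_REPLY, GW_MAC, GW_IP, VICTIM_MAC, VICTIM_IP, dst_mac=VICTIM_MAC),
    # attacker tells the victim the gateway lives at the attacker's MAC
    build_frame(ARP_REPLY, ATK_MAC, GW_IP, VICTIM_MAC, VICTIM_IP, dst_mac=VICTIM_MAC),
    # attacker tells the gateway the victim lives at the attacker's MAC
    build_frame(ARP_REPLY, ATK_MAC, VICTIM_IP, GW_MAC, GW_IP, dst_mac=GW_MAC),
    # an IPv4 frame (EtherType 0x0800) with a zero payload is ignored by the parser
    mac_bytes(GW_MAC) + mac_bytes(VICTIM_MAC) + struct.pack("!H", 0x0800) + bytes(28),
]

if __name__ == "__main__":
    for kind, ip, mac in detect_poisoning(SAMPLE_FRAMES):
        print(f"{kind:18s} ip={ip:10s} announced_mac={mac}")
```

On the sample traffic the detector raises four alerts: an unsolicited reply and a MAC change for the gateway address, then the same pair for the victim address, which is exactly the two-sided poisoning an interceptor needs to relay both directions of the HTTPS session. Two caveats for real use: the baseline here is whatever MAC was announced first, so in production seed the table from DHCP leases or a device inventory rather than trusting the first frame, and this check only covers the LAN-side vector named in the index terms; it does nothing against DNS spoofing or an interceptor further upstream, which is why the abstract's point stands that the durable defense is a certificate the browser can actually verify rather than a warning the user has learned to dismiss.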

Index Terms:
Web security, HTTPS, self-signed certificate, ARP poisoning, DNS spoofing, man in the middle, MITM, Address Resolution Protocol, Domain Name System
Citation:
Franco Callegati, Walter Cerroni, Marco Ramilli, "Man-in-the-Middle Attack to the HTTPS Protocol," IEEE Security & Privacy, vol. 7, no. 1, pp. 78-81, Jan.-Feb. 2009, doi:10.1109/MSP.2009.12