Splitting the HTTPS Stream to Attack Secure Web Connections
November/December 2010 (vol. 8 no. 6)
pp. 80-84
Marco Prandini, University of Bologna
Marco Ramilli, University of Bologna
Walter Cerroni, University of Bologna
Franco Callegati, University of Bologna
The HTTPS protocol is commonly adopted to secure connections to websites, both to guarantee the server's authenticity and to protect the privacy of transmitted data. However, the computational load associated with the protocol's key exchange and encryption/decryption activities isn't negligible. Many heavily trafficked websites must avoid using HTTPS for most of their pages, typically restricting its use to encrypting sensitive user data. This article illustrates how this common practice significantly reduces the client's ability to detect manipulations of the data stream, thus exposing the user to potential man-in-the-middle attacks.

Index Terms:
HTTPS, password stealing, web security, man-in-the-middle
Citation:
Marco Prandini, Marco Ramilli, Walter Cerroni, Franco Callegati, "Splitting the HTTPS Stream to Attack Secure Web Connections," IEEE Security & Privacy, vol. 8, no. 6, pp. 80-84, Nov.-Dec. 2010, doi:10.1109/MSP.2010.190