Man-in-the-Middle Attack to the HTTPS Protocol

	This Article
	Subscribers, please Login Purchase article: $19 PDF HTML IEEE Xplore Subscribers RSS feed
	Share
	Email this Article to a friend
	Bibliographic References
	ASCII Text BibTex RefWorks Procite/RefMan/Endnote
	Add to:
	Digg Furl Spurl Blink Simpy Google Del.icio.us Y!MyWeb
	Search
	Similar Articles Articles by Franco Callegati Articles by Walter Cerroni Articles by Marco Ramilli

January/February 2009 (vol. 7 no. 1)

pp. 78-81

	ASCII Text	x
	Franco Callegati, Walter Cerroni, Marco Ramilli, "Man-in-the-Middle Attack to the HTTPS Protocol," IEEE Security and Privacy, vol. 7, no. 1, pp. 78-81, January/February, 2009.

	BibTex	x
	@article{ 10.1109/MSP.2009.12, author = {Franco Callegati and Walter Cerroni and Marco Ramilli}, title = {Man-in-the-Middle Attack to the HTTPS Protocol}, journal ={IEEE Security and Privacy}, volume = {7}, number = {1}, issn = {1540-7993}, year = {2009}, pages = {78-81}, doi = {http://doi.ieeecomputersociety.org/10.1109/MSP.2009.12}, publisher = {IEEE Computer Society}, address = {Los Alamitos, CA, USA}, }

	RefWorks Procite/RefMan/Endnote	x
	TY - MGZN JO - IEEE Security and Privacy TI - Man-in-the-Middle Attack to the HTTPS Protocol IS - 1 SN - 1540-7993 SP78 EP81 EPD - 78-81 A1 - Franco Callegati, A1 - Walter Cerroni, A1 - Marco Ramilli, PY - 2009 KW - WEB security KW - HTTPS KW - self-signed certificate KW - ARP poisoning KW - DNS spoofing KW - man in the middle KW - MITM KW - Address Resolution Protocol KW - Domain Name System VL - 7 JA - IEEE Security and Privacy ER -

Franco Callegati, University of Bologna

Walter Cerroni, University of Bologna

Marco Ramilli, University of Bologna

DOI Bookmark: http://doi.ieeecomputersociety.org/10.1109/MSP.2009.12

As defenders, it is extremely dangerous to be ignorant of how attackers can disrupt our systems. Without a good understanding of the relative ease of certain attacks, it's easy to adopt poor policies and procedures. A good example of this is the tendency for some organizations to use invalid or "self-signed" certifications for SSL, an approach that both trains the user to ignore certificate warnings displayed by the browser and leaves connections vulnerable to man in the middle attacks. In this article, we illustrate how easy such attacks are to execute; we hope this will serve as an incentive to adopt defenses that not only seem secure, but actually are!

1. 78 E. Rescorla, HTTP Over TLS, IETF RFC 2818, 2000; www.ietf.org/rfcrfc2818.txt.2. T. Dierks and C. Allen, The TLS Protocol, IETF RFC 2246, 1999; www.ietf.org/rfcrfc2246.txt.3. H. Xia and J.C. Brustoloni, "Hardening Web Browsers against Man-in-the-Middle and Eavesdropping Attacks," Proc. 14th Int'l Conf. World Wide Web (IW3C2), ACM Press, 2005, pp. 489–498.4. D.C. Plummer, An Ethernet Address Resolution Protocol, IETF RFC 826, 1982; www.ietf.org/rfcrfc826.txt.5. US Federal Bureau of Investigation Nat'l Press Office, "Web 'Spoofing' Scams Are a Growing Problem," press release, 21 July 2003; www.fbi.gov/pressrel/pressrel03spoofing072103.htm.

Index Terms:

WEB security, HTTPS, self-signed certificate, ARP poisoning, DNS spoofing, man in the middle, MITM, Address Resolution Protocol, Domain Name System

Citation:

Franco Callegati, Walter Cerroni, Marco Ramilli, "Man-in-the-Middle Attack to the HTTPS Protocol," IEEE Security and Privacy, vol. 7, no. 1, pp. 78-81, Jan./Feb. 2009, doi:10.1109/MSP.2009.12

Peer Review Notice | Give Us Feedback

Usage of this product signifies your acceptance of the Terms of Use.