What is it about?

HTTPS relies on a group of pre-trusted certificate authorities (CAs) for authentication and can thereby avoid man-in-the-middle attacks. Unfortunately, this authentication architecture can be completely subverted if any one of the CAs (usually the weakest) is compromised. To tackle this critical flaw, pioneering works such as notary-based systems and pre-shared secrets have been proposed. These state-of-the-art techniques can neither seek maximal protection from available CAs nor resist potential man-in-the-middle variants. In this paper, we propose HTTPAS, a new HTTP Active Secure framework that enhances HTTPS authentication against man-in-the-middle attacks by actively utilizing available CAs and exploiting Internet path diversity as much as possible. In particular, HTTPAS is designed with four practical solutions, each of which makes a unique trade-off among authentication capability, deployment difficulty and efficiency. We have implemented HTTPAS using the OpenSSL suite and evaluated the implementation through experiments on several public certificate datasets and the Internet. Our results confirm the authentication effectiveness of HTTPAS with only a few performance overheads and moderate deployment efforts.

Read the Original

This page is a summary of: HTTPAS: active authentication against HTTPS man-in-the-middle attacks, IET Communications, November 2016, the Institution of Engineering and Technology (the IET), DOI: 10.1049/iet-com.2016.0331.