2015 | OriginalPaper | Chapter

A Dangerous Mix: Large-Scale Analysis of Mixed-Content Websites

Authors : Ping Chen, Nick Nikiforakis, Christophe Huygens, Lieven Desmet

Published in: Information Security

Publisher: Springer International Publishing

Abstract

In this paper, we investigate the current state of practice regarding mixed-content websites: websites that are accessed over HTTPS yet include some additional resources over plain HTTP. Through a large-scale experiment, we show that about half of the Internet’s most popular websites currently use this practice and are thus vulnerable to a wide range of attacks, including the stealing of cookies and the injection of malicious JavaScript in the context of the vulnerable websites. Additionally, we investigate the default behavior of browsers on mobile devices and show that most of them, by default, allow the rendering of mixed content, which demonstrates that hundreds of thousands of mobile users are currently vulnerable to MITM attacks.
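The abstract defines mixed content as an HTTPS page that pulls in subresources over plain HTTP. The following detector, an added example that is not code from the paper or its authors, illustrates the defender's side of that definition: it parses a page, resolves every subresource URL against the page's own HTTPS URL (so scheme-relative and relative references correctly inherit https and are not flagged), and reports each remaining http:// inclusion. The split into "active" (script, frame, stylesheet, plug-in) and "passive" (image, media) content follows the usual browser distinction and is an assumption of this example; the sample HTML and host names are constructed.

```python
"""Mixed-content detector: flag subresources an HTTPS page loads over plain HTTP.

Added example; not part of the paper. Sample HTML and host names are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags and attributes through which a page pulls in subresources.
# Plain <a href> is navigation, not a subresource, so it is deliberately absent.
RESOURCE_ATTRS = {
    "script": ("src",),
    "img": ("src",),
    "iframe": ("src",),
    "link": ("href",),
    "object": ("data",),
    "embed": ("src",),
    "video": ("src",),
    "audio": ("src",),
    "source": ("src",),
}

# Active mixed content can execute code or rewrite the DOM of the HTTPS page;
# passive content only affects what is displayed. Classification is an
# assumption of this example, following the common browser distinction.
ACTIVE_TAGS = {"script", "iframe", "link", "object", "embed"}


class MixedContentParser(HTMLParser):
    """Collects (tag, resolved_url, kind) for every http:// subresource."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in RESOURCE_ATTRS:
            return
        attrs = dict(attrs)
        for name in RESOURCE_ATTRS[tag]:
            value = attrs.get(name)
            if not value:
                continue
            # Resolve against the page URL: "/x" and "//host/x" inherit https
            # and are therefore not mixed content; only explicit http:// is.
            resolved = urljoin(self.page_url, value.strip())
            if urlsplit(resolved).scheme.lower() == "http":
                kind = "active" if tag in ACTIVE_TAGS else "passive"
                self.findings.append((tag, resolved, kind))


def find_mixed_content(page_url, html):
    """Return the list of http:// subresources included by an HTTPS page."""
    if urlsplit(page_url).scheme.lower() != "https":
        raise ValueError("mixed content is only meaningful for an HTTPS page")
    parser = MixedContentParser(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings


def has_active_mixed_content(findings):
    """True when at least one finding can run code in the page's origin."""
    return any(kind == "active" for _, _, kind in findings)


# Constructed sample page, as if served from https://www.example.com/index.html
SAMPLE_PAGE_URL = "https://www.example.com/index.html"
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="http://cdn.example.net/site.css">
<script src="//static.example.com/app.js"></script>
</head><body>
<img src="/images/logo.png">
<img src="http://images.example.net/banner.jpg">
<a href="http://example.org/">a plain link is navigation, not mixed content</a>
<iframe src="https://ads.example.net/frame"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for tag, url, kind in find_mixed_content(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(f"{kind:7s} <{tag}> {url}")
```

Run against the constructed sample, the scan reports two inclusions: the stylesheet (active) and the banner image (passive); the scheme-relative script, the relative logo and the HTTPS frame are correctly left alone. Once such inclusions are found, the remedy is to serve the resources over HTTPS; a Content Security Policy (reference [20]) with the `upgrade-insecure-requests` directive makes supporting browsers rewrite remaining http:// subresource fetches to https before they leave the client.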


Footnotes
1
Safari and Opera hold 8.39 % and 1.03 % of the market respectively, according to StatCounter's usage-share statistics for desktop browsers for June 2013 [6].
 
Literature
10. Al Fardan, N.J., Paterson, K.G.: Lucky Thirteen: breaking the TLS and DTLS record protocols. In: IEEE Symposium on Security and Privacy, SP 2013, pp. 526–540 (2013)
11. Amrutkar, C., Traynor, P., van Oorschot, P.C.: Measuring SSL indicators on mobile browsers: extended life, or end of the road? In: Gollmann, D., Freiling, F.C. (eds.) ISC 2012. LNCS, vol. 7483, pp. 86–103. Springer, Heidelberg (2012)
12. Barth, A., Jackson, C., Mitchell, J.C.: Robust defenses for cross-site request forgery. In: Proceedings of the 15th ACM Conference on Computer and Communications Security, CCS 2008, pp. 75–88. ACM, New York, NY, USA (2008)
13. Clark, J., van Oorschot, P.C.: SoK: SSL and HTTPS: revisiting past challenges and evaluating certificate trust model enhancements. In: IEEE Symposium on Security and Privacy, SP 2013, pp. 511–525 (2013)
14. Heiderich, M., Niemietz, M., Schuster, F., Holz, T., Schwenk, J.: Scriptless attacks: stealing the pie without touching the sill. In: Proceedings of the 2012 ACM Conference on Computer and Communications Security, CCS 2012, pp. 760–771. ACM, New York, NY, USA (2012)
15. Hodges, J., Jackson, C., Barth, A.: HTTP strict transport security (HSTS), IETF RFC (2012)
16. Marlinspike, M.: New Tricks for Defeating SSL in Practice, Blackhat (2009)
18. Nikiforakis, N., Invernizzi, L., Kapravelos, A., van Acker, S., Joosen, W., Kruegel, C., Piessens, F., Vigna, G.: You are what you include: large-scale evaluation of remote JavaScript inclusions. In: Proceedings of the 2012 ACM Conference on Computer and Communications Security, CCS 2012, pp. 736–747. ACM, New York, NY, USA (2012)
19. Rizzo, J., Duong, T.: CRIME: Compression ratio info-leak made easy. In: ekoparty Security Conference (2012)
20. Stamm, S., Sterne, B., Markham, G.: Reining in the web with content security policy. In: Proceedings of the 19th International Conference on World Wide Web, WWW 2010, pp. 921–930. ACM, New York, NY, USA (2010)
21. Sunshine, J., Egelman, S., Almuhimedi, H., Atri, N., Cranor, L.F.: Crying Wolf: an empirical study of SSL warning effectiveness. In: Proceedings of the 18th Usenix Security Symposium, pp. 399–416 (2009)
Metadata
Title: A Dangerous Mix: Large-Scale Analysis of Mixed-Content Websites
Authors: Ping Chen, Nick Nikiforakis, Christophe Huygens, Lieven Desmet
Copyright Year: 2015
DOI: https://doi.org/10.1007/978-3-319-27659-5_25