Paper 2020/079

Exploring HTTPS Security Inconsistencies: A Cross-Regional Perspective

Eman Salem Alashwali, Pawel Szalachowski, and Andrew Martin

Abstract

If two or more identical HTTPS clients, located at different geographic locations (regions), make an HTTPS request to the same domain (e.g. example.com), on the same day, will they receive the same HTTPS security guarantees in response? Our results give evidence that this is not always the case. We conduct scans for the top 250000 most visited domains on the Internet, from clients located at five different regions: Australia, Brazil, India, the UK, and the US. Our scans gather data from both application (URLs and HTTP headers) and transport (servers' selected TLS version, ciphersuite, and certificate) layers. Overall, we find that HTTPS inconsistencies at the application layer are higher than those at the transport layer. We also find that HTTPS security inconsistencies are strongly related to URLs and IPs diversity among regions, and to a lesser extent to the presence of redirections. Further manual inspection shows that there are several reasons behind URLs diversity among regions such as downgrading to the plain-HTTP protocol, using different subdomains, different TLDs, or different home page documents. Furthermore, we find that downgrading to plain-HTTP is related to websites' regional blocking. We also provide attack scenarios that show how an attacker can benefit from HTTPS security inconsistencies, and introduce a new attack scenario which we call the "region confusion" attack. Finally, based on our observations, we draw some recommendations including the need for testing tools for domain administrators and users that help to mitigate and detect regional domains' inconsistencies, standardising regional domains format with the same-origin policy (of domains) in mind, standardising secure URL redirections, and avoid redirections whenever possible.

Note: Minor corrections in the presentation and format. This copy is compatible with the published version at the Computers & Security journal.

Metadata
Available format(s)
PDF
Category
Applications
Publication info
Published elsewhere. MINOR revision.Computers & Security, vol. 97, October 2020, 101975
Keywords
InternetsecurityTLSSSLprotocolmeasurementhttpsconfigurationconsistencyattackapplicationtransport.
Contact author(s)
eman alashwali @ gmail com
History
2020-11-20: revised
2020-01-26: received
See all versions
Short URL
https://ia.cr/2020/079
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2020/079,
      author = {Eman Salem Alashwali and Pawel Szalachowski and Andrew Martin},
      title = {Exploring HTTPS Security Inconsistencies: A Cross-Regional Perspective},
      howpublished = {Cryptology ePrint Archive, Paper 2020/079},
      year = {2020},
      note = {\url{https://eprint.iacr.org/2020/079}},
      url = {https://eprint.iacr.org/2020/079}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.