Truncating TLS Connections to Violate Beliefs in Web Applications - Inria - Institut national de recherche en sciences et technologies du numérique
Conference Papers, Year: 2013

Truncating TLS Connections to Violate Beliefs in Web Applications

Abstract

We identify logical web application flaws that can be exploited by TLS truncation attacks to desynchronize the user's and the server's view of an application's state. It follows immediately that servers may make false assumptions about users; hence the flaw constitutes a security vulnerability. Moreover, in the context of authentication systems, we exploit the vulnerability to launch the following practical attacks: we exploit the Helios electronic voting system to cast votes on behalf of honest voters, take full control of Microsoft Live accounts, and gain temporary access to Google accounts.
No file

Dates and versions

hal-00863371, version 1 (18-09-2013)

Identifiers

  • HAL Id: hal-00863371, version 1

Cite

Ben Smyth, Alfredo Pironti. Truncating TLS Connections to Violate Beliefs in Web Applications. WOOT'13: 7th USENIX Workshop on Offensive Technologies, 2013, Washington, United States. ⟨hal-00863371⟩

Collections

INRIA INRIA2