Skip to Main content Skip to Navigation
Conference papers

Web-based Attacks on Host-Proof Encrypted Storage

Abstract : Cloud-based storage services, such as Wuala, and pass- word managers, such as LastPass, are examples of so- called host-proof web applications that aim to protect users from attacks on the servers that host their data. To this end, user data is encrypted on the client and the server is used only as a backup data store. Authorized users may access their data through client-side software, but for ease of use, many commercial applications also offer browser-based interfaces that enable features such as remote access, form-filling, and secure sharing. We describe a series of web-based attacks on popular host-proof applications that completely circumvent their cryptographic protections. Our attacks exploit standard web application vulnerabilities to expose flaws in the encryption mechanisms, authorization policies, and key management implemented by these applications. Our analysis suggests that host-proofing by itself is not enough to protect users from web attackers, who will simply shift their focus to flaws in client-side interfaces.
Document type :
Conference papers
Complete list of metadata

Cited literature [10 references]  Display  Hide  Download

https://hal.inria.fr/hal-00863383
Contributor : Ben Smyth <>
Submitted on : Monday, April 4, 2016 - 2:44:55 PM
Last modification on : Wednesday, May 30, 2018 - 10:29:28 AM
Long-term archiving on: : Tuesday, July 5, 2016 - 2:21:52 PM

File

host_proof_woot12.pdf
Files produced by the author(s)

Identifiers

  • HAL Id : hal-00863383, version 1

Collections

Citation

Karthikeyan Bhargavan, Antoine Delignat-Lavaud. Web-based Attacks on Host-Proof Encrypted Storage. 6th USENIX Workshop on Offensive Technologies (WOOT'12), Aug 2012, Bellevue, WA, United States. pp.97--104. ⟨hal-00863383⟩

Share

Metrics

Record views

143

Files downloads

391