(Un)Safe Browsing

Thomas Gerbet 1 Amrit Kumar 1, 2 Cédric Lauradoux 2
2 PRIVATICS - Privacy Models, Architectures and Tools for the Information Society
Inria Grenoble - Rhône-Alpes, CITI - CITI Centre of Innovation in Telecommunications and Integration of services
Abstract: Users often accidentally or inadvertently click malicious phishing or malware website links, and in doing so they sacrifice secret information and sometimes even fully compromise their devices. These URLs are intelligently scripted to remain inconspicuous over the Internet. In light of the ever increasing number of such URLs, new ingenious strategies have been invented to detect them and inform the end user when he is tempted to access such a link. The Safe Browsing technique provides an exemplary service to identify unsafe websites and notify users and webmasters allowing them to protect themselves from harm. In this work, we show how to turn Google Safe Browsing services against itself and its users. We propose several Distributed Denial-of-Service attacks that simultaneously affect both the Google Safe Browsing server and the end user. Our attacks leverage on the false positive probability of the data structures used for malicious URL detection. This probability exists because a trade-off was made between Google's server load and client's memory consumption. Our attack is based on the forgery of malicious URLs to increase the false positive probability. Finally we show how Bloom filter combined with universal hash functions and prefix lengthening can fix the problem.
Document type:
Report
[Research Report] RR-8594, INRIA. 2014
https://hal.inria.fr/hal-01064822
Contributor: Cédric Lauradoux
Submitted on: Monday, 22 September 2014 - 09:22:11
Last modified on: Saturday, 27 October 2018 - 01:20:03
Document(s) archived on: Friday, 14 April 2017 - 15:52:07

File

rr8594.pdf
Files produced by the author(s)

Identifiers

  • HAL Id: hal-01064822, version 2

Citation

Thomas Gerbet, Amrit Kumar, Cédric Lauradoux. (Un)Safe Browsing. [Research Report] RR-8594, INRIA. 2014. 〈hal-01064822v2〉

Metrics

Record views

445

File downloads

621