Truncating TLS Connections to Violate Beliefs in Web Applications

Abstract: We identify logical web application flaws which can be exploited by TLS truncation attacks to desynchronize the user- and server-side perspectives of an application's state. It follows immediately that servers may make false assumptions about users; hence the flaw constitutes a security vulnerability. Moreover, in the context of authentication systems, we exploit the vulnerability to launch the following practical attacks: we exploit the Helios electronic voting system to cast votes on behalf of honest voters, take full control of Microsoft Live accounts, and gain temporary access to Google accounts.

Update (October 18, 2014). This technical report revisits our earlier work (2013) and shows that Google remains vulnerable to the attacks that we disclosed.
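The abstract's central point is that a network attacker who cannot read or forge TLS records can still cut the underlying TCP connection at a moment of its choosing, and that an application which treats "connection closed" as "request completed" lets the client's belief about its state diverge from the server's. The following is an added example, not code from the HAL record or from the report, and it is an in-process model rather than real TLS or HTTP: the session identifier "sid-1", the "/logout" request and the record strings are constructed, and the truncating attacker is modelled as dropping the final record and closing the stream with no close_notify alert. It contrasts a client that infers success from end-of-stream with one that believes nothing until it has seen both an explicit response and a clean close.

```python
"""Toy model of state desynchronization caused by TLS truncation.

Added example, not part of the HAL record or the report.  Records are
plain strings and the attacker simply drops the last record and tears
down the connection, which mirrors what a network attacker can do to a
TLS connection by closing the TCP stream without a close_notify alert.
The session id, request and record strings below are constructed.
"""
from dataclasses import dataclass, field

CLOSE_NOTIFY = "<close_notify>"  # stands in for the TLS close_notify alert
SESSION = "sid-1"                # constructed session identifier


@dataclass
class Server:
    """Server-side view of the world: which sessions are still live."""
    sessions: set = field(default_factory=lambda: {SESSION})

    def handle(self, record: str) -> str:
        if record == f"POST /logout {SESSION}":
            self.sessions.discard(SESSION)
            return "200 OK logged out"
        return "400 Bad Request"


class Channel:
    """Client -> server stream; an active attacker may truncate it."""

    def __init__(self, server: Server, attacker_truncates: bool):
        self.server = server
        self.attacker_truncates = attacker_truncates

    def send(self, record: str) -> list:
        """Deliver one record and return everything the client reads back.

        Under truncation the attacker drops the record and closes the
        TCP connection: the server never sees the request and the client
        reads EOF with neither a response nor a close_notify alert.
        """
        if self.attacker_truncates:
            return []
        return [self.server.handle(record), CLOSE_NOTIFY]


def naive_client(channel: Channel) -> bool:
    """Believes the logout took effect unless an explicit error arrives.

    EOF is read as 'the server has finished answering', which is exactly
    the assumption a truncation attack exploits.
    """
    replies = channel.send(f"POST /logout {SESSION}")
    return not any(r[:1] in ("4", "5") for r in replies)


def careful_client(channel: Channel) -> bool:
    """Believes the logout only after an explicit 200 and a clean close.

    A missing close_notify means the peer did not end the connection, so
    nothing can be inferred about whether the request was processed.
    """
    replies = channel.send(f"POST /logout {SESSION}")
    return (len(replies) >= 2
            and replies[0] == "200 OK logged out"
            and replies[-1] == CLOSE_NOTIFY)


def run_logout(truncate: bool, careful: bool):
    """Return (client_believes_logged_out, server_session_still_valid)."""
    server = Server()
    channel = Channel(server, attacker_truncates=truncate)
    client = careful_client if careful else naive_client
    believes_logged_out = client(channel)
    return believes_logged_out, SESSION in server.sessions


def desynchronized(truncate: bool, careful: bool) -> bool:
    """True when the client thinks it is logged out but the server disagrees."""
    believes, still_valid = run_logout(truncate, careful)
    return believes and still_valid


if __name__ == "__main__":
    for truncate in (False, True):
        for careful in (False, True):
            believes, valid = run_logout(truncate, careful)
            print(f"truncate={truncate!s:5} careful={careful!s:5} "
                  f"client believes logged out={believes!s:5} "
                  f"server session live={valid}")
```

Only the combination of truncation and the naive client yields the desynchronized state the abstract describes: the client reports "logged out" while the server still honours the session. The careful client closes that gap by refusing to infer a state change from silence, which is the general lesson regardless of which application or site is involved.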
Document type: Report
[Research Report] INRIA Paris. 2014

Cited literature: 21 references

https://hal.inria.fr/hal-01102013
Contributor: Ben Smyth
Submitted on: Monday 12 January 2015 - 19:29:16
Last modified on: Saturday 17 September 2016 - 01:33:18
Document(s) archived on: Monday 13 April 2015 - 10:26:46

File

main-tls-logout.pdf
Files produced by the author(s)

Identifiers

  • HAL Id: hal-01102013, version 1

Citation

Ben Smyth, Alfredo Pironti. Truncating TLS Connections to Violate Beliefs in Web Applications. [Research Report] INRIA Paris. 2014. 〈hal-01102013〉

Metrics

Record views: 2094
File downloads: 220