Truncating TLS Connections to Violate Beliefs in Web Applications - Inria - Institut national de recherche en sciences et technologies du numérique
Report (Research Report) Year: 2014

Truncating TLS Connections to Violate Beliefs in Web Applications

Abstract

We identify logical web application flaws which can be exploited by TLS truncation attacks to desynchronize the user- and server-perspective of an application's state. It follows immediately that servers may make false assumptions about users, hence, the flaw constitutes a security vulnerability. Moreover, in the context of authentication systems, we exploit the vulnerability to launch the following practical attacks: we exploit the Helios electronic voting system to cast votes on behalf of honest voters, take full control of Microsoft Live accounts, and gain temporary access to Google accounts.

Update (October 18, 2014). This technical report revisits our earlier work (2013) and shows that Google remain vulnerable to the attacks that we disclosed.
Main file

main-tls-logout.pdf (149.26 KB)
Origin: Files produced by the author(s)

Dates and versions

hal-01102013, version 1 (12-01-2015)

Identifiers

  • HAL Id: hal-01102013, version 1

Cite

Ben Smyth, Alfredo Pironti. Truncating TLS Connections to Violate Beliefs in Web Applications. [Research Report] INRIA Paris. 2014. ⟨hal-01102013⟩

Collections

INRIA INRIA2 LARA
8576 views
329 downloads
