
Truncating TLS Connections to Violate Beliefs in Web Applications

Abstract: We identify logical web application flaws that can be exploited by TLS truncation attacks to desynchronize the user's and the server's perspective of an application's state. It follows immediately that servers may make false assumptions about users; hence, the flaw constitutes a security vulnerability. Moreover, in the context of authentication systems, we exploit the vulnerability to launch the following practical attacks: we cast votes on behalf of honest voters in the Helios electronic voting system, take full control of Microsoft Live accounts, and gain temporary access to Google accounts. Update (October 18, 2014): this technical report revisits our earlier work (2013) and shows that Google remain vulnerable to the attacks that we disclosed.
Document type: Research report
Cited literature: 21 references
Contributor: Ben Smyth
Submitted on: Monday, January 12, 2015 - 7:29:16 PM
Last modification on: Wednesday, October 26, 2022 - 8:14:42 AM
Long-term archiving on: Monday, April 13, 2015 - 10:26:46 AM

HAL Id: hal-01102013, version 1



Ben Smyth, Alfredo Pironti. Truncating TLS Connections to Violate Beliefs in Web Applications. [Research Report] INRIA Paris. 2014. ⟨hal-01102013⟩
