
An Effective Protection Mechanism for SSL Man-in-the-Middle Proxy Attacks

Lim, Cha-Sung (Department of Industrial Engineering, Inha University)
Lee, Woo-Key (Department of Industrial Engineering, Inha University)
Jo, Tae-Chang (Department of Mathematics, Inha University)
Abstract
In current e-commerce systems, a client's confidential information such as credit card numbers, PINs, or digital certificates may pass through a web proxy server or an altered proxy server without the client's awareness. Even though the confidential information is encrypted and sent over the SSL (Secure Sockets Layer) or TLS (Transport Layer Security) protocol, it can still be exposed to sniffing through digital certificate forgery at the proxy server, an attack known as the SSL MITM (Man-In-The-Middle) proxy attack. In this paper, current credit card web-payment systems, which are weak against proxy information alteration attacks, are analyzed. A resolution using a certificate proxy server is also proposed to prevent the MITM attack.
Keywords
SSL; TLS; MITM; Proxy; HTTPS;