Web Security

HTTPS is a protocol running on top of HTTP that encrypts traffic.

Key Exchange protocol:

  1. Key exchange
  2. encrypt
  3. HTTP - base layer

HTTPS messages are sent over TLS, but HTTP goes over TCP not TLS .. no encryption, sent over the clear.

Threat Models:

Man in the Middle:

Alice ============Eve===========Bob

Eve can see, interfere, modify, full control of messages sent between Alice and Bob.

Off-Path Attacker:

Attacker is not man in the middle, is remote server connected to the internet. Server cannot see messages or eves, only send them. If system is susceptible to this then system is very vulnerable

On-Path Attacker

The attacker can eavesdrop but not modify or drop Alice to Bob traffic. But because it’s connected to the internet, it can also send messages.

HTTPS Request: What happens when you visit a web page – information is leaked, can be used to fingerprint users. You could find out type of browser, OS, where user came from (referer).

Security Issue: Pixel Tracking: embed small images in page that no human can see, when page loaded browser has to also fetch image without user permissions.

Generally, servers don’t keep state. A server doesn’t know the user from one request to another. But to make things easier, cookies do keep state on the user’s machine. Because cookies contain sensitive information about the user they should not be sent over HTTP.