SSL stripping attack was one of the most notorious techniques to hack HTTPS websites. So, HTTP Strict Transport Security (HSTS) mechanism had been proposed and deployed to subdue the attack. However, a few recent studies have shown that the old SSL stripping attack could be deployed to effectively attack several on-line banking and e-commerce web sites again even with HSTS configuration. Hence, this paper investigates and analyzes reasons behind the malfunction of HSTS and the return of SSL stripping attacks. To analyze the problem, testbed experiments on 11 Thai online banking, 4 e-commerce websites and 2 volunteer websites, an analysis of HTTP response headers and hacker’s scripts are done. The cause of problems has finally been analyzed and the solutions are suggested.
Keywords
HTTP Strict Transport Security (HSTS) Mechanism; SSL Stripping Attack; Web Security
THE JOURNAL OF KMUTNB
Published by : King Mongkut's University of Technology North Bangkok Contributions welcome at : http://www.journal.kmutnb.ac.th
By using our website, you acknowledge that you have read and understand our Cookie Policy and Privacy Policy.