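% Li et al., SecureComm proceedings chapter: HSTS deployment measurement and an
% enhanced HTTPS stripping attack. The acronyms in the title are brace-protected
% so that sentence-casing styles do not lowercase them.
% NOTE(review): the doi value is copied from the citation key, which has the
% form of a Springer chapter DOI; confirm against the publisher record.
@inproceedings{10.1007/978-3-319-78813-5_25,
  author    = {Li, Xurong and Wu, Chunming and Ji, Shouling and Gu, Qinchen and Beyah, Raheem},
  editor    = {Lin, Xiaodong and Ghorbani, Ali and Ren, Kui and Zhu, Sencun and Zhang, Aiqing},
  title     = {{HSTS} Measurement and an Enhanced Stripping Attack Against {HTTPS}},
  booktitle = {Security and Privacy in Communication Networks},
  year      = {2018},
  publisher = {Springer International Publishing},
  address   = {Cham},
  pages     = {489--509},
  doi       = {10.1007/978-3-319-78813-5_25},
  isbn      = {978-3-319-78813-5},
  abstract  = {HTTPS has played a significant role in the Internet world. HSTS is deployed to ensure the proper running of HTTPS. To get a good understanding of the deployment of HSTS, we conducted an in-depth measurement of the deployment of HSTS among Alexa top 1 million sites, and investigated bookmarks and navigation panels in different browsers. We found five types of threats, including transmission errors, redirection errors, field setting errors, the auto completion mechanism in bookmarks and the embedded addresses in navigation panels. To demonstrate defects we found, we designed an enhanced HTTPS stripping attack, which was upgraded from the original sslstrip attack. Finally, we gave three effective suggestions to eliminate these defects. This paper exposed various risks of HTTPS and HSTS, making it possible to deploy HTTPS and HSTS in a more secure way.},
}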