Analysis of the adoption of security headers in HTTP

IET Information Security


With the increase in the number of threats to web-based systems, a more integrated approach is required to enforce security policies from the server to the client. These policies aim to stop man-in-the-middle attacks, code injection and similar attacks. This study analyses some of the newest security options used within HTTP responses and scans the Alexa Top 1 Million sites for their presence in HTTP responses. The options scanned for are Content Security Policy, Public Key Pinning Extension for HTTP, HTTP Strict Transport Security and the X-Frame-Options HTTP header field, with the aim of understanding the impact these options have on the most popular websites. The results show that, while the implementation of these parameters is increasing, they are still not implemented on many of the top sites. The study also shows the profile of adoption of Let's Encrypt digital certificates across the one million sites, along with a way of assessing the quality of the security headers.
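The abstract describes two measurements: whether each of the four headers is present in a site's HTTP response, and a way of assessing the quality of those headers. The following is an added example, not the paper's own scanner or scoring method: it parses a response's headers case-insensitively, checks the four headers the abstract names for common weaknesses (short or subdomain-less HSTS max-age, 'unsafe-inline' or wildcard script sources in CSP, fewer than two HPKP pins, non-standard X-Frame-Options values) and produces a 0 to 100 score. The 180-day HSTS threshold, the scoring rubric and the sample responses under hostnames such as `strong.example` are all assumptions constructed for illustration.

```python
# Added example: assess presence and quality of HTTP security response headers.
# The thresholds and the scoring rubric are assumptions, not the paper's method.
import re
from typing import Callable, Dict, List

HSTS_MIN_MAX_AGE = 15552000  # 180 days; assumed threshold for a strong HSTS policy
SECURITY_HEADERS = (
    "strict-transport-security",
    "content-security-policy",
    "public-key-pins",
    "x-frame-options",
)


def normalise(headers: Dict[str, str]) -> Dict[str, str]:
    """Lower-case header names so lookups are case-insensitive, as HTTP requires."""
    return {k.strip().lower(): v.strip() for k, v in headers.items()}


def parse_directives(value: str) -> Dict[str, List[str]]:
    """Split a CSP value into {directive: [sources]}; directives are ';'-separated."""
    out: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            out[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return out


def check_hsts(value: str) -> List[str]:
    findings = []
    m = re.search(r"max-age\s*=\s*(\d+)", value, re.I)
    if not m:
        findings.append("HSTS: missing max-age directive")
    elif int(m.group(1)) < HSTS_MIN_MAX_AGE:
        findings.append(f"HSTS: max-age {m.group(1)} below {HSTS_MIN_MAX_AGE}")
    if "includesubdomains" not in value.lower():
        findings.append("HSTS: includeSubDomains not set")
    return findings


def check_csp(value: str) -> List[str]:
    findings = []
    d = parse_directives(value)
    # script-src falls back to default-src when absent, as the CSP spec defines.
    script = d.get("script-src", d.get("default-src"))
    if script is None:
        findings.append("CSP: no script-src or default-src, scripts unrestricted")
    else:
        if "'unsafe-inline'" in script:
            findings.append("CSP: 'unsafe-inline' in script sources")
        if "*" in script:
            findings.append("CSP: wildcard script source")
    if "object-src" not in d and "default-src" not in d:
        findings.append("CSP: object-src unrestricted")
    return findings


def check_hpkp(value: str) -> List[str]:
    findings = []
    pins = re.findall(r'pin-sha256\s*=\s*"[^"]+"', value, re.I)
    if len(pins) < 2:  # RFC 7469 requires a backup pin in addition to the live one
        findings.append("HPKP: fewer than two pins")
    if not re.search(r"max-age\s*=\s*\d+", value, re.I):
        findings.append("HPKP: missing max-age")
    return findings


def check_xfo(value: str) -> List[str]:
    if value.upper() not in ("DENY", "SAMEORIGIN"):
        return [f"X-Frame-Options: unexpected value {value!r}"]
    return []


CHECKS: Dict[str, Callable[[str], List[str]]] = {
    "strict-transport-security": check_hsts,
    "content-security-policy": check_csp,
    "public-key-pins": check_hpkp,
    "x-frame-options": check_xfo,
}


def assess(headers: Dict[str, str]) -> Dict[str, object]:
    """Return present headers, findings and an assumed 0-100 score."""
    h = normalise(headers)
    present: List[str] = []
    findings: List[str] = []
    score = 0
    for name in SECURITY_HEADERS:
        if name not in h:
            findings.append(f"{name}: not set")
            continue
        present.append(name)
        f = CHECKS[name](h[name])
        findings.extend(f)
        score += 25 if not f else 10  # assumed rubric: full marks only when clean
    return {"present": present, "findings": findings, "score": score}


# Constructed sample responses (hypothetical hosts, not real scan data).
SAMPLES = {
    "strong.example": {
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
        "Content-Security-Policy": "default-src 'self'; script-src 'self' https://cdn.example; object-src 'none'",
        "X-Frame-Options": "DENY",
    },
    "weak.example": {
        "Strict-Transport-Security": "max-age=300",
        "Content-Security-Policy": "default-src * 'unsafe-inline'",
        "X-Frame-Options": "ALLOW-FROM https://partner.example",
    },
    "none.example": {"Content-Type": "text/html"},
}

if __name__ == "__main__":
    for host, hdrs in SAMPLES.items():
        result = assess(hdrs)
        print(host, result["score"], result["findings"])
```

A presence-only count would rate `weak.example` the same as `strong.example` (three of four headers each); the per-header checks are what separate them. HPKP is kept because the abstract lists it, but major browsers have since removed support for it, so its presence today says little about a site's protection.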

http://iet.metastore.ingenta.com/content/journals/10.1049/iet-ifs.2016.0621