© The Institution of Engineering and Technology
With the increase in the number of threats to web-based systems, a more integrated approach is required to enforce security policies from the server through to the client. These policies aim to mitigate man-in-the-middle attacks, script injection and clickjacking. This study analyses some of the newest security options carried in HTTP responses, and scans the Alexa Top 1 Million sites for their presence in HTTP responses. The headers scanned for are content security policy (CSP), public key pinning extension for HTTP (HPKP), HTTP strict transport security (HSTS) and the X-Frame-Options header field, in order to understand the extent to which the most popular websites deploy them. The results show that, while deployment of these headers is increasing, many of the top sites still do not send them. Along with this, the study profiles the adoption of Let's Encrypt digital certificates across the one million sites, and proposes a way of assessing the quality of the security headers a site sends.
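The kind of header check the abstract describes, as an added example that is not code from the paper: a small Python scorer that parses a raw HTTP response head and rates each of the four headers (HSTS, CSP, HPKP, X-Frame-Options), flagging the settings a practitioner would treat as weak. The two constructed sample responses, the one-year HSTS threshold, the two-points-per-header scale and the list of weak CSP source expressions are this editor's assumptions, not the paper's own quality metric.

```python
"""Rate HSTS, CSP, HPKP and X-Frame-Options in an HTTP response head.
Added example; thresholds and point values are assumptions, not the paper's."""
import re

HSTS_MIN_AGE = 31536000  # one year; assumed threshold, matches common preload guidance
UNSAFE_SCRIPT_SOURCES = {"'unsafe-inline'", "'unsafe-eval'", "*", "http:", "https:", "data:"}


def parse_response_head(raw: str) -> dict:
    """Parse a raw HTTP/1.x response into {lower-cased name: [values]}.
    Only the status line and header block are read; any body is ignored.
    Repeated headers stay separate, since each CSP header is its own policy."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.split("\n")
    if not lines[0].startswith("HTTP/"):
        raise ValueError("not an HTTP response")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def csp_directives(policy: str) -> dict:
    """Split one CSP policy into {directive: [source tokens]}, lower-cased."""
    out = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            out[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return out


def assess_hsts(values):
    if not values:
        return 0, ["HSTS missing: an http:// request can be intercepted before the redirect"]
    m = re.search(r"max-age\s*=\s*(\d+)", values[0], re.I)
    if not m or int(m.group(1)) == 0:
        return 0, ["HSTS has no positive max-age, so browsers ignore it"]
    findings = []
    if int(m.group(1)) < HSTS_MIN_AGE:
        findings.append(f"HSTS max-age={m.group(1)} is below one year")
    if "includesubdomains" not in values[0].lower():
        findings.append("HSTS lacks includeSubDomains: subdomains stay downgradable")
    return (2 if not findings else 1), findings


def assess_csp(enforced, report_only):
    if not enforced:
        if report_only:
            return 0, ["CSP only in Report-Only mode: violations are reported, not blocked"]
        return 0, ["CSP missing: injected script is unrestricted"]
    findings = []
    for policy in enforced:
        d = csp_directives(policy)
        script = d.get("script-src", d.get("default-src"))
        if script is None:
            findings.append("CSP has neither script-src nor default-src")
        else:
            nonce_or_hash = any(t.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for t in script)
            for t in script:
                if t == "'unsafe-inline'" and nonce_or_hash:
                    continue  # CSP level 2+ browsers ignore it once a nonce/hash is present
                if t in UNSAFE_SCRIPT_SOURCES:
                    findings.append(f"CSP script sources allow {t}")
        if "object-src" not in d and "default-src" not in d:
            findings.append("CSP lacks object-src: plugin content can run script")
    return (2 if not findings else 1), findings


def assess_hpkp(values):
    if not values:
        return 0, ["HPKP missing"]
    pins = re.findall(r'pin-sha256="([^"]+)"', values[0])
    if len(pins) < 2 or not re.search(r"max-age\s*=\s*\d+", values[0], re.I):
        return 0, ["HPKP needs two pins (one backup) and max-age, else it is ignored (RFC 7469)"]
    return 2, []


def assess_xfo(values, enforced_csp):
    if any("frame-ancestors" in csp_directives(p) for p in enforced_csp):
        return 2, []  # CSP frame-ancestors takes precedence over X-Frame-Options
    if not values:
        return 0, ["no X-Frame-Options or frame-ancestors: page can be framed (clickjacking)"]
    if len(values) > 1:
        return 0, ["multiple X-Frame-Options values: browsers resolve the conflict differently"]
    v = values[0].upper()
    if v in ("DENY", "SAMEORIGIN"):
        return 2, []
    if v.startswith("ALLOW-FROM"):
        return 1, ["X-Frame-Options ALLOW-FROM is not honoured by most browsers"]
    return 0, [f"invalid X-Frame-Options value {values[0]!r} is ignored"]


def assess(raw: str) -> dict:
    """Return {'score': n out of 8, 'points': per header, 'findings': [...]}."""
    h = parse_response_head(raw)
    csp = h.get("content-security-policy", [])
    results = {
        "hsts": assess_hsts(h.get("strict-transport-security", [])),
        "csp": assess_csp(csp, h.get("content-security-policy-report-only", [])),
        "hpkp": assess_hpkp(h.get("public-key-pins", [])),
        "xfo": assess_xfo(h.get("x-frame-options", []), csp),
    }
    return {"score": sum(p for p, _ in results.values()),
            "points": {k: p for k, (p, _) in results.items()},
            "findings": [f for _, fs in results.values() for f in fs]}


# Constructed sample responses, not captured from any real site.
WEAK_RESPONSE = ("HTTP/1.1 200 OK\r\n"
                 "Strict-Transport-Security: max-age=300\r\n"
                 "Content-Security-Policy: default-src 'self' 'unsafe-inline' *\r\n"
                 "X-Frame-Options: ALLOW-FROM https://partner.example\r\n"
                 "\r\n<html>...</html>")
STRONG_RESPONSE = ("HTTP/1.1 200 OK\r\n"
                   "Strict-Transport-Security: max-age=63072000; includeSubDomains; preload\r\n"
                   "Content-Security-Policy: default-src 'none'; script-src 'nonce-r4nd0m' 'strict-dynamic'; "
                   "object-src 'none'; frame-ancestors 'none'\r\n"
                   'Public-Key-Pins: pin-sha256="PLACEHOLDER_PRIMARY="; pin-sha256="PLACEHOLDER_BACKUP="; max-age=5184000\r\n'
                   "X-Frame-Options: DENY\r\n\r\n")

if __name__ == "__main__":
    for name, resp in (("weak", WEAK_RESPONSE), ("strong", STRONG_RESPONSE)):
        r = assess(resp)
        print(f"{name}: {r['score']}/8 {r['points']}")
        for f in r["findings"]:
            print("  -", f)
```

Run stand-alone, the weak response scores 3/8 with six findings and the strong one 8/8. Two caveats worth carrying into any real scan: a CSP sent only as Content-Security-Policy-Report-Only blocks nothing, so it should not count as deployed, and HPKP is scored here only because the study measured it; major browsers have since removed support for the header, so a pin today is a deployment risk rather than a protection.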