Analysis of the adoption of security headers in HTTP

With the increase in the number of threats to web-based systems, a more integrated approach is required to ensure that security policies are enforced from the server to the client. These policies aim to stop man-in-the-middle attacks, code injection, and similar attacks. This study analyses some of the newest security options used within HTTP responses and scans the Alexa Top 1 Million sites for their implementation within HTTP responses. The options scanned for are: content security policy, public key pinning extension for HTTP, HTTP strict transport security, and the HTTP header field X-Frame-Options, in order to understand the impact that these options have on the most popular websites. The results show that, while adoption of these headers is increasing, many of the top sites still do not implement them. The study also profiles the adoption of Let's Encrypt digital certificates across the one million sites and presents a way of assessing the quality of the security headers.
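As an added example (not the paper's own scanner or quality metric), the following assesses the four response headers the study scans for and flags weak settings; the thresholds and the sample header set are this example's own assumptions.

```python
# Added example, not the paper's own scanner: a quality check over the four
# response headers the study scans for. Thresholds are this example's assumptions.
from typing import Dict, List

def _directives(value: str) -> Dict[str, str]:
    """'max-age=3; includeSubDomains' -> {'max-age': '3', 'includesubdomains': ''}"""
    pairs = (p.strip().partition("=") for p in value.split(";") if p.strip())
    return {k.strip().lower(): v.strip().strip('"') for k, _, v in pairs}

def _hsts(v: str) -> List[str]:
    d, f = _directives(v), []
    max_age = int(d["max-age"]) if d.get("max-age", "").isdigit() else 0
    if max_age < 15552000:                      # 180 days, assumed minimum
        f.append(f"max-age {max_age} below 180 days")
    if "includesubdomains" not in d:
        f.append("no includeSubDomains")
    return f

def _csp(v: str) -> List[str]:
    dirs = {t[0].lower(): [s.lower() for s in t[1:]]
            for t in (p.split() for p in v.split(";")) if t}
    # script-src falls back to default-src; neither present means scripts are unrestricted
    script = dirs.get("script-src", dirs.get("default-src", ["*"]))
    return [f"script sources allow {w}" for w in ("'unsafe-inline'", "'unsafe-eval'", "*") if w in script]

def _hpkp(v: str) -> List[str]:
    pins = [p for p in v.split(";") if p.strip().lower().startswith("pin-sha256")]
    return [] if len(pins) >= 2 else ["fewer than two pins (RFC 7469 requires a backup pin)"]

def _xfo(v: str) -> List[str]:
    return [] if v.upper() in ("DENY", "SAMEORIGIN") else [f"unrecognised value {v!r}"]

CHECKS = {"strict-transport-security": _hsts, "content-security-policy": _csp,
          "public-key-pins": _hpkp, "x-frame-options": _xfo}

def assess_headers(headers: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each scanned header to findings: [] is present and clean, ['missing'] is absent."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    return {name: (["missing"] if name not in h else check(h[name])) for name, check in CHECKS.items()}

# Constructed sample response (not a real site): present but weak headers
SAMPLE = {"Strict-Transport-Security": "max-age=300",
          "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
          "X-Frame-Options": "ALLOWALL"}
```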

Inspec keywords: transport protocols; public key cryptography; Web sites; hypermedia

Other keywords: HTTP header field X-frame-options; HTTP responses; Web-based systems; code injection; content security policy; HTTP strict transport security; security policies enforcement; man-in-the-middle attacks; public key pinning extension; Let's Encrypt digital certificates; Websites; security header adoption

Subjects: Information networks; Data security

http://iet.metastore.ingenta.com/content/journals/10.1049/iet-ifs.2016.0621