Secure inspection of web transactions

Research output: Contribution to journal › Article › Scientific › peer-review

2 Citations (Scopus)

Abstract

Web transactions are vulnerable to attacks where malicious software has infected the browser or where a root certifier has been compromised. As a countermeasure, we intercept HTTPS traffic in order to authorise certifiers as well as to inspect, verify and complement transactions securely. The interception and inspection are done in a trusted device, outside the potentially compromised PC and browser. We propose a novel and flexible mechanism for controlling interception dynamically with directives embedded into HTML documents. We limit the authority of root certifiers over critical services with site-specific certification rules. We propose different models for realising the interceptor concept. The feasibility of the proposals is demonstrated by implementing and deploying interception into a USB gadget and a mobile phone.
Original language: English
Pages (from-to): 253-271
Number of pages: 14
Journal: International Journal of Internet Technology and Secured Transactions
Volume: 4
Issue number: 4
DOIs: 10.1504/IJITST.2012.054058
Publication status: Published - 2012
MoE publication type: A1 Journal article-refereed

Keywords

  • WWW
  • internet
  • secure transactions
  • banking
  • authentication
  • weak certification
  • interceptor
  • man-in-the-browser
  • web transactions
  • transaction security
  • HTTPS traffic interception
  • interception control
  • embedded systems
  • HTML documents
  • root certifiers
  • malware
  • USB devices
  • mobile phones
  • cell phones
  • financial transactions

Cite this

@article{aa4a9915b72946a981e3571236553d0b,
title = "Secure inspection of web transactions",
abstract = "Web transactions are vulnerable for attacks where malicious software has infected a browser or where a root certifier has been compromised. As a countermeasure, we intercept HTTPS traffic in order to authorise certifiers as well as to inspect, verify and complement transactions securely. The interception and inspection is done in a trusted device, outside potentially compromised PC and browser. We propose a novel and flexible mechanism for controlling interception dynamically with directives embedded into HTML documents. We limit the authority of root certifiers over critical services with site-specific certification rules. We propose different models for realising the interceptor concept. The feasibility of the proposals is demonstrated by implementing and deploying interception into a USB gadget and a mobile phone.",
keywords = "WWW, internet, secure transactions, banking, authentication, weak certification, interceptor, man-in-the-browser, web transactions, transaction security, HTTPS traffic interception, interception control, embedded systems, HTML documents, root certifiers, malware, USB devices, mobile phones, cell phones, financial transactions",
author = "Mika Rautila and Jani Suomalainen",
note = "Project code: 75161",
year = "2012",
doi = "10.1504/IJITST.2012.054058",
language = "English",
volume = "4",
pages = "253--271",
journal = "International Journal of Internet Technology and Secured Transactions",
issn = "1748-569X",
publisher = "Inderscience Publishers",
number = "4",
}

Secure inspection of web transactions. / Rautila, Mika; Suomalainen, Jani.

In: International Journal of Internet Technology and Secured Transactions, Vol. 4, No. 4, 2012, p. 253-271.


TY  - JOUR
T1  - Secure inspection of web transactions
AU  - Rautila, Mika
AU  - Suomalainen, Jani
N1  - Project code: 75161
PY  - 2012
Y1  - 2012
N2  - Web transactions are vulnerable for attacks where malicious software has infected a browser or where a root certifier has been compromised. As a countermeasure, we intercept HTTPS traffic in order to authorise certifiers as well as to inspect, verify and complement transactions securely. The interception and inspection is done in a trusted device, outside potentially compromised PC and browser. We propose a novel and flexible mechanism for controlling interception dynamically with directives embedded into HTML documents. We limit the authority of root certifiers over critical services with site-specific certification rules. We propose different models for realising the interceptor concept. The feasibility of the proposals is demonstrated by implementing and deploying interception into a USB gadget and a mobile phone.
AB  - Web transactions are vulnerable for attacks where malicious software has infected a browser or where a root certifier has been compromised. As a countermeasure, we intercept HTTPS traffic in order to authorise certifiers as well as to inspect, verify and complement transactions securely. The interception and inspection is done in a trusted device, outside potentially compromised PC and browser. We propose a novel and flexible mechanism for controlling interception dynamically with directives embedded into HTML documents. We limit the authority of root certifiers over critical services with site-specific certification rules. We propose different models for realising the interceptor concept. The feasibility of the proposals is demonstrated by implementing and deploying interception into a USB gadget and a mobile phone.
KW  - WWW
KW  - internet
KW  - secure transactions
KW  - banking
KW  - authentication
KW  - weak certification
KW  - interceptor
KW  - man-in-the-browser
KW  - web transactions
KW  - transaction security
KW  - HTTPS traffic interception
KW  - interception control
KW  - embedded systems
KW  - HTML documents
KW  - root certifiers
KW  - malware
KW  - USB devices
KW  - mobile phones
KW  - cell phones
KW  - financial transactions
U2  - 10.1504/IJITST.2012.054058
DO  - 10.1504/IJITST.2012.054058
M3  - Article
VL  - 4
SP  - 253
EP  - 271
JO  - International Journal of Internet Technology and Secured Transactions
JF  - International Journal of Internet Technology and Secured Transactions
SN  - 1748-569X
IS  - 4
ER  -