Abstract
Web transactions are vulnerable for attacks where malicious software has infected a browser or where a root certifier has been compromised. As a countermeasure, we intercept HTTPS traffic in order to authorise certifiers as well as to inspect, verify and complement transactions securely. The interception and inspection is done in a trusted device, outside potentially compromised PC and browser. We propose a novel and flexible mechanism for controlling interception dynamically with directives embedded into HTML documents. We limit the authority of root certifiers over critical services with site-specific certification rules. We propose different models for realising the interceptor concept. The feasibility of the proposals is demonstrated by implementing and deploying interception into a USB gadget and a mobile phone.
Original language | English |
---|---|
Pages (from-to) | 253-271 |
Journal | International Journal of Internet Technology and Secured Transactions |
Volume | 4 |
Issue number | 4 |
DOIs | |
Publication status | Published - 2012 |
MoE publication type | A1 Journal article-refereed |
Keywords
- WWW
- internet
- secure transactions
- banking
- authentication
- weak certification
- interceptor
- man-in-the-browser
- web transactions
- transaction security
- HTTPS traffic interception
- interception control
- embedded systems
- HTML documents
- root certifiers
- malware
- USB devices
- mobile phones
- cell phones
- financial transactions