Secure inspection of web transactions

    Research output: Contribution to journal › Article › Scientific › peer-review

    2 Citations (Scopus)

    Abstract

    Web transactions are vulnerable to attacks where malicious software has infected the browser or where a root certifier has been compromised. As a countermeasure, we intercept HTTPS traffic in order to authorise certifiers as well as to inspect, verify and complement transactions securely. The interception and inspection are done in a trusted device, outside the potentially compromised PC and browser. We propose a novel and flexible mechanism for controlling interception dynamically with directives embedded into HTML documents. We limit the authority of root certifiers over critical services with site-specific certification rules. We propose different models for realising the interceptor concept. The feasibility of the proposals is demonstrated by implementing and deploying interception into a USB gadget and a mobile phone.
    Original language: English
    Pages (from-to): 253-271
    Number of pages: 14
    Journal: International Journal of Internet Technology and Secured Transactions
    Volume: 4
    Issue number: 4
    DOI: 10.1504/IJITST.2012.054058
    Publication status: Published - 2012
    MoE publication type: A1 Journal article-refereed

    Fingerprint

    HTML
    Mobile phones
    Inspection
    Malware

    Keywords

    • WWW
    • internet
    • secure transactions
    • banking
    • authentication
    • weak certification
    • interceptor
    • man-in-the-browser
    • web transactions
    • transaction security
    • HTTPS traffic interception
    • interception control
    • embedded systems
    • HTML documents
    • root certifiers
    • malware
    • USB devices
    • mobile phones
    • cell phones
    • financial transactions

    Cite this

    @article{aa4a9915b72946a981e3571236553d0b,
    title = "Secure inspection of web transactions",
    abstract = "Web transactions are vulnerable for attacks where malicious software has infected a browser or where a root certifier has been compromised. As a countermeasure, we intercept HTTPS traffic in order to authorise certifiers as well as to inspect, verify and complement transactions securely. The interception and inspection is done in a trusted device, outside potentially compromised PC and browser. We propose a novel and flexible mechanism for controlling interception dynamically with directives embedded into HTML documents. We limit the authority of root certifiers over critical services with site-specific certification rules. We propose different models for realising the interceptor concept. The feasibility of the proposals is demonstrated by implementing and deploying interception into a USB gadget and a mobile phone.",
    keywords = "WWW, internet, secure transactions, banking, authentication, weak certification, interceptor, man-in-the-browser, web transactions, transaction security, HTTPS traffic interception, interception control, embedded systems, HTML documents, root certifiers, malware, USB devices, mobile phones, cell phones, financial transactions",
    author = "Mika Rautila and Jani Suomalainen",
    note = "Project code: 75161",
    year = "2012",
    doi = "10.1504/IJITST.2012.054058",
    language = "English",
    volume = "4",
    pages = "253--271",
    journal = "International Journal of Internet Technology and Secured Transactions",
    issn = "1748-569X",
    publisher = "Inderscience Publishers",
    number = "4",
    }
