Secure inspection of web transactions

Mika Rautila; Jani Suomalainen

doi:10.1504/IJITST.2012.054058

Secure inspection of web transactions

Mika Rautila
, Jani Suomalainen

Research output: Contribution to journal › Article › Scientific › peer-review

4 Citations (Scopus)

Abstract

Web transactions are vulnerable for attacks where malicious software has infected a browser or where a root certifier has been compromised. As a countermeasure, we intercept HTTPS traffic in order to authorise certifiers as well as to inspect, verify and complement transactions securely. The interception and inspection is done in a trusted device, outside potentially compromised PC and browser. We propose a novel and flexible mechanism for controlling interception dynamically with directives embedded into HTML documents. We limit the authority of root certifiers over critical services with site-specific certification rules. We propose different models for realising the interceptor concept. The feasibility of the proposals is demonstrated by implementing and deploying interception into a USB gadget and a mobile phone.

Original language	English
Pages (from-to)	253-271
Journal	International Journal of Internet Technology and Secured Transactions
Volume	4
Issue number	4
DOIs	https://doi.org/10.1504/IJITST.2012.054058
Publication status	Published - 2012
MoE publication type	A1 Journal article-refereed

Funding

Project code: 75161

Keywords

WWW
internet
secure transactions
banking
authentication
weak certification
interceptor
man-in-the-browser
web transactions
transaction security
HTTPS traffic interception
interception control
embedded systems
HTML documents
root certifiers
malware
USB devices
mobile phones
cell phones
financial transactions

Access to Document

10.1504/IJITST.2012.054058

Cite this

@article{aa4a9915b72946a981e3571236553d0b,

title = "Secure inspection of web transactions",

abstract = "Web transactions are vulnerable for attacks where malicious software has infected a browser or where a root certifier has been compromised. As a countermeasure, we intercept HTTPS traffic in order to authorise certifiers as well as to inspect, verify and complement transactions securely. The interception and inspection is done in a trusted device, outside potentially compromised PC and browser. We propose a novel and flexible mechanism for controlling interception dynamically with directives embedded into HTML documents. We limit the authority of root certifiers over critical services with site-specific certification rules. We propose different models for realising the interceptor concept. The feasibility of the proposals is demonstrated by implementing and deploying interception into a USB gadget and a mobile phone.",

keywords = "WWW, internet, secure transactions, banking, authentication, weak certification, interceptor, man-in-the-browser, web transactions, transaction security, HTTPS traffic interception, interception control, embedded systems, HTML documents, root certifiers, malware, USB devices, mobile phones, cell phones, financial transactions",

author = "Mika Rautila and Jani Suomalainen",

year = "2012",

doi = "10.1504/IJITST.2012.054058",

language = "English",

volume = "4",

pages = "253--271",

journal = "International Journal of Internet Technology and Secured Transactions",

issn = "1748-569X",

publisher = "Inderscience Publishers",

number = "4",

}

TY - JOUR

T1 - Secure inspection of web transactions

AU - Rautila, Mika

AU - Suomalainen, Jani

PY - 2012

Y1 - 2012

N2 - Web transactions are vulnerable for attacks where malicious software has infected a browser or where a root certifier has been compromised. As a countermeasure, we intercept HTTPS traffic in order to authorise certifiers as well as to inspect, verify and complement transactions securely. The interception and inspection is done in a trusted device, outside potentially compromised PC and browser. We propose a novel and flexible mechanism for controlling interception dynamically with directives embedded into HTML documents. We limit the authority of root certifiers over critical services with site-specific certification rules. We propose different models for realising the interceptor concept. The feasibility of the proposals is demonstrated by implementing and deploying interception into a USB gadget and a mobile phone.

AB - Web transactions are vulnerable for attacks where malicious software has infected a browser or where a root certifier has been compromised. As a countermeasure, we intercept HTTPS traffic in order to authorise certifiers as well as to inspect, verify and complement transactions securely. The interception and inspection is done in a trusted device, outside potentially compromised PC and browser. We propose a novel and flexible mechanism for controlling interception dynamically with directives embedded into HTML documents. We limit the authority of root certifiers over critical services with site-specific certification rules. We propose different models for realising the interceptor concept. The feasibility of the proposals is demonstrated by implementing and deploying interception into a USB gadget and a mobile phone.

KW - WWW

KW - internet

KW - secure transactions

KW - banking

KW - authentication

KW - weak certification

KW - interceptor

KW - man-in-the-browser

KW - web transactions

KW - transaction security

KW - HTTPS traffic interception

KW - interception control

KW - embedded systems

KW - HTML documents

KW - root certifiers

KW - malware

KW - USB devices

KW - mobile phones

KW - cell phones

KW - financial transactions

U2 - 10.1504/IJITST.2012.054058

DO - 10.1504/IJITST.2012.054058

M3 - Article

SN - 1748-569X

VL - 4

SP - 253

EP - 271

JO - International Journal of Internet Technology and Secured Transactions

JF - International Journal of Internet Technology and Secured Transactions

IS - 4

ER -

Secure inspection of web transactions

Abstract

Funding

Keywords

Access to Document

Fingerprint

Cite this