Abstract
In this paper, we investigate the current state of practice regarding mixed-content websites: websites that are accessed over HTTPS yet include some additional resources over plain HTTP. Through a large-scale experiment, we show that about half of the Internet’s most popular websites currently use this practice and are thus vulnerable to a wide range of attacks, including the theft of cookies and the injection of malicious JavaScript in the context of the vulnerable websites. Additionally, we investigate the default behavior of browsers on mobile devices and show that most of them allow the rendering of mixed content by default, which means that hundreds of thousands of mobile users are currently vulnerable to MITM attacks.
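The classification the abstract relies on, as an added example that is not part of the paper or its measurement code: a small scanner that takes the HTML of a page served over HTTPS, resolves every subresource URL against the page URL, and reports those fetched over plain HTTP, split into "active" inclusions (scripts, stylesheets, frames, plugins, which give a network attacker code execution in the page's origin and thus access to its cookies and DOM) and "passive" ones (images and media, which an attacker can only replace). The tag and attribute names are standard HTML; the sample page and the host names in it are constructed for this example.

```javascript
// Added example, not code from the paper: a minimal mixed-content scanner of the
// kind used to flag HTTPS pages that pull in HTTP subresources. The sample page
// below is constructed for this example; the host names are not real sites.

// Elements whose insecure inclusion is "active": a MITM who rewrites the HTTP
// response gets script execution (or CSS/plugin control) inside the HTTPS origin.
const ACTIVE = new Set(["script", "iframe", "object", "embed", "link"]);
// Elements whose insecure inclusion is "passive": the attacker can only swap what is shown.
const PASSIVE = new Set(["img", "audio", "video", "source"]);

// Deliberately simple tag scanner (no DOM dependency): opening tag plus its attributes.
const TAG_RE = /<(script|iframe|object|embed|link|img|audio|video|source)\b([^>]*)>/gi;
// First URL-carrying attribute in the tag: src, href, or data (for <object>).
const ATTR_RE = /\b(src|href|data)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i;

function findMixedContent(html, pageUrl) {
  const page = new URL(pageUrl);
  const findings = [];
  // Only a page delivered over HTTPS can have mixed content.
  if (page.protocol !== "https:") return findings;
  TAG_RE.lastIndex = 0;
  let m;
  while ((m = TAG_RE.exec(html)) !== null) {
    const tag = m[1].toLowerCase();
    const attrs = m[2];
    // <link> is counted for stylesheets only; other rel values (icon, preload, ...) are skipped here.
    if (tag === "link" && !/\brel\s*=\s*["']?stylesheet\b/i.test(attrs)) continue;
    const a = ATTR_RE.exec(attrs);
    if (!a) continue;
    const raw = a[2] !== undefined ? a[2] : a[3] !== undefined ? a[3] : a[4];
    let resolved;
    try {
      // Relative and protocol-relative ("//cdn/...") URLs inherit the page's https: scheme.
      resolved = new URL(raw, page);
    } catch (e) {
      continue; // unparsable URL: the browser would fetch nothing
    }
    // https:, data:, blob: and similar schemes are not mixed content; only http: is.
    if (resolved.protocol !== "http:") continue;
    findings.push({
      tag,
      url: resolved.href,
      kind: ACTIVE.has(tag) ? "active" : PASSIVE.has(tag) ? "passive" : "other",
    });
  }
  return findings;
}

// Count findings per class; one "active" hit is enough for a MITM to take over the page.
function summarize(findings) {
  const out = { active: 0, passive: 0 };
  for (const f of findings) out[f.kind] = (out[f.kind] || 0) + 1;
  return out;
}

// Constructed sample page (not a real site), assumed to be served from https://shop.example/checkout.
const SAMPLE_HTML = `<html><head>
<link rel="stylesheet" href="http://cdn.example/site.css">
<link rel="icon" href="http://cdn.example/favicon.ico">
<script src="https://cdn.example/app.js"></script>
<script src="http://analytics.example/track.js"></script>
<script src="//cdn.example/vendor.js"></script>
<script src="/local.js"></script>
</head><body>
<img src="http://img.example/banner.png">
<img src="data:image/png;base64,AAAA">
<iframe src="http://ads.example/frame.html"></iframe>
</body></html>`;

function scanSample() {
  return findMixedContent(SAMPLE_HTML, "https://shop.example/checkout");
}

if (typeof require !== "undefined" && require.main === module) {
  const findings = scanSample();
  for (const f of findings) console.log(`${f.kind.padEnd(7)} <${f.tag}> ${f.url}`);
  console.log(summarize(findings));
}
```

On the sample page the scanner reports three active inclusions (the stylesheet, the analytics script and the ad frame) and one passive one (the banner image); the protocol-relative and root-relative scripts resolve to https: and are correctly left out. A crawler that renders pages would also have to follow inclusions made from JavaScript at runtime, which this static pass cannot see.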
Notes
1. Safari and Opera hold 8.39% and 1.03% market share respectively, according to StatCounter’s usage share statistics for desktop browsers for June 2013 [6].
References
Add support for Mixed Content Blocking - Android. https://bugzilla.mozilla.org/show_bug.cgi?id=860581
BeEF - The Browser Exploitation Framework Project. http://beefproject.com/
Bing Search API. http://datamarket.azure.com/dataset/bing/search
“Only secure content is displayed” notification in Internet Explorer 9 or later. http://support.microsoft.com/kb/2625928
StatCounter. http://statcounter.com/
Internet Explorer 8 Mixed Content Handling (2009). http://msdn.microsoft.com/en-us/library/ee264315(v=vs.85).aspx
Ending mixed scripting vulnerabilities (2012). http://blog.chromium.org/2012/08/ending-mixed-scripting-vulnerabilities.html
Mixed content blocking enabled in Firefox 23! (2013). https://blog.mozilla.org/tanvi/2013/04/10/mixed-content-blocking-enabled-in-firefox-23/
Al Fardan, N.J., Paterson, K.G.: Lucky Thirteen: breaking the TLS and DTLS record protocols. In: IEEE Symposium on Security and Privacy, SP 2013, pp. 526–540 (2013)
Amrutkar, C., Traynor, P., van Oorschot, P.C.: Measuring SSL indicators on mobile browsers: extended life, or end of the road? In: Gollmann, D., Freiling, F.C. (eds.) ISC 2012. LNCS, vol. 7483, pp. 86–103. Springer, Heidelberg (2012)
Barth, A., Jackson, C., Mitchell, J.C.: Robust defenses for cross-site request forgery. In: Proceedings of the 15th ACM Conference on Computer and Communications Security, CCS 2008, pp. 75–88. ACM, New York, NY, USA (2008)
Clark, J., van Oorschot, P.C.: SoK: SSL and HTTPS: revisiting past challenges and evaluating certificate trust model enhancements. In: IEEE Symposium on Security and Privacy, SP 2013, pp. 511–525 (2013)
Heiderich, M., Niemietz, M., Schuster, F., Holz, T., Schwenk, J.: Scriptless attacks: stealing the pie without touching the sill. In: Proceedings of the 2012 ACM Conference on Computer and Communications Security, CCS 2012, pp. 760–771. ACM, New York, NY, USA (2012)
Hodges, J., Jackson, C., Barth, A.: HTTP Strict Transport Security (HSTS). IETF RFC (2012)
Marlinspike, M.: New Tricks for Defeating SSL in Practice. Black Hat (2009)
McAfee: TrustedSource Web Database. https://www.trustedsource.org/en/feedback/url
Nikiforakis, N., Invernizzi, L., Kapravelos, A., van Acker, S., Joosen, W., Kruegel, C., Piessens, F., Vigna, G.: You are what you include: large-scale evaluation of remote JavaScript inclusions. In: Proceedings of the 2012 ACM Conference on Computer and Communications Security, CCS 2012, pp. 736–747. ACM, New York, NY, USA (2012)
Rizzo, J., Duong, T.: CRIME: Compression Ratio Info-leak Made Easy. In: ekoparty Security Conference (2012)
Stamm, S., Sterne, B., Markham, G.: Reining in the web with Content Security Policy. In: Proceedings of the 19th International Conference on World Wide Web, WWW 2010, pp. 921–930. ACM, New York, NY, USA (2010)
Sunshine, J., Egelman, S., Almuhimedi, H., Atri, N., Cranor, L.F.: Crying Wolf: an empirical study of SSL warning effectiveness. In: Proceedings of the 18th USENIX Security Symposium, pp. 399–416 (2009)
Acknowledgements
This research was partially funded by the Research Fund KU Leuven, iMinds, IWT, and the EU FP7 projects WebSand, NESSoS and STREWS, with financial support from the Prevention of and Fight against Crime Programme of the European Union (B-CCENTRE).
Copyright information
© 2015 Springer International Publishing Switzerland
About this paper
Cite this paper
Chen, P., Nikiforakis, N., Huygens, C., Desmet, L. (2015). A Dangerous Mix: Large-Scale Analysis of Mixed-Content Websites. In: Desmedt, Y. (ed.) Information Security. Lecture Notes in Computer Science, vol. 7807. Springer, Cham. https://doi.org/10.1007/978-3-319-27659-5_25
DOI: https://doi.org/10.1007/978-3-319-27659-5_25
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-27658-8
Online ISBN: 978-3-319-27659-5
eBook Packages: Computer Science (R0)