dc.description.abstract | As the Internet was initially invented without security in mind, no means of secure communication over an untrusted network existed. After years of research, the TLS protocol became the Internet
standard for secure end-to-end communication. Today, version 1.2 of TLS is the standard for web security, and the protocol provides authentication and ensures confidentiality and integrity.
However, as TLSv1.2 is the most common way of implementing web application security, new attacks are continuously being discovered in attempts to break the protocol. One of these attacks is the truncation
attack discovered by Smyth and Pironti in 2013. This attack was focused around truncating TLS connections between a user and a web application server. By exploiting application logic flaws found in a
selection of web applications, Smyth and Pironti were able to cast votes on behalf of honest voters in an online voting system, take full control of Hotmail accounts, and gain temporary control of Google accounts.
Now, three years later, these attacks have been recreated in this report. By reviewing the sign-out procedures for these applications and reproducing the attacks, it appeared that the application logic flaw still exists in the
online voting system, but the truncation attack is only possible when a user is using certain setups. In particular, it appears that only certain web browsers allow this sort of attack.
Due to poor handling of TLS termination modes, many modern web browsers are still susceptible to truncation attacks, and it remains up to the individual web developer to thwart these types of attacks by avoiding
application logic flaws that can be exploited. | |