Paper 2019/1099

On the Feasibility of Fine-Grained TLS Security Configurations in Web Browsers Based on the Requested Domain Name

Eman Salem Alashwali and Kasper Rasmussen

Abstract

Most modern web browsers today sacrifice optimal TLS security for backward compatibility. They apply coarse-grained TLS configurations that support (by default) legacy versions of the protocol that have known design weaknesses, and weak ciphersuites that provide fewer security guarantees (e.g. non Forward Secrecy), and silently fall back to them if the server selects to. This introduces various risks including downgrade attacks such as the POODLE attack that exploits the browsers silent fallback mechanism to downgrade the protocol version in order to exploit the legacy version flaws. To achieve a better balance between security and backward compatibility, we propose a mechanism for fine-grained TLS configurations in web browsers based on the sensitivity of the domain name in the HTTPS request using a white listing technique. That is, the browser enforces optimal TLS configurations for connections going to sensitive domains while enforcing default configurations for the rest of the connections. We demonstrate the feasibility of our proposal by implementing a proof-of-concept as a Firefox browser extension. We envision this mechanism as a built-in security feature in web browsers, e.g. a button similar to the “Bookmark” button in Firefox browsers and as a standardised HTTP header, to augment browsers security.

Metadata
Available format(s)
PDF
Category
Applications
Publication info
Published elsewhere. SecureComm 2018
Keywords
SSLTLSdowngradebrowsersecurity
Contact author(s)
eman alashwali @ gmail com
History
2019-09-29: received
Short URL
https://ia.cr/2019/1099
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2019/1099,
      author = {Eman Salem Alashwali and Kasper Rasmussen},
      title = {On the Feasibility of Fine-Grained {TLS} Security Configurations in Web Browsers Based on the Requested Domain Name},
      howpublished = {Cryptology {ePrint} Archive, Paper 2019/1099},
      year = {2019},
      url = {https://eprint.iacr.org/2019/1099}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.