Prevention Techniques for SSL Hacking Threats to E-Government Services

Year 2018, Volume: 7 Issue: 2, 67 - 77, 01.06.2018

Ahmet Efe Rıdvan Tekdoğan

Abstract

Since security threats increase over time, security of internet commination has to be achieved with cryptography and ciphering techniques. The use of SSL protocols secures our communication between intended hosts and clients. As a legislative requirement it is obligatory for all government organizations and e-government applications to use SSL secure socked layer which ensures encrypted information transmission. Without use of SSL anyone who captures the IP packet can observe the communication since communication channels transmit bare information. Whilst securing the communication preserves secrets, sometimes it threatens business, human rights and government sovereignty. Employees can transfer confidential data to third parties over a secure channel using their credentials and authorized certificates. Therefore to secure business and e-government, decryption of SSL is obligatory to detect malevolent users. Considering the ever widening usage of internet infrastructure for e-government services and e-government applications, securing sensitive and critical information from unauthorized and malicious parties via SSL protocols which are hardened against MITM attacks became a major concern. Furthermore, usage of blockchain technology and increasing volume of cryptocurrencies are some of other issues related to security of assets over internet. In this paper, we have surveyed the SSL hacking methods and prevention techniques to have a clear vision of threats and remedies. Since hacking have several stages from ARP poisoning to fake certificate, prevention techniques are focused on different levels.

Keywords

SSL/TLS, Hacking, MITM, HTTPS, E-Government Security

References

• [1] H. Seung-Woo, et al. "A survey on MITM and its countermeasures in the TLS handshake protocol." Ubiquitous and Future Networks (ICUFN), 2016, Eighth International Conference on. IEEE. 11-12.
• [2] O. Eisen, "Catching the fraudulent Man-in-the-Middle and Man-in-the-Browser." 2010, Network Security.
• [3] T. Chomsiri, "HTTPS Hacking Protection." Advanced Information Networking and Applications Workshops, 2007, AINAW'07. 21st International Conference on. Vol. 1. IEEE.
• [4] N. Seung Yeob, S. Djuraev, and M. Park. "Collaborative approach to mitigating ARP poisoningbased Man-in-the-Middle attacks." Computer Networks 57.18 2013, pp. 3866-3884.
• [5] D. Italo, M. Ahamad, and P. Traynor. "POSTER: Trust No One Else: Detecting MITM Attacks Against SSL/TLS Without Third-Parties." pp 199-216
• [6] L. Wu, et al. "SSL-DP: a rootkit of network based SSL and TLS traffic decryptor." Cybercrime and Trustworthy Computing Workshop (CTC), 2010 Second. IEEE.
• [7] D. Jiang, X. Li, and H. Huang. "A study of man-in-themiddle attack based on SSL certificate interaction." Instrumentation, Measurement, Computer, Communication and Control, 2011, First International Conference on IEEE.
• [8] O. Rolf, R. Hauser, and D. Basin. "SSL/TLS sessionaware user authentication–Or how to effectively thwart the man-in-the-middle." Computer Communications 29.12, 2006, 2238-2246.
• [9] O. Rolf, R. Hauser, and D. Basin. "SSL/TLS sessionaware user authentication revisited." Computers & Security 27.3, 2008, 64-70.
• [10]D. Manik Lal, and N. Samdaria. "On the security of SSL/TLS-enabled applications." Applied Computing and informatics 10.1, 2014: 68-81.
• [11]J. Sharp, “Man in the browser attacks: worse than viruses”, 2008, Latest Access Time for the website is 20 June 2018
• [12]Entrust, “Winning the Fight Against Man-in-theBrowser - Entrust IdentityGuard Mobile Now Available” 2010, Newswire
• [13]Intel, “berserk analysis”, 2010, Latest Access Time for the website is 20 June 2018
• [14]P. Mutton, “95% of HTTPS servers vulnerable to trivial MITM attacks” Netcraft, 2016
• [15]P. Sec, “Renegotiation Attack”, 2017 Latest Access Time for the website is 20 June 2018
• [16] Blackhatinside, “How to do arp poisoning / spoofing with Kali Linux 2016.2 | arpspoof | wireshark | steal passwords | sniff packets”
• [17] Oxit, “Cain & Abel” , 2010, Latest Access Time for the website is 20 June 2018
• [18] R. Grimes, “Hacking bitcoin and blockchain”, 2017, Latest Access Time for the website is 20 June 2018
• [19] R. Sharma, “Bitcoin Mining Market Hacked: $70M Stolen from NiceHash”, 2017
• [20] C. Thawatchai. 2007, HTTPS hacking protection. IEEE. 2. 590-594. 10.1109/AINAW.2007.200.
• [21] W. Yang, X. Li, Z. Feng and J. Hao, "TLSsem: A TLS Security-Enhanced Mechanism against MITM Attacks in Public WiFis," 2017 22nd International Conference on Engineering of Complex Computer Systems (ICECCS), Fukuoka, pp. 30-39.doi: 10.1109/ICECCS.2017.24
• [22] C. J. D’Orazio, K. Kwang, R. Choo, “A technique to circumvent SSL/TLS validations on iOS devices”, Future Generation Computer Systems, Volume 74, 2017, Pages 366-374, ISSN 0167-739X
• [23] Arnbak, A & Asghari, Hadi & Eeten, Michel & Eijk, Nico. 2014, Assessing legal and technical solutions to secure HTTPS. 12. 1-15. 10.1145/2668152.2673311.
• [24] L. D. Manik & S. Navkar. “On the security of SSL/TLSenabled applications”. Applied Computing and Informatics. 2014, 10. 10.1016/j.aci.2014 .02.001.
• [25] J. King, K. Lauerman, “ARP Poisoning (Man-in-theMiddle) Attack and Mitigation Techniques”, 2016, A CSSTG SE Residency Program, CISCO White Paper
• [26] R. Leandro, “Chinese government surveillance app is vulnerable to MITM attacks”, 2018, Sidechannell. Latest Access Time for the website is 20 June 2018
• [27] D. Mitropoulos, D. Spinellis “Securing e-voting against MITM attacks”, 2009, 13th Panhellenic Conference on Informatics, Corfu, Greece, September, pp. 1-5
• [28] S. Hidayatullah, “Man in the middle attack prevention strategies” 2018, Computer Weekly, Latest Access Time for the website is 20 June 2018