Web Security: Understanding HTTP(S)

This document provides HTTP and HTTPS methods and their approach to security.

Web Security: HTTP(S)

Web Security Goals
• Safely browse the web: visit a variety of web sites without incurring harm
• Integrity: Site A cannot affect a session on Site B
• Confidentiality: Site A cannot steal information from your device or from Site B
• Availability: Site A and Site B can be accessed whenever the user requires
Attack Models
• Malicious website
• Malicious external resource
• Network attacker
• Malware attacker


Basic structure of web traffic
[Figure: a client (browser) and a web server exchanging HTTP]

HyperText Transfer Protocol (HTTP)
An “application-layer” protocol for exchanging collections of data.
Interacting with web servers
Resources are identified by a URL: [Link]

• Protocol: e.g. ftp, https, tor
• Hostname/server: translated to an IP address by DNS (more on this later)
• Path to a resource: here, the file [Link] is static content, i.e., a fixed file returned by the server
• Arguments: ?f=joe123&w=16. Here [Link] generates dynamic content, i.e., the server generates the content on the fly
Basic structure of web traffic
[Figure: the user clicks; the browser sends an HTTP request to the web server, which returns an HTTP response]

HTTP uses a message-based model in which a client sends a request message, and the server returns a response message.

• Requests contain:
  • The URL of the resource the client wishes to obtain
  • Headers describing what the browser can do
• Requests can be GET or POST
  • GET: all data is in the URL itself (supposed to have no side-effects)
  • POST: includes the data as separate fields (can have side-effects)
• Responses contain:
  • Status code
  • Headers describing what the server provides
  • Data
  • Cookies (covered later)
HTTP GET
The GET method is designed to retrieve resources. It can be used to send parameters to the requested resource in the URL query string.

HTTP GET request for [Link]:

GET / HTTP/2
Host: [Link]
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Cookie: 1P_JAR=2023-03-29-09;AEC=AUEFqZet9DC1WrCwM24FVX_U………

The User-Agent is typically a browser, but it can be wget, the JDK, etc.
A second HTTP GET request, this time for an image (note the Referer header):

GET /images/branding/googlelogo/2x/googlelogo_light_color_272x92dp.png HTTP/2
Host: [Link]
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0
Accept: image/avif,image/webp,*/*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: [Link]
Connection: keep-alive
Cookie: 1P_JAR=2023-03-30-04; AEC=AUEFqZcgISIG-XvJMWPOAMG1CDurktRC7
HTTP POST
HTTP POST requests contain headers and a body (data). A POST is a request to upload data to a resource (a program) hosted at a URL.

POST /gen_204? HTTP/2
Host: [Link]
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: [Link]
Connection: keep-alive
Cookie: 1P_JAR=2023-03-30-04; AEC=AUEFqZcgISIG-XvJMWPOAMG1CDurktRC7

Body (form fields):
Atyp i
Ei: _RYlZLOfCKGnkdUPgvSUyAM
Ct: slh
V:t1
Im:M..........
Headers
• Accept tells the server what kinds of content the client is willing to accept, such as image types, office document formats, and so on.
• Accept-Encoding tells the server what kinds of content encoding the client is willing to accept.
• Cookie submits cookies to the server that the server previously issued.
• Host specifies the hostname that appeared in the full URL being requested.
• Referer specifies the URL from which the current request originated.
• User-Agent provides information about the browser or other client software that generated the request.
• Connection: HTTP keep-alive, a.k.a. HTTP persistent connection, is an instruction that allows a single TCP connection to remain open for multiple HTTP requests/responses (more details below).
HTTP connection: keep-alive
• HTTP keep-alive, a.k.a. HTTP persistent connection, is an instruction that allows a single TCP connection to remain open for multiple HTTP requests/responses.
• If keep-alive is off, then when someone visits your site their browser needs to create a new connection to request each of the files that make up your web pages (e.g. images, JavaScript, and CSS stylesheets).
• The default on HTTP/2.0 is ‘keep alive’.

HTTP response
HTTP/2 200 OK
accept-ranges: bytes
vary: Accept-Encoding, Origin
content-encoding: gzip
content-type: text/javascript; charset=UTF-8
content-length: 70747
date: Thu, 30 Mar 2023 [Link] GMT
last-modified: Wed, 11 Aug 2021 [Link] GMT
expires: Fri, 29 Mar 2024 [Link] GMT
cache-control: public, max-age=31536000
Server: sffe

Actual content….
<html> …… </html>

Static File Front End (SFFE) is a proprietary web server software that Google uses for its web infrastructure.
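The request and response messages shown above share one shape: a start line, header lines, a blank line, then an optional body. The parser below is added here as an example and is not part of the slides; it pulls those parts out and shows where a request's arguments live: in the URL query string for a GET, in the length-delimited body for a form POST. The three sample messages are constructed, modelled on the slide examples; the hostnames, paths and cookie values are made up, and they use HTTP/1.1 text framing, since the HTTP/2 messages on the slides are a browser's rendering of what is, on the wire, a binary framing.

```python
"""Parse HTTP request and response messages into their parts.

Added example, not code from the slides. The three sample messages are
constructed, modelled on the requests and response shown on the slides.
"""
from urllib.parse import parse_qs, urlsplit

# Constructed: a GET whose arguments travel in the URL query string.
SAMPLE_GET = (
    "GET /search?q=http+security&hl=en HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) "
    "Gecko/20100101 Firefox/111.0\r\n"
    "Accept: text/html,application/xhtml+xml\r\n"
    "Cookie: 1P_JAR=2023-03-30-04; AEC=AUEFqZcg\r\n"
    "Connection: keep-alive\r\n"
    "\r\n"
)

# Constructed: a POST whose arguments travel in the body, not in the URL.
SAMPLE_POST = (
    "POST /gen_204 HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 23\r\n"
    "\r\n"
    "atyp=i&ct=slh&v=t1&im=M"
)

# Constructed: a response carrying the caching headers seen in the slide example.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/javascript; charset=UTF-8\r\n"
    "Content-Length: 13\r\n"
    "Cache-Control: public, max-age=31536000\r\n"
    "Server: sffe\r\n"
    "\r\n"
    "<html></html>"
)


def _parse_cookies(header: str) -> dict:
    """Split 'a=1; b=2' into {'a': '1', 'b': '2'}."""
    return dict(pair.strip().split("=", 1)
                for pair in header.split(";") if "=" in pair)


def parse_http_message(raw: str) -> dict:
    """Split a raw message into start line, headers and body.

    Handles both requests (method target version) and responses
    (version status reason). Header names are lower-cased because they
    are case-insensitive; the slide's response already shows them that way.
    """
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    start = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    msg = {"headers": headers, "body": body}

    if start[0].startswith("HTTP/"):            # response: HTTP/1.1 200 OK
        msg.update(kind="response", version=start[0], status=int(start[1]),
                   reason=start[2] if len(start) > 2 else "")
        return msg

    method, target, version = start             # request: GET /p?x=y HTTP/1.1
    parts = urlsplit(target)
    msg.update(kind="request", method=method, version=version,
               path=parts.path,
               # GET arguments sit in the URL: they end up in server logs,
               # browser history and the Referer of any linked resource.
               query=parse_qs(parts.query),
               cookies=_parse_cookies(headers.get("cookie", "")),
               form={})
    ctype = headers.get("content-type", "")
    if method == "POST" and ctype.startswith("application/x-www-form-urlencoded"):
        # POST arguments sit in the body, delimited by Content-Length.
        declared = int(headers.get("content-length", "0"))
        msg["form"] = parse_qs(body[:declared])
    return msg


if __name__ == "__main__":
    for sample in (SAMPLE_GET, SAMPLE_POST, SAMPLE_RESPONSE):
        m = parse_http_message(sample)
        print(m["kind"], m.get("method", m.get("status")),
              "query:", m.get("query"), "form:", m.get("form"))
```

Run it to print each message's kind and arguments. The point for a defender is the contrast between the two requests: everything in a GET query string is recorded in server logs and browser history and is sent on in the Referer header of resources the page then loads, which is one reason the slide says GET should have no side-effects and why sensitive parameters belong in a POST body rather than in the URL.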
More headers
Custom Headers
HTTPS
• HTTPS (HyperText Transfer Protocol Secure) is an encrypted version of the HTTP protocol. It uses SSL/TLS to encrypt all communication between a client and a server. This secure connection allows clients to be sure that they are connected with the intended server, and to exchange sensitive data.
Cryptographic System & Standards
SSL/TLS: a packaged set of cryptographic protections, including confidentiality, authentication, and integrity for protecting dialogues.
When two parties communicate using a cryptographic system, they need to use a specific cryptographic system standard.

Cryptographic System Stages
Handshaking Stage 1: Cipher Suite Options
A cipher suite is a specific set of security methods and options for a particular cryptographic system standard (e.g., SSL/TLS). Suite names follow the pattern:

TLS_KeyExchange_Asymmetric_Symmetric_Hash

TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA
TLS_RSA_WITH_NULL_MD5
TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA

TLS_DHE_RSA_WITH_AES_256_SHA384
TLS_DHE_RSA_WITH_AES_128_SHA256
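One way to read the names on this slide mechanically, added here as an example and not taken from the slides: split each name on `_`, take the tokens before WITH as key exchange and authentication, the last token as the hash and the tokens in between as the symmetric cipher, then look the tokens up in a table of known-weak components. The WEAK table (EXPORT, NULL, RC4, DES, MD5) and the forward-secrecy rule are the editor's classification; the slide itself does not label the suites. The decoder accepts both the slide's shortened names and full IANA names that carry a _CBC_ or _GCM_ mode token.

```python
"""Decode TLS cipher-suite names and flag weak components.

Added example, not code from the slides. Applies the
TLS_KeyExchange_Asymmetric_WITH_Symmetric_Hash naming pattern to the
suites listed on the slide.
"""

# The cipher suites named on the slide.
SLIDE_SUITES = [
    "TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA",
    "TLS_RSA_WITH_NULL_MD5",
    "TLS_RSA_EXPORT1024_WITH_RC4_56_SHA",
    "TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_256_SHA384",
    "TLS_DHE_RSA_WITH_AES_128_SHA256",
]

# Tokens that make a suite unacceptable, and why (editor's classification).
WEAK = {
    "EXPORT": "export-grade key length (deliberately weakened 1990s cipher strength)",
    "NULL":   "NULL cipher: no encryption at all",
    "RC4":    "RC4 keystream biases; prohibited for TLS by RFC 7465",
    "DES":    "single DES: 56-bit key, brute-forceable",
    "MD5":    "MD5: collision-broken hash",
}


def decode_suite(name: str) -> dict:
    """Split a suite name into key exchange, authentication, cipher and hash."""
    tokens = name.split("_")
    if tokens[0] != "TLS" or "WITH" not in tokens:
        raise ValueError(f"not a TLS cipher suite name: {name}")
    w = tokens.index("WITH")
    kx_part, cipher_part = tokens[1:w], tokens[w + 1:]
    key_exchange = kx_part[0]
    # TLS_RSA_WITH_...: RSA does both key exchange and authentication.
    if len(kx_part) >= 2 and not kx_part[1].startswith("EXPORT"):
        authentication = kx_part[1]
    else:
        authentication = key_exchange
    return {
        "name": name,
        "key_exchange": key_exchange,
        "authentication": authentication,
        "cipher": "_".join(cipher_part[:-1]),
        "hash": cipher_part[-1],
        "export": any(t.startswith("EXPORT") for t in kx_part),
        # Ephemeral Diffie-Hellman gives forward secrecy; static RSA key
        # exchange lets a stolen server key decrypt recorded sessions.
        "forward_secrecy": key_exchange in ("DHE", "ECDHE"),
    }


def audit_suite(name: str) -> list:
    """Return the reasons to refuse a suite; an empty list means none found."""
    info = decode_suite(name)
    reasons = []
    if info["export"]:
        reasons.append(WEAK["EXPORT"])
    for token in info["cipher"].split("_") + [info["hash"]]:
        if token in WEAK:
            reasons.append(WEAK[token])
    if not info["forward_secrecy"]:
        reasons.append("static key exchange: no forward secrecy")
    return reasons


def acceptable_suites(names) -> list:
    """Filter a list of suite names down to those with no findings."""
    return [n for n in names if not audit_suite(n)]


if __name__ == "__main__":
    for suite in SLIDE_SUITES:
        findings = audit_suite(suite)
        print(suite, "->", "; ".join(findings) or "OK")
```

Running it over SLIDE_SUITES leaves only the two AES suites with an empty findings list; the first four are rejected for the component the slide's grouping already hints at (export key lengths, a NULL cipher, RC4, DES, MD5).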
Handshaking Stage 2

Handshaking Stage 3: Keying Stage
• Diffie-Hellman key exchange, Station-to-Station Protocol
Message-by-Message Authentication
• Message-by-message authentication can protect messages against man-in-the-middle and replay attacks.
• Man-in-the-middle (MITM) attack: a form of attack in which an attacker intercepts messages being sent between two parties and forwards them on.
• Replay attack: occurs when an attacker intercepts an encrypted message and transmits it again later.
Digital Signature Message Authentication

Key-Hashed Message Authentication Code (HMAC)
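The following example, added here and not taken from the slides, shows message-by-message authentication with an HMAC and why it defeats both attacks described above: each record carries a sequence number under the MAC, so a modified record fails verification (the MITM case) and a resent record arrives with an already-used sequence number (the replay case). The shared key and the two messages are constructed; in TLS the key is an output of the keying stage and the record layer carries a sequence number in much this way.

```python
"""Per-message HMAC with a sequence number: catches tampering and replay.

Added example, not code from the slides. The shared key and the messages
are constructed.
"""
import hashlib
import hmac

SEQ_LEN = 8          # bytes of sequence number prepended to each record
TAG_LEN = 32         # HMAC-SHA256 digest length
KEY = b"constructed-shared-secret-from-the-handshake"


def protect(key: bytes, seq: int, payload: bytes) -> bytes:
    """Return seq || payload || HMAC-SHA256(key, seq || payload).

    Including the sequence number under the MAC is what makes a replayed or
    reordered record detectable: the same payload at a different position
    carries a different tag.
    """
    header = seq.to_bytes(SEQ_LEN, "big")
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


class Receiver:
    """Verifies each record and accepts only the next expected sequence number."""

    def __init__(self, key: bytes):
        self.key = key
        self.expected_seq = 0

    def accept(self, record: bytes):
        """Return the payload if the record is authentic and fresh, else None."""
        if len(record) < SEQ_LEN + TAG_LEN:
            return None
        header = record[:SEQ_LEN]
        payload = record[SEQ_LEN:-TAG_LEN]
        tag = record[-TAG_LEN:]
        expected = hmac.new(self.key, header + payload, hashlib.sha256).digest()
        # compare_digest runs in constant time; == would leak how many
        # leading tag bytes matched.
        if not hmac.compare_digest(tag, expected):
            return None                          # modified in transit (MITM)
        if int.from_bytes(header, "big") != self.expected_seq:
            return None                          # replayed or out of order
        self.expected_seq += 1
        return payload


def demo() -> dict:
    """Run one sender/receiver exchange with a replay and a tamper attempt."""
    rx = Receiver(KEY)
    first = protect(KEY, 0, b"transfer 10 to alice")
    second = protect(KEY, 1, b"transfer 5 to bob")

    results = {"fresh": rx.accept(first)}        # accepted
    results["replay"] = rx.accept(first)         # same bytes again: refused
    tampered = bytearray(second)
    tampered[SEQ_LEN + len(b"transfer ")] ^= 0x01  # flip a bit in the "5"
    results["tampered"] = rx.accept(bytes(tampered))  # MAC fails: refused
    results["next"] = rx.accept(second)          # untouched record: accepted
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label:9s} -> {outcome!r}")
```

Note what the MAC does not do: it does not hide the payload. Confidentiality comes from the symmetric cipher in the suite; the HMAC supplies the integrity and authentication parts the SSL/TLS slide lists alongside it.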
HTTPS attacks
• Downgrade Attacks
• Mixed Content
• SSL Strip

SSL Strip (1)
SSL Strip attacks can be implemented in a number of ways. Three of the most common methods are listed below:
1. Manually set the proxy of the browser to route all traffic
2. ARP Poisoning
3. Create a hotspot and allow the victims to connect to it
TLS Downgrade Attack
A downgrade attack makes a protocol abandon a high-quality mode of operation (e.g. an encrypted connection) in favor of an older, lower-quality mode of operation (e.g. cleartext) that is typically provided for backward compatibility with older systems.

An example of such a flaw was found in OpenSSL that allowed the attacker to negotiate the use of a lower version of TLS between the client and server.
Mixed Content
• Mixed content occurs when initial HTML is loaded over a secure HTTPS
connection, but other resources (such as images, videos, stylesheets,
scripts) are loaded over an insecure HTTP connection.
Defense
• Remove backward compatibility for older and insecure TLS versions.
• For critical sites, like online banking, go to the HTTPS (SSL) version of the site from your machine while using a secure network, and then bookmark that page. Then, always open the site by accessing the bookmark whenever you want to visit that page.
• At the server side: HTTP Strict Transport Security.
• At the user side: Forced HTTPS / Always On.
• Do not bypass certificate warnings, and do not continue browsing that website.
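Two of the defences above can be checked mechanically. The example below, added here and not taken from the slides, inspects a Strict-Transport-Security header for the settings that make HSTS effective (a long max-age and includeSubDomains) and scans an HTML page for sub-resources that would load over plain HTTP, i.e. the mixed content described earlier. The header values and the HTML page are constructed; the one-year max-age threshold is the minimum the Chromium HSTS preload list requires.

```python
"""Server-side checks for two of the listed defenses: HSTS header sanity
and a scan for mixed content.

Added example, not code from the slides. Header values and the HTML page
are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

ONE_YEAR = 31536000   # seconds; the preload-list minimum for max-age


def check_hsts(header_value):
    """Inspect a Strict-Transport-Security value; return findings (empty = fine)."""
    if header_value is None:
        return ["no Strict-Transport-Security header: a later plain-HTTP "
                "request can still be intercepted and kept on HTTP"]
    directives = {}
    for part in header_value.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            directives[name.lower()] = value.strip().strip('"')
    findings = []
    max_age = directives.get("max-age")
    if max_age is None or not max_age.isdigit():
        findings.append("max-age missing or not numeric")
    elif int(max_age) == 0:
        findings.append("max-age=0 switches HSTS off")
    elif int(max_age) < ONE_YEAR:
        findings.append(f"max-age={max_age} is shorter than one year")
    if "includesubdomains" not in directives:
        findings.append("includeSubDomains absent: subdomains still reachable over HTTP")
    return findings


class MixedContentScanner(HTMLParser):
    """Collects sub-resources that an HTTPS page would fetch over plain HTTP.

    Links (<a href>) are navigation, not mixed content, so they are ignored.
    Scheme-relative URLs (//host/path) inherit https and are fine.
    """
    RESOURCE_ATTRS = {"script": "src", "img": "src", "iframe": "src",
                      "video": "src", "audio": "src", "source": "src",
                      "link": "href"}

    def __init__(self):
        super().__init__()
        self.insecure = []

    def handle_starttag(self, tag, attrs):
        wanted = self.RESOURCE_ATTRS.get(tag)
        if wanted is None:
            return
        for name, value in attrs:
            if name == wanted and value and urlsplit(value).scheme == "http":
                self.insecure.append((tag, value))


def find_mixed_content(html: str) -> list:
    """Return (tag, url) pairs for every plain-HTTP sub-resource in the page."""
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.insecure


# Constructed HTTPS page with two insecure sub-resources and two harmless URLs.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="https://cdn.example.net/site.css">
<script src="http://cdn.example.net/app.js"></script>
</head><body>
<img src="http://images.example.net/logo.png">
<img src="//images.example.net/hero.png">
<a href="http://partner.example.org/">partner</a>
</body></html>"""


if __name__ == "__main__":
    print(check_hsts("max-age=300"))
    print(check_hsts("max-age=31536000; includeSubDomains; preload"))
    print(find_mixed_content(SAMPLE_HTML))
```

Of the two insecure references in SAMPLE_HTML, the script is the more serious: a stylesheet or image loaded over HTTP can be swapped by a network attacker to deface or track, but a script runs with the page's origin and full access to it, which is why browsers block active mixed content outright and only warn about passive content.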
Observe
• In your browser settings, disable HTTPS Always On
  • Visit [Link] and check whether it redirects you to [Link]. Which sites do this?
  • Visit [Link] and observe the behavior with HTTPS Always On enabled and disabled.
  • How does the browser alert the user to HTTP-only content?
  • How does the browser alert the user to mixed content?
• Enable HTTPS Always On
• Type about:config
  • What are the maximum and minimum TLS versions accepted by your browser?
  • Are deprecated versions of TLS allowed?
• Visit [Link] for examples of bad certificates.
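The question of which TLS versions a client accepts applies to any TLS client, not only browsers. The example below, added here and not taken from the slides, builds a Python client context that enforces the first defence listed earlier (no deprecated TLS versions), refuses suites built from the weak components on the cipher-suite slide, and keeps certificate verification on so that warnings cannot be silently bypassed; helper functions report what the context will negotiate. The cipher string and the TLS 1.2 floor are the editor's choices, not settings from the slides, and the versions reported depend on the OpenSSL build Python is linked against.

```python
"""A client TLS context that refuses deprecated versions and weak suites.

Added example, not code from the slides. The cipher string and version
floor are the editor's choices.
"""
import ssl

# Oldest to newest; the TLSVersion enum values increase in this order.
LADDER = ["SSLv3", "TLSv1", "TLSv1_1", "TLSv1_2", "TLSv1_3"]


def hardened_client_context() -> ssl.SSLContext:
    """Certificate and hostname verification on, TLS 1.2 as the floor."""
    ctx = ssl.create_default_context()            # CERT_REQUIRED + check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # SSLv3, TLS 1.0 and 1.1 refused
    # Forward-secret AEAD suites only; the '!' entries exclude the weak tokens
    # from the cipher-suite slide (NULL, EXPORT, RC4, DES, MD5).
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM"
                    ":!aNULL:!eNULL:!EXPORT:!RC4:!DES:!MD5")
    return ctx


def allowed_versions(ctx: ssl.SSLContext) -> list:
    """Name the protocol versions the context will negotiate, oldest first."""
    lo, hi = ctx.minimum_version, ctx.maximum_version
    if lo == ssl.TLSVersion.MINIMUM_SUPPORTED:
        lo = ssl.TLSVersion.SSLv3
    if hi == ssl.TLSVersion.MAXIMUM_SUPPORTED:
        hi = ssl.TLSVersion.TLSv1_3 if ssl.HAS_TLSv1_3 else ssl.TLSVersion.TLSv1_2
    return [name for name in LADDER if lo <= ssl.TLSVersion[name] <= hi]


def weak_ciphers_offered(ctx: ssl.SSLContext) -> list:
    """List enabled cipher names containing a token the slide's weak suites use."""
    bad = ("NULL", "EXPORT", "RC4", "DES", "MD5")
    return [c["name"] for c in ctx.get_ciphers()
            if any(tok in c["name"].upper() for tok in bad)]


def verifies_server(ctx: ssl.SSLContext) -> bool:
    """True when certificate warnings cannot be silently bypassed."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname


if __name__ == "__main__":
    ctx = hardened_client_context()
    print("versions:", allowed_versions(ctx))
    print("weak ciphers:", weak_ciphers_offered(ctx))
    print("verifies server:", verifies_server(ctx))
```

Pass the returned context to ssl.SSLContext.wrap_socket or to an HTTPS client library that accepts one; a server that only offers TLS 1.0 or 1.1 then fails the handshake instead of being downgraded to.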
Home Task: What makes a browser secure?

Next: Cookies

HTTP is stateless
• The lifetime of an HTTP session is typically:
  • Client connects to the server
  • Client issues a request
  • Server responds
• HTTP has no means of noting “oh, this is the same client from that previous session”
• With this alone, you’d have to log in at every page load