Quantifying User Password Exposure to Third-Party CDNs
Web services commonly employ Content Distribution Networks (CDNs) for performance and security. As web traffic is becoming 100% HTTPS, more and more websites allow CDNs to terminate their HTTPS connections. This practice may expose a website's user sensitive information such as a user's lo...
Saved in:
Main authors: | Xin, Rui ; Lin, Shihan ; Yang, Xiaowei |
---|---|
Format: | Article |
Language: | eng |
Subjects: | |
Online access: | Order full text |
container_end_page | |
---|---|
container_issue | |
container_start_page | |
container_title | |
container_volume | |
creator | Xin, Rui ; Lin, Shihan ; Yang, Xiaowei |
description | Web services commonly employ Content Distribution Networks (CDNs) for
performance and security. As web traffic is becoming 100% HTTPS, more and more
websites allow CDNs to terminate their HTTPS connections. This practice may
expose a website's user sensitive information such as a user's login password
to a third-party CDN. In this paper, we measure and quantify the extent of user
password exposure to third-party CDNs. We find that among Alexa top 50K
websites, at least 12,451 of them use CDNs and contain user login entrances.
Among those websites, 33% of them expose users' passwords to the CDNs, and a
popular CDN may observe passwords from more than 40% of its customers. This
result suggests that if a CDN infrastructure has a vulnerability or an insider
attack, many users' accounts will be at risk. If we assume the attacker is a
passive eavesdropper, a website can avoid this vulnerability by encrypting
users' passwords in HTTPS connections. Our measurement shows that less than 17%
of the websites adopt this countermeasure. |
doi_str_mv | 10.48550/arxiv.2301.03690 |
format | Article |
fulltext | fulltext_linktorsrc |
identifier | DOI: 10.48550/arxiv.2301.03690 |
ispartof | |
issn | |
language | eng |
recordid | cdi_arxiv_primary_2301_03690 |
source | arXiv.org |
subjects | Computer Science - Cryptography and Security ; Computer Science - Networking and Internet Architecture |
title | Quantifying User Password Exposure to Third-Party CDNs |
url | https://sfx.bib-bvb.de/sfx_tum?ctx_ver=Z39.88-2004&ctx_enc=info:ofi/enc:UTF-8&ctx_tim=2025-02-02T14%3A24%3A15IST&url_ver=Z39.88-2004&url_ctx_fmt=infofi/fmt:kev:mtx:ctx&rfr_id=info:sid/primo.exlibrisgroup.com:primo3-Article-arxiv_GOX&rft_val_fmt=info:ofi/fmt:kev:mtx:journal&rft.genre=article&rft.atitle=Quantifying%20User%20Password%20Exposure%20to%20Third-Party%20CDNs&rft.au=Xin,%20Rui&rft.date=2023-01-09&rft_id=info:doi/10.48550/arxiv.2301.03690&rft_dat=%3Carxiv_GOX%3E2301_03690%3C/arxiv_GOX%3E%3Curl%3E%3C/url%3E&disable_directlink=true&sfx.directlink=off&sfx.report_link=0&rft_id=info:oai/&rft_id=info:pmid/&rfr_iscdi=true |