
Secure Web Authentication against Deceiving URLs and Compromised Root Certificate Authorities

IP.com Disclosure Number: IPCOM000244917D
Publication Date: 2016-Jan-29
Document File: 8 page(s) / 529K

Publishing Venue

The IP.com Prior Art Database

Related People

Yuhui Wen: INVENTOR

Abstract

This publication proposes a way to perform web authentication securely while under attack from deceiving URLs or compromised root or subordinate certificate authorities. The solution uses an approach similar to Diffie-Hellman but eliminates the possibility of a man-in-the-middle attack. The solution further verifies the server certificate chain owned by the server against the one seen by the user to further eliminate the attacks.

This text was extracted from a PDF file.
This is the abbreviated version, containing approximately 22% of the total text.

Page 01 of 8


Yuhui Wen

Symantec Corporation


Copyright © 2016 Symantec Corporation. All rights reserved.

Page 02 of 8

Copyright © 2016 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. For a full list of Symantec trademarks, please visit http://www.symantec.com/about/profile/policies/trademarks/currentlist.jsp

Any Symantec products described in this document are distributed under licenses restricting their use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any.

THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

Symantec Corporation 350 Ellis Street Mountain View, CA 94043 United States

http://www.symantec.com



Page 03 of 8


Introduction

HTTPS is often used to authenticate servers and secure communication channels so that communication content between a user and a server is not leaked. However, HTTPS may be prone to the following vulnerabilities:

Deceiving URLs

An attacker can use a deceiving Uniform Resource Locator (URL) that looks similar to a valid URL to impersonate the valid server and obtain the user's credentials. A deceiving URL can be created by replacing characters with similar-looking ones, such as '0' instead of 'o' or '1' instead of 'l', or by inserting or removing a few characters. This can be detected with careful examination of the URLs.

The increasingly popular International Domain Name (IDN) can be exploited in an IDN homograph attack [1]. In 2009, an IDN homograph attack appeared to target Hotma...
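As an added illustration of the "careful examination of the URLs" the text describes, and of the IDN homograph case, here is a small Python check that is not part of the original publication: it decodes punycode (xn--) labels to the glyphs a user actually sees, flags labels that mix Unicode scripts, and folds the '0'/'1' substitutions and a few Cyrillic look-alikes before comparing against an allowlist. The allowlist, the sample hostnames and the (deliberately partial) confusables table are constructed for this example.

```python
import unicodedata

# Constructed mappings for this example: the ASCII substitutions named in the
# text ('0' for 'o', '1' for 'l') and a small, deliberately partial table of
# Cyrillic letters that render like Latin ones (a real check would use the
# full Unicode confusables data).
ASCII_LOOKALIKES = str.maketrans({"0": "o", "1": "l"})
CYRILLIC_CONFUSABLES = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
})


def decode_idn(host):
    """Decode punycode (xn--) labels so the glyphs the user actually sees can be inspected."""
    labels = []
    for label in host.lower().split("."):
        if label.startswith("xn--"):
            try:
                label = label[4:].encode("ascii").decode("punycode")
            except UnicodeError:
                pass  # malformed label: keep it as-is so the later checks still see it
        labels.append(label)
    return ".".join(labels)


def scripts_in(label):
    """Heuristic: Unicode scripts of the letters in a label, read from the first word of each character name."""
    return {unicodedata.name(ch, "UNKNOWN").split(" ")[0] for ch in label if ch.isalpha()}


def analyze_host(host, trusted):
    """Return findings for a hostname; an empty list means no look-alike indicator fired."""
    decoded = decode_idn(host)
    findings = []
    # One label drawing on two scripts (e.g. Latin plus Cyrillic) is the classic homograph signal
    if any(len(scripts_in(label)) > 1 for label in decoded.split(".")):
        findings.append("mixed-script")
    if decoded not in trusted:
        if decoded.translate(ASCII_LOOKALIKES) in trusted:
            findings.append("ascii-lookalike")
        if decoded.translate(CYRILLIC_CONFUSABLES) in trusted:
            findings.append("unicode-lookalike")
    return findings


if __name__ == "__main__":
    TRUSTED = {"hotmail.com"}  # constructed allowlist
    # Constructed samples: the legitimate name, the '0'/'1' substitution, and a Cyrillic-o homograph in punycode form
    homograph = "xn--" + "h\u043etmail".encode("punycode").decode("ascii") + ".com"
    for sample in ["hotmail.com", "h0tmai1.com", homograph]:
        print(sample, "->", decode_idn(sample), analyze_host(sample, TRUSTED) or ["ok"])
```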