Title: Secure inspection of web transactions

Authors: Mika Rautila; Jani Suomalainen

Addresses: VTT Technical Research Centre of Finland, Vuorimiehentie 3, Espoo, Finland; VTT Technical Research Centre of Finland, Vuorimiehentie 3, Espoo, Finland

Abstract: Web transactions are vulnerable to attacks in which malicious software has infected the browser or a root certifier has been compromised. As a countermeasure, we intercept HTTPS traffic in order to authorise certifiers and to inspect, verify and complement transactions securely. The interception and inspection are performed on a trusted device, outside the potentially compromised PC and browser. We propose a novel and flexible mechanism for controlling interception dynamically with directives embedded in HTML documents. We limit the authority of root certifiers over critical services with site-specific certification rules. We propose different models for realising the interceptor concept. The feasibility of the proposals is demonstrated by implementing and deploying the interceptor on a USB gadget and on a mobile phone.
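The abstract's "site-specific certification rules" limit which root certifiers may vouch for a critical service, so that a root that is trusted in general (and could have been compromised) cannot certify, say, a bank's login host. The following is an added illustration of that idea, not code from the paper or from the authors' interceptor: the rule format, the host names and the certificate byte strings are constructed assumptions, and roots are identified by the SHA-256 fingerprint of their DER encoding, the way certificate pins are normally written.

```python
"""Site-specific certification rules for an HTTPS interceptor (added example).

Models the policy stated in the abstract: a root certifier trusted for the
web in general is refused for a critical service unless a site-specific rule
names it. Rule format, hosts and certificate bytes are constructed here.
"""
from __future__ import annotations

import fnmatch
import hashlib
from dataclasses import dataclass, field
from typing import Optional


def fingerprint(der: bytes) -> str:
    """SHA-256 over the certificate's DER encoding, lowercase hex."""
    return hashlib.sha256(der).hexdigest()


@dataclass
class CertificationPolicy:
    # Roots accepted for sites that have no specific rule (the ordinary trust store).
    default_roots: set[str]
    # Site-specific rules: host pattern -> root fingerprints allowed for that site.
    # An exact host entry wins over a wildcard pattern such as "*.bank.example".
    site_rules: dict[str, set[str]] = field(default_factory=dict)

    def rule_for(self, host: str) -> Optional[set[str]]:
        host = host.lower().rstrip(".")
        if host in self.site_rules:
            return self.site_rules[host]
        for pattern, roots in self.site_rules.items():
            if "*" in pattern and fnmatch.fnmatchcase(host, pattern):
                return roots
        return None

    def authorise(self, host: str, root_der: bytes) -> tuple[bool, str]:
        """Decide whether the chain's root may certify `host`.

        Returns (allowed, reason). A host covered by a rule is never accepted
        on the strength of the general trust store alone.
        """
        fp = fingerprint(root_der)
        rule = self.rule_for(host)
        if rule is not None:
            if fp in rule:
                return True, "root named in site-specific rule"
            return False, "root not authorised for this site (rule present)"
        if fp in self.default_roots:
            return True, "root in default store, no site rule"
        return False, "unknown root"


# Constructed stand-ins for root certificates (not real DER, for the example only).
BANK_ROOT = b"constructed-der:bank-issuing-root"
GENERIC_ROOT = b"constructed-der:widely-trusted-root"
ROGUE_ROOT = b"constructed-der:unknown-root"

# Assumed policy: both known roots are in the general store, but only the
# bank's root may certify anything under bank.example.
POLICY = CertificationPolicy(
    default_roots={fingerprint(GENERIC_ROOT), fingerprint(BANK_ROOT)},
    site_rules={
        "online.bank.example": {fingerprint(BANK_ROOT)},
        "*.bank.example": {fingerprint(BANK_ROOT)},
    },
)

if __name__ == "__main__":
    for host, root in [
        ("online.bank.example", BANK_ROOT),
        ("online.bank.example", GENERIC_ROOT),  # trusted in general, refused here
        ("shop.example", GENERIC_ROOT),
        ("shop.example", ROGUE_ROOT),
    ]:
        allowed, reason = POLICY.authorise(host, root)
        print(f"{host:22} {fingerprint(root)[:12]}  {'ALLOW' if allowed else 'DENY ':5} {reason}")
```

The second case is the one the paper's mechanism is about: the generic root is in the default store and would satisfy an ordinary browser, but because a rule exists for the bank host the interceptor refuses it. Running the check on a separate trusted device matters because, as the abstract notes, the browser itself may be under attacker control.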

Keywords: WWW; internet; secure transactions; banking; authentication; weak certification; interceptor; man-in-the-browser; web transactions; transaction security; HTTPS traffic interception; interception control; embedded systems; HTML documents; root certifiers; malware; USB devices; mobile phones; cell phones; financial transactions.

DOI: 10.1504/IJITST.2012.054058

International Journal of Internet Technology and Secured Transactions, 2012 Vol. 4 No. 4, pp. 253-271

Received: 30 May 2012
Accepted: 07 Oct 2012

Published online: 09 Aug 2014
