Title :
SHPF: Enhancing HTTP(S) Session Security with Browser Fingerprinting
Author :
Unger, T. ; Mulazzani, Martin ; Fruhwirt, Dominik ; Huber, Marco ; Schrittwieser, Sebastian ; Weippl, Edgar
Author_Institution :
FH Campus Wien, Vienna, Austria
Abstract :
Session hijacking has become a major problem in today´s Web services, especially with the availability of free off-the-shelf tools. As major websites like Facebook, You tube and Yahoo still do not use HTTPS for all users by default, new methods are needed to protect the users´ sessions if session tokens are transmitted in the clear. In this paper we propose the use of browser fingerprinting for enhancing current state-of-the-art HTTP(S) session management. Monitoring a wide set of features of the user´s current browser makes session hijacking detectable at the server and raises the bar for attackers considerably. This paper furthermore identifies HTML5 and CSS features that can be used for browser fingerprinting and to identify or verify a browser without the need to rely on the User Agent string. We implemented our approach in a framework that is highly configurable and can be added to existing Web applications and server-side session management with ease.
Keywords :
Web services; online front-ends; security of data; social networking (online); transport protocols; CSS; Facebook; HTML5; HTTP(S) session management; SHPF; Web services; Websites; Yahoo; You tube; browser fingerprinting; free off-the-shelf tools; session hijacking; user agent string; Browsers; Cascading style sheets; Fingerprint recognition; IP networks; Monitoring; Security; Servers; Browser Fingerprinting; Security; Session Hijacking;
Conference_Titel :
Availability, Reliability and Security (ARES), 2013 Eighth International Conference on
Conference_Location :
Regensburg
DOI :
10.1109/ARES.2013.33
