  • DocumentCode
    2129207
  • Title
    SHPF: Enhancing HTTP(S) Session Security with Browser Fingerprinting
  • Author
    Unger, T.; Mulazzani, Martin; Fruhwirt, Dominik; Huber, Marco; Schrittwieser, Sebastian; Weippl, Edgar
  • Author_Institution
    FH Campus Wien, Vienna, Austria
  • fYear
    2013
  • fDate
    2-6 Sept. 2013
  • Firstpage
    255
  • Lastpage
    261
  • Abstract
    Session hijacking has become a major problem in today's Web services, especially since free off-the-shelf tools for it are readily available. As major websites like Facebook, YouTube and Yahoo still do not use HTTPS for all users by default, new methods are needed to protect users' sessions when session tokens are transmitted in the clear. In this paper we propose the use of browser fingerprinting to enhance current state-of-the-art HTTP(S) session management. Monitoring a wide set of features of the user's current browser makes session hijacking detectable at the server and raises the bar for attackers considerably. This paper furthermore identifies HTML5 and CSS features that can be used for browser fingerprinting, i.e. to identify or verify a browser without relying on the User-Agent string. We implemented our approach in a framework that is highly configurable and can be added to existing Web applications and server-side session management with ease.
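    The abstract describes binding a session to a fingerprint of the browser that logged in and re-checking that fingerprint on every request. The following Python sketch is an added example, not code from the paper or the SHPF framework: it binds a fixed set of request headers plus a client-reported HTML5/CSS feature bitmap to the session token, terminates the session on the first mismatch, and reports which component drifted. The header list, the probe names, the function names and the sample requests are assumptions constructed for this illustration.

```python
"""Server-side session binding to a browser fingerprint.

Added illustration of the idea in the abstract; not the SHPF framework's
own code. The header list, probe names and sample traffic below are
constructed for the example.
"""
import secrets

# Request headers bound to the session; stable for one browser installation.
FINGERPRINT_HEADERS = ("User-Agent", "Accept", "Accept-Language", "Accept-Encoding")

# HTML5/CSS capability probes that a page script runs and reports back.
# Probe names are assumptions for this example, not the paper's own list.
FEATURE_PROBES = ("canvas", "localStorage", "webgl", "css3-flexbox", "input-date")

SESSIONS = {}  # token -> {"user": str, "fp": dict}


def fingerprint(headers, features):
    """Build the fingerprint components the server binds to a session.

    Header names are matched case-insensitively. The feature report is
    reduced to a fixed-order bitmap so the comparison does not depend on the
    order the client sends probes in or on fields it omits.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    fp = {name: lower.get(name.lower(), "") for name in FINGERPRINT_HEADERS}
    fp["features"] = "".join("1" if p in features else "0" for p in FEATURE_PROBES)
    return fp


def create_session(user, headers, features):
    """Issue a random session token and record the login browser's fingerprint."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = {"user": user, "fp": fingerprint(headers, features)}
    return token


def validate(token, headers, features):
    """Return (user, mismatches) for a request carrying `token`.

    user is None when the token is unknown or the fingerprint drifted;
    mismatches names the components that differ so the server can log why
    the session was terminated. Termination is immediate and strict.
    """
    entry = SESSIONS.get(token)
    if entry is None:
        return None, ["unknown-token"]
    current = fingerprint(headers, features)
    mismatches = [k for k in entry["fp"] if entry["fp"][k] != current[k]]
    if mismatches:
        del SESSIONS[token]  # kill the session on first mismatch
        return None, mismatches
    return entry["user"], []


# Constructed sample traffic for the demonstration.
VICTIM_HEADERS = {
    "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:23.0) Gecko/20100101 Firefox/23.0",
    "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
    "Accept-Language": "de-AT,de;q=0.8,en;q=0.6",
    "Accept-Encoding": "gzip, deflate",
}
VICTIM_FEATURES = {"canvas", "localStorage", "webgl", "css3-flexbox"}  # no input-date
# The attacker replays the sniffed cookie and copies the sniffed headers byte
# for byte, but the probe script runs in the attacker's own browser, which
# supports a different feature set.
ATTACKER_FEATURES = {"canvas", "localStorage", "webgl", "css3-flexbox", "input-date"}


def demo():
    """Victim logs in, makes a legitimate request, then the token is replayed."""
    token = create_session("alice", VICTIM_HEADERS, VICTIM_FEATURES)
    legit = validate(token, VICTIM_HEADERS, VICTIM_FEATURES)
    hijack = validate(token, VICTIM_HEADERS, ATTACKER_FEATURES)
    # After termination the victim's own next request fails too: re-login needed.
    after = validate(token, VICTIM_HEADERS, VICTIM_FEATURES)
    return {"legit": legit, "hijack": hijack, "after": after}


if __name__ == "__main__":
    for step, result in demo().items():
        print(step, result)
```

    Two caveats a practitioner should keep in mind. The bound headers travel in the clear right next to the cookie, so an eavesdropper who took the token can replay them verbatim; what catches the replay above is the feature bitmap, which is computed by a probe script in whatever browser actually renders the page. This is why the abstract speaks of raising the bar rather than closing the hole: an attacker who also captures and replays the probe report defeats a static bitmap. The flip side is false positives: a browser update legitimately changes the User-Agent and often the feature set, and the strict policy above then forces a re-login, which is the usual trade-off of session binding.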
  • Keywords
    Web services; online front-ends; security of data; social networking (online); transport protocols; CSS; Facebook; HTML5; HTTP(S) session management; SHPF; Web services; Websites; Yahoo; YouTube; browser fingerprinting; free off-the-shelf tools; session hijacking; User-Agent string; Browsers; Cascading style sheets; Fingerprint recognition; IP networks; Monitoring; Security; Servers; Browser Fingerprinting; Security; Session Hijacking
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Availability, Reliability and Security (ARES), 2013 Eighth International Conference on
  • Conference_Location
    Regensburg
  • Type
    conf
  • DOI
    10.1109/ARES.2013.33
  • Filename
    6657249