Attacks on HTTPS Connections

Tapped in


The vulnerabilities presented in this article have led to a lack of confidence in encrypted connections, but they have effective countermeasures, as well, and the dangers can be controlled. The biggest problem is the existing certification system. Browsers and operating systems simply trust too many CAs on faith. If any one of them plays false, they are successfully attacked; if they don't work properly, valid but unauthorized certificates are created that make attacks much easier for a MitM.

Public key pinning and certificate pinning make it much more difficult for these attacks to be successful. Google, for example, has discovered wrongly issued certificates for its Google domains on many occasions using these methods, so the danger is absolutely real.


  1. Perfect forward secrecy:
  2. OWASP: "Certificate and Public Key Pinning":
  3. "EMET 4.0's Certificate Trust feature" by Elia Florio:
  4. RFC 7469: Public Key Pinning extension for HTTP:
  5. OWASP: "HTTP Strict Transport Security":
  6. Moxie Marlinspike: sslstrip:
  7. "PSA: In Firefox 44 Nightly" by Richard Barnes:
  8. RFC 6797: HTTP Strict Transport Security (HSTS):
  9. "CookieMonster nabs user creds from secure sites" by Dan Goodin:
  10. "Firesheep: Baaaaad News for the Unwary" by Brian Krebs:
  11. RFC 7465: Prohibiting RC4 cipher suites:

Buy ADMIN Magazine

Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content

comments powered by Disqus
Subscribe to our ADMIN Newsletters
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs

Support Our Work

ADMIN content is made possible with support from readers like you. Please consider contributing when you've found an article to be beneficial.

Learn More”>


		<div class=