Scholars@Duke

Quantifying User Password Exposure to Third-Party CDNs

Publication ,  Conference
Xin, R; Lin, S; Yang, X
Published in: Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
January 1, 2023
Published version (DOI)

Web services commonly employ Content Distribution Networks (CDNs) for performance and security. As web traffic is becoming 100% HTTPS, more and more websites allow CDNs to terminate their HTTPS connections. This practice may expose a website’s user sensitive information such as a user’s login password to a third-party CDN. In this paper, we measure and quantify the extent of user password exposure to third-party CDNs. We find that among Alexa top 50K websites, at least 12,451 of them use CDNs and contain user login entrances. Among those websites, 33% of them expose users’ passwords to the CDNs, and a popular CDN may observe passwords from more than 40% of its customers. This result suggests that if a CDN infrastructure has a vulnerability or an insider attack, many users’ accounts will be at risk. If we assume the attacker is a passive eavesdropper, a website can avoid this vulnerability by encrypting users’ passwords in HTTPS connections. Our measurement shows that less than 17% of the websites adopt this countermeasure.

Duke Scholars

Xiaowei Yang
Author Xiaowei Yang Computer Science

Published In

Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

DOI

10.1007/978-3-031-28486-1_27

EISSN

1611-3349

ISSN

0302-9743

Publication Date

January 1, 2023

Volume

13882 LNCS

Start / End Page

652 / 668

Related Subject Headings

  • Artificial Intelligence & Image Processing
  • 46 Information and computing sciences
 

Citation

APA
Chicago
ICMJE
MLA
NLM
Xin, R., Lin, S., & Yang, X. (2023). Quantifying User Password Exposure to Third-Party CDNs. In Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) (Vol. 13882 LNCS, pp. 652–668). https://doi.org/10.1007/978-3-031-28486-1_27
Xin, R., S. Lin, and X. Yang. “Quantifying User Password Exposure to Third-Party CDNs.” In Lecture Notes in Computer Science (Including Subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), 13882 LNCS:652–68, 2023. https://doi.org/10.1007/978-3-031-28486-1_27.
Xin R, Lin S, Yang X. Quantifying User Password Exposure to Third-Party CDNs. In: Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics). 2023. p. 652–68.
Xin, R., et al. “Quantifying User Password Exposure to Third-Party CDNs.” Lecture Notes in Computer Science (Including Subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 13882 LNCS, 2023, pp. 652–68. Scopus, doi:10.1007/978-3-031-28486-1_27.
Xin R, Lin S, Yang X. Quantifying User Password Exposure to Third-Party CDNs. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics). 2023. p. 652–668.

Published In

Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

DOI

10.1007/978-3-031-28486-1_27

EISSN

1611-3349

ISSN

0302-9743

Publication Date

January 1, 2023

Volume

13882 LNCS

Start / End Page

652 / 668

Related Subject Headings

  • Artificial Intelligence & Image Processing
  • 46 Information and computing sciences