
Quantifying User Password Exposure to Third-Party CDNs

Publication, Conference
Xin, R; Lin, S; Yang, X
Published in: Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
January 1, 2023

Web services commonly employ Content Distribution Networks (CDNs) for performance and security. As web traffic is becoming 100% HTTPS, more and more websites allow CDNs to terminate their HTTPS connections. This practice may expose a website’s sensitive user information, such as a user’s login password, to a third-party CDN. In this paper, we measure and quantify the extent of user password exposure to third-party CDNs. We find that among Alexa top 50K websites, at least 12,451 of them use CDNs and contain user login entrances. Among those websites, 33% of them expose users’ passwords to the CDNs, and a popular CDN may observe passwords from more than 40% of its customers. This result suggests that if a CDN infrastructure has a vulnerability or suffers an insider attack, many users’ accounts will be at risk. If we assume the attacker is a passive eavesdropper, a website can avoid this vulnerability by encrypting users’ passwords in HTTPS connections. Our measurement shows that less than 17% of the websites adopt this countermeasure.


Published In

Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

DOI

10.1007/978-3-031-28486-1_27
EISSN

1611-3349

ISSN

0302-9743

Publication Date

January 1, 2023

Volume

13882 LNCS

Start / End Page

652 / 668

Related Subject Headings

  • Artificial Intelligence & Image Processing
  • 46 Information and computing sciences
 

Citation

  • APA: Xin, R., Lin, S., & Yang, X. (2023). Quantifying User Password Exposure to Third-Party CDNs. In Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) (Vol. 13882 LNCS, pp. 652–668). https://doi.org/10.1007/978-3-031-28486-1_27
  • Chicago: Xin, R., S. Lin, and X. Yang. “Quantifying User Password Exposure to Third-Party CDNs.” In Lecture Notes in Computer Science (Including Subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), 13882 LNCS:652–68, 2023. https://doi.org/10.1007/978-3-031-28486-1_27.
  • ICMJE: Xin R, Lin S, Yang X. Quantifying User Password Exposure to Third-Party CDNs. In: Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics). 2023. p. 652–68.
  • MLA: Xin, R., et al. “Quantifying User Password Exposure to Third-Party CDNs.” Lecture Notes in Computer Science (Including Subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 13882 LNCS, 2023, pp. 652–68. Scopus, doi:10.1007/978-3-031-28486-1_27.
  • NLM: Xin R, Lin S, Yang X. Quantifying User Password Exposure to Third-Party CDNs. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics). 2023. p. 652–668.
