SecSess is a proposal to fundamentally address the security problems of bearer token-related session management mechanisms in the presence of Web attackers and passive/active network attackers. SecSess effectively prevents the transfer of a session without authorization by introducing an integrity check on HTTP requests, based on a shared secret. We have designed SecSess to be compatible with currently deployed middleboxes on the Web, such as Web caches or perimeter security devices, a feature that is lacking from related proposals.
The main contribution of SecSess is a simple session management mechanism that addresses the fundamental threat of an unauthorized session transfer. SecSess achieves this security property by determining a shared secret between server and browser during the session establishment phase. The integrity of each request is validated using the shared secret associated with the established session. This effectively prevents the attacker from taking over the session, as he does not know the shared secret, or from fixating the session, as he cannot transfer his shared secret to the user’s browser. SecSess is compatible with current deployment scenarios on the Web, which often use a mixture of HTTP and HTTPS channels, as well as a variety of middleboxes deployed throughout the network infrastructure.
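The per-request integrity check described above can be modelled in a few lines. This is an added illustration, not SecSess's own implementation or wire format: the `Server` and `Browser` classes, the HMAC-SHA256 construction, the fields covered by the MAC and the way the secret reaches the browser are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets

def request_mac(key, req):
    # Hypothetical MAC input: session id, method and URL (not the SecSess format).
    msg = "\n".join((req["sid"], req["method"], req["url"])).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

class Server:
    def __init__(self):
        self.sessions = {}  # session id -> shared secret

    def establish(self):
        # Assumption: the secret is agreed during session establishment and
        # never travels with later requests; here it is simply returned.
        sid, key = secrets.token_hex(8), secrets.token_bytes(32)
        self.sessions[sid] = key
        return sid, key

    def accept(self, req):
        key = self.sessions.get(req["sid"])
        if key is None or req["mac"] is None:
            return False  # unknown session, or no integrity value at all
        return hmac.compare_digest(req["mac"], request_mac(key, req))

class Browser:
    def __init__(self):
        self.keys = {}  # secrets only for sessions this browser established

    def open_session(self, server):
        sid, key = server.establish()
        self.keys[sid] = key
        return sid

    def request(self, sid, method, url):
        req = {"sid": sid, "method": method, "url": url, "mac": None}
        if sid in self.keys:
            req["mac"] = request_mac(self.keys[sid], req)
        return req

def demo():
    server, user, attacker = Server(), Browser(), Browser()
    sid = user.open_session(server)
    legit = user.request(sid, "GET", "/account")
    # Session transfer: the attacker knows the identifier but not the secret.
    hijack = attacker.request(sid, "GET", "/account")
    # Fixation: the attacker's identifier is planted in the user's browser,
    # which holds no secret for it and cannot produce a valid MAC.
    fixed = user.request(attacker.open_session(server), "GET", "/account")
    return server.accept(legit), server.accept(hijack), server.accept(fixed)
```

Only the request from the browser that established the session is accepted; the identifier on its own no longer behaves as a bearer token.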
Even though widespread TLS deployment remains the optimal deployment strategy, with which SecSess is fully compatible, the current state of practice shows that full TLS deployment across the Web may be a utopian dream. Therefore, we envision the upgrading of the HTTP session management mechanism within the current movement towards improving the security of the default plaintext channel, with techniques such as opportunistic encryption being proposed to be included in the upcoming HTTP/2.0 specification.
SECSESS: KEEPING YOUR SESSION TUCKED AWAY IN YOUR BROWSER
Session management is a crucial component in every modern Web application. It links multiple requests and temporary stateful information together, enabling a rich and interactive user experience. Unfortunately, the de facto standard cookie-based session management mechanism is imperfect, which is why session management vulnerabilities rank second in the OWASP top 10 of Web application vulnerabilities. While improved session management mechanisms have been proposed, none of them achieves compatibility with currently deployed applications or infrastructure components such as Web caches.
SecSess is a lightweight session management mechanism that addresses common session management vulnerabilities by ensuring a session remains under the control of the parties that established it. SecSess is fully interchangeable with the currently deployed cookie-based session management and can be gradually deployed to clients and servers through an opt-in mechanism. Evaluation of our proof-of-concept implementation shows that SecSess introduces only a minimal performance and networking overhead. Furthermore, we empirically show that SecSess is effectively compatible with commonly used Web caches, in contrast to alternative approaches.
In addition to the complexity of deploying HTTPS, a wide-scale transition to HTTPS severely obstructs the operation of so-called middleboxes, machines in between the endpoints that cache, inspect or modify traffic. These middleboxes are essential parts of the Web infrastructure, for example by bringing the Web to developing nations through extensive caching and enabling efficient video transmission on mobile phone networks. We acknowledge that wide-scale deployment of HTTPS remains imperative for securing the Web, but also recognize that it is a long and tedious process. This explains why the recent revelations about pervasive monitoring on the Web have sparked multiple proposals looking to transparently upgrade the security properties of the HTTP channel when supported by the endpoints. One prominent proposal is to negotiate an encrypted HTTP channel without verifying the entities’ authentication, which is even proposed as one of the available modes in the upcoming HTTP/2.0 specification. This eagerness to improve the security properties of the HTTP protocol, even by introducing them into the new version, shows that the HTTP protocol will be around for the near future. Therefore, it makes sense not only to upgrade the network-level protocol properties but also to take the opportunity to improve the security properties of session management on top of the HTTP protocol.
SecSess is a lightweight session management mechanism that effectively eradicates the bearer token properties of the session identifier in current cookie-based session management mechanisms. SecSess is fully interchangeable with the current cookie-based workflows and can be enabled on an opt-in basis, supporting a gradual migration path. Additionally, SecSess incurs only a minimal computational and network overhead, carefully avoiding the introduction of additional requests and roundtrips. To our knowledge, SecSess is the only session management mechanism explicitly designed to be compatible with currently deployed Web infrastructure, such as the popular Web caches.