Multisurf: MITM detection using multiple HTTP clients
Abstract
An increasing number of popular websites support the SSL/TLS protocol, the current standard for encrypting web traffic. Most commonly seen as part of the HTTPS protocol, SSL/TLS provides data and message confidentiality to protect users browsing the web from malicious attackers attempting to eavesdrop on or tamper with traffic. Nonetheless, about 48% of popular websites remain insecure by only supporting HTTP connections [8], which are vulnerable to man-in-the-middle (MITM) attacks. Because HTTP traffic is neither encrypted nor authenticated, an unsuspecting user may visit a website without realizing that an adversary has modified the contents of its pages in transit. Indeed, such in-flight web page modifications occur in practice with surprising frequency for various reasons, often resulting in undesirable effects such as injected advertisements, broken pages, and exploitable security vulnerabilities [7]. While the vast majority of changes to web pages in transit have economic incentives for website publishers, Reis et al. [7] also found that a portion of their measured in-flight modifications was due to injected malware. To provide web servers with a practical, more affordable alternative to HTTPS, the same authors proposed web tripwires, client-side scripts that can detect most modifications to unencrypted web pages. However, this solution requires that website publishers modify their pages to contain these scripts, and users unaware of the installed web tripwires may disregard warning messages as spam. Furthermore, helping website publishers understand and react to any changes made en route does not necessarily help users protect themselves from injected malware. This paper presents Multisurf, a browser extension that checks the integrity of unencrypted web pages, helping users detect when their HTTP traffic has been hijacked, without requiring support from the administrator or owner of the affected website.
Multisurf’s collaborative integrity checks detect in-flight changes to websites through a system of trusted peers: end-hosts run by persons or institutions that a user running the Multisurf client trusts. By gathering the peers’ versions of requested web content, the client can verify whether the visited web page was tampered with in transit. Because many changes to web pages en route are not malicious, the Multisurf client displays the result of the integrity check and gives the user the option of viewing the peers’ versions, to help her decide whether she accepts the in-flight modifications or considers them malicious and blacklists the site. Thus, Multisurf leverages out-of-band communication and inter-personal trust, and takes user preferences into account, giving the end user control over whether she would like to surf the web in a more aware way.
This paper is organized as follows. In Section 2 we outline our system model. Section 3 details Multisurf’s system design and the collaborative integrity check protocol; we evaluate the efficacy and accuracy of Multisurf in Section 4. Section 5 describes some related work, and we discuss directions for future work in Section 6. We conclude in Section 7.
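A minimal sketch of the peer comparison described above, added here as an illustration and not taken from Multisurf's own code. The abstract does not give the protocol details, so the SHA-256 digest comparison, the strict-majority quorum, the verdict names, and the sample pages and peer names are all assumptions.

```python
import hashlib
from collections import Counter
from difflib import unified_diff

# Constructed sample data: the page as served, and a copy with a script injected in transit.
PAGE = b"<html>\n<body>\n<p>News</p>\n</body>\n</html>\n"
INJECTED = PAGE.replace(
    b"</body>", b'<script src="http://ads.example/a.js"></script>\n</body>')


def digest(body: bytes) -> str:
    return hashlib.sha256(body).hexdigest()


def integrity_check(client_body: bytes, peer_bodies: dict, quorum: float = 0.5) -> dict:
    """Compare the client's copy of an HTTP page with copies fetched by trusted peers.

    Verdicts (hypothetical names):
      unverified   - no peer answered, nothing to compare against
      inconclusive - peers disagree among themselves (e.g. dynamic content)
      match        - a majority of peers saw exactly what the client saw
      modified     - a majority of peers agree on a version the client did not get
    """
    result = {"verdict": "unverified", "agreeing": [], "disagreeing": [], "diff": []}
    if not peer_bodies:
        return result
    mine = digest(client_body)
    peer_digests = {name: digest(body) for name, body in peer_bodies.items()}
    result["agreeing"] = sorted(n for n, d in peer_digests.items() if d == mine)
    result["disagreeing"] = sorted(n for n, d in peer_digests.items() if d != mine)

    # The peers' consensus version is the digest reported by a strict majority.
    top_digest, top_count = Counter(peer_digests.values()).most_common(1)[0]
    if top_count / len(peer_bodies) <= quorum:
        result["verdict"] = "inconclusive"
    elif top_digest == mine:
        result["verdict"] = "match"
    else:
        result["verdict"] = "modified"
        consensus = next(b for b in peer_bodies.values() if digest(b) == top_digest)
        # Show the user what differs so she can accept or blacklist the change.
        result["diff"] = list(unified_diff(
            consensus.decode(errors="replace").splitlines(),
            client_body.decode(errors="replace").splitlines(),
            "peers", "client", lineterm=""))
    return result


if __name__ == "__main__":
    report = integrity_check(INJECTED, {"alice": PAGE, "bob": PAGE, "carol": PAGE})
    print(report["verdict"], *report["diff"], sep="\n")
```

Exact-digest comparison treats any per-request variation in a page as a disagreement, which is why the sketch reports `inconclusive` instead of `modified` when the peers do not agree with each other.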
Similar resources
Detection of man-in-the-middle attacks using physical layer wireless security techniques
In a wireless network environment, all users are able to access the wireless channel. Thus, if malicious users exploit this feature by mimicking the characteristics of a normal user or even the central wireless access point (AP), they can intercept almost all the information passing through the network. This scenario is referred to as a man-in-the-middle (MITM) attack. In the MITM attack, the attacker...
Active Detection and Prevention of Sophisticated ARP-Poisoning Man-in-the-Middle Attacks on Switched Ethernet LANs
In this paper we describe two novel methods for active detection and prevention of ARP-poisoning-based Man-in-the-Middle (MitM) attacks on switched Ethernet LANs. As a stateless and inherently insecure protocol, ARP has been used as a relatively simple means to launch Denial-of-Service (DoS) and MitM attacks on local networks and multiple solutions have been proposed to detect and prevent these ...
DNSSEC for cyber forensics
Domain Name System (DNS) cache poisoning is a stepping stone towards advanced (cyber) attacks. DNS cache poisoning can be used to monitor users’ activities for censorship, to distribute malware and spam and to subvert correctness and availability of Internet clients and services. Currently, the DNS infrastructure relies on challenge-response defences against attacks by (the common) off-path adve...
Benchmarking Relief-Based Feature Selection Methods
Modern data mining requires feature selection methods that can (1) be applied to large scale feature spaces, (2) function in noisy problems, (3) detect complex patterns of association (e.g. interactions), (4) be flexibly adapted to various problem domains and data types, and (5) are computationally tractable. To that end, this work examines a set of filter-style feature selection algorithms ins...
Public key Tracing Framework using Blockchain
Context In recent years, instant messaging has become a popular means of communication among users. This has led to an increased amount of data exchange over the network. The exchanged data is usually privacy-sensitive, which makes data protection crucial in such systems. The market leaders (such as Whatsapp and Telegram) aim at mitigating the risk by utilizing end-to-end asymmetric encryption,...