Paper: Web-based Attacks on Host-Proof Encrypted Storage
04/11/2012
Abstract:
Cloud-based storage services, such as Wuala, and password managers, such as LastPass, are examples of so called host-proof web applications that aim to protect users from attacks on the servers that host their data. To this end, user data is encrypted on the client and the server is used only as a backup data store. Authorized users may access their data through client-side software, but for ease of use, many commercial applications also offer browser-based interfaces that enable features such as remote access, form-filling, and secure sharing.
We describe a series of web-based attacks on popular host-proof applications that completely circumvent their cryptographic protections. Our attacks exploit standard web application vulnerabilities to expose flaws in the encryption mechanisms, authorization policies, and key management implemented by these applications. Our analysis suggests that host-proofing by itself is not enough to protect users from web attackers, who will simply shift their focus to flaws in client-side interfaces.
Information:
Paper by K. Bhargavan and A. Delignat-Lavaud, 6th USENIX Workshop on Offensive Technologies (WOOT’12).
Brief Discussion:
This interesting paper describes a series of attacks on web-based, storage-only services. In principle, all data can be stored fully encrypted, since no server-side computation is needed. The first problems arise as soon as the browser is involved: how should the browser treat the encrypted data it receives from the server?
The paper describes several attacks, which in general have been known for years (CSRF and the like), and shows how the architecture can be tricked into disclosing, for example, the username and password for the service. Although the attacks are not brand new, the authors use them to build real-world attacks on well-known services. Papers like this are therefore needed to show the other side of the coin: Dropbox and similar services bring their own security issues with them.