Web services commonly employ Content Distribution Networks (CDNs) for performance and security. As web traffic is becoming 100% HTTPS, more and more websites allow CDNs to terminate their HTTPS connections. This practice may expose a website's user sensitive information such as a user's login password to a third-party CDN. In this paper, we measure and quantify the extent of user password exposure to third-party CDNs. We find that among Alexa top 50K websites, at least 12,451 of them use CDNs and contain user login entrances. Among those websites, 33% of them expose users' passwords to the CDNs, and a popular CDN may observe passwords from more than 40% of its customers. This result suggests that if a CDN infrastructure has a vulnerability or an insider attack, many users' accounts will be at risk. If we assume the attacker is a passive eavesdropper, a website can avoid this vulnerability by encrypting users' passwords in HTTPS connections. Our measurement shows that less than 17% of the websites adopt this countermeasure.
翻译:网络服务商通常使用内容分发网络(CDN)来提升性能和安全性。随着网络流量全面转向HTTPS,越来越多的网站允许CDN终止其HTTPS连接。这种做法可能导致用户敏感信息(如登录密码)暴露给第三方CDN。本文测量并量化了用户密码对第三方CDN的暴露程度。我们发现,在Alexa排名前5万的网站中,至少有12,451个使用了CDN并包含用户登录入口。在这些网站中,33%的网站将用户密码暴露给了CDN,而一个流行的CDN可能从超过40%的客户中观察到密码。这一结果表明,如果CDN基础设施存在漏洞或遭受内部攻击,许多用户账户将面临风险。假设攻击者为被动窃听者,网站可以通过在HTTPS连接中加密用户密码来避免这一漏洞。我们的测量显示,仅有不到17%的网站采取了这一对策。