Web services commonly employ Content Distribution Networks (CDNs) for performance and security. As web traffic is becoming 100% HTTPS, more and more websites allow CDNs to terminate their HTTPS connections. This practice may expose a website's user sensitive information such as a user's login password to a third-party CDN. In this paper, we measure and quantify the extent of user password exposure to third-party CDNs. We find that among Alexa top 50K websites, at least 12,451 of them use CDNs and contain user login entrances. Among those websites, 33% of them expose users' passwords to the CDNs, and a popular CDN may observe passwords from more than 40% of its customers. This result suggests that if a CDN infrastructure has a security vulnerability or an insider attack, many users' accounts will be at risk. A simple fix to this security vulnerability is for a website to encrypt a user's password inside the HTTPS request. Our measurement shows that less than 17% of the websites adopt this solution.
翻译:通常使用内容发布网络(CDN)来进行性能和安全。 随着网络流量正在达到100%的 HTTPS, 越来越多的网站允许CDN终止 HTPS 连接。 这种做法可能会暴露网站用户敏感信息, 如用户登录密码到第三方的 CDN 。 在本文中, 我们测量并量化用户密码接触第三方CDN 的程度。 我们发现在前50K 网站中, 至少有12, 451 个网站使用CDN 并包含用户登录入口。 在这些网站中, 33% 将用户密码显示到 CDN, 受欢迎的CDN 可能观察40%以上的客户的密码。 这个结果显示, 如果 CDN 基础设施存在安全脆弱性或内部攻击, 许多用户的账户将面临风险。 对这种安全脆弱性的简单修正是让网站在 HTTPS 请求中加密用户密码。 我们的测量显示, 不到17%的网站采用这一解决方案。