On the (in)Security and Weaknesses of Commonly Used Applications on Large-Scale Distributed Systems.

Andrea Francesco Abate,Aniello Castiglione,Lucia Cimmino, Davide De Angelis, Sara Flauto, Alberto Volpe

CSCS (2023)

Citations: 0 | Views: 7

Abstract
The modern use of communication, the information it carries and its protection at every stage (creation, storage, sending and receiving) have produced infrastructures that grow exponentially year by year and that must be protected carefully if we want to communicate with our interlocutors without others interfering (deliberately or unintentionally), intercepting, modifying or fraudulently damaging our communication. Today most of the information flowing over the Internet is transported across large-scale distributed systems by the secure version of the HTTP protocol (HTTPS). The use of cryptography within HTTPS provides a fair level of security that lets users sleep peacefully and, even worse/better (depending on the point of view), trust the entire communication flow passing through these large distributed systems. This paper shows how web applications that use the TLS protocol to protect their communications can be analyzed, with the main purpose of reverse engineering them and performing a kind of vulnerability assessment aimed at improving their security. The authors discovered serious flaws in several large-scale distributed systems/applications: those flaws were exploited to read and modify messages sent over a secure HTTPS channel or, alternatively, could be used to understand the inner workings of a given application. The authors show that it is quite common to see logins and passwords travelling back and forth over the network in clear text. Last but not least, the proposed approach undermines the basis of mutual trust between institutions when that trust rests on the principle of federated identity across institutions.
Keywords

SSL, TLS, Man-in-the-Middle Attacks, (in)Secure Communications, Web Application Security Analysis, Reverse Engineering, Application Vulnerability Assessment