SSL validation and stripping using trustworthiness factors

US 7,739,494 B1
Filed: 09/13/2005
Issued: 06/15/2010
Est. Priority Date: 04/25/2003
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for thwarting computer attacks, said method comprising the steps of:

examining a digital certificate presented by a server computer in response to a secure sockets layer (SSL) session initiated by a client computer;

compiling a set of suspicion indications gleaned from said examining step;

feeding said suspicion indications to a trustworthiness calculation engine;

outputting from said engine a trustworthiness factor that indicates a suspicion that the digital certificate is part of a computer attack;

determining whether to use SSL stripping on communications with said server computer responsive to an evaluation of said trustworthiness factor; and

responsive to a positive determination to use SSL stripping, performing SSL stripping on communications between said client computer and said server computer.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Computer-implemented methods, apparati, and computer-readable media for thwarting computer attacks. A method embodiment of the present invention comprises the steps of examining (52) a digital certificate (20) presented by a server computer (2); compiling (53) a set of suspicion indications (31) gleaned from said examining step (52); feeding (54) said suspicion indications (31) to a trustworthiness calculation engine (30); and outputting from said engine (30) a trustworthiness factor (32) that determines whether SSL stripping is to be used (57) on communications with said server computer (2).

181 Citations

20 Claims

1. A computer-implemented method for thwarting computer attacks, said method comprising the steps of:
- examining a digital certificate presented by a server computer in response to a secure sockets layer (SSL) session initiated by a client computer;
  
  compiling a set of suspicion indications gleaned from said examining step;
  
  feeding said suspicion indications to a trustworthiness calculation engine;
  
  outputting from said engine a trustworthiness factor that indicates a suspicion that the digital certificate is part of a computer attack;
  
  determining whether to use SSL stripping on communications with said server computer responsive to an evaluation of said trustworthiness factor; and
  
  responsive to a positive determination to use SSL stripping, performing SSL stripping on communications between said client computer and said server computer.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method of claim 1 wherein at least one suspicion indication is an indication from the group of indications consisting of:
    - a self-signed digital certificate;
      
      a digital certificate that was not issued by a trusted signing authority;
      
      a digital certificate having a common name comprising an Internet Protocol (IP) address;
      
      a digital certificate having a common name comprising a domain name that does not match an IP address of the server computer that presented the digital certificate;
      
      the server computer having a disfavored geographical location; and
      
      the server computer being hosted by a dialup connection, cable modem, or digital subscriber line (DSL).
  - 3. The method of claim 1 wherein at least one suspicion indication is the digital certificate having a common name comprising a domain name that does not match an IP address of the server computer that presented the digital certificate and wherein a reverse domain name system (DNS) lookup is used to determine whether a common name comprising a domain name in the digital certificate matches an IP address of the server computer that presented the digital certificate.
  - 4. The method of claim 1 wherein determining whether to use SSL stripping comprises:
    - comparing the trustworthiness factor to a threshold; and
      
      determining whether to use SSL stripping responsive to the comparison with the threshold.
  - 5. The method of claim 4 wherein comparing the trustworthiness factor to a threshold comprises:
    - evaluating the trustworthiness factor against first and second thresholds, wherein the evaluation against the first threshold indicates whether to block communications between said client computer and said server computer and wherein the evaluation against the second threshold indicates whether to allow communications between said client computer and said server computer without using SSL stripping.

6. At least one non-transitory computer-readable storage medium containing executable computer program instructions for thwarting computer attacks, said computer program instructions performing the steps of:
- examining a digital certificate presented by a server computer in response to a secure sockets layer (SSL) session initiated by a client computer;
  
  compiling a set of suspicion indications gleaned from said examining step;
  
  feeding said suspicion indications to a trustworthiness calculation engine;
  
  outputting from said engine a trustworthiness factor that indicates a suspicion that the digital certificate is part of a computer attack;
  
  determining whether to use SSL stripping on communications with said server computer responsive to an evaluation of said trustworthiness factor; and
  
  responsive to a positive determination to use SSL stripping, performing SSL stripping on communications between said client computer and said server computer.
- View Dependent Claims (7, 8, 9, 10)
- - 7. The at least one non-transitory computer-readable medium of claim 6 wherein at least one suspicion indication is an indication from the group of indications consisting of:
    - a self-signed digital certificate;
      
      a digital certificate that was not issued by a trusted signing authority;
      
      a digital certificate having a common name comprising an Internet Protocol (IP) address;
      
      a digital certificate having a common name comprising a domain name that does not match an IP address of the server computer that presented the digital certificate;
      
      the server computer having a disfavored geographical location; and
      
      the server computer being hosted by a dialup connection, cable modem, or digital subscriber line (DSL).
  - 8. The at least one non-transitory computer-readable medium of claim 6 wherein at least one suspicion indication is the digital certificate having a common name comprising a domain name that does not match an IP address of the server computer that presented the digital certificate and wherein a reverse domain name system (DNS) lookup is used to determine whether a common name comprising a domain name in the digital certificate matches an IP address of the server computer that presented the digital certificate.
  - 9. The at least one non-transitory computer-readable medium of claim 6 wherein determining whether to use SSL stripping comprises:
    - comparing the trustworthiness factor to a threshold; and
      
      determining whether to use SSL stripping responsive to the comparison with the threshold.
  - 10. The at least one non-transitory computer-readable medium of claim 9 wherein comparing the trustworthiness factor to a threshold comprises:
    - evaluating the trustworthiness factor against first and second thresholds, wherein the evaluation against the first threshold indicates whether to block communications between said client computer and said server computer and wherein the evaluation against the second threshold indicates whether to allow communications between said client computer and said server computer without using SSL stripping.

11. An apparatus for thwarting computer attacks, said apparatus comprising:
- at least one non-transitory computer-readable storage medium containing executable computer program instructions, said computer program instructions performing the steps of;
  
  examining a digital certificate presented by a server computer in response to a secure sockets layer (SSL) session initiated by a client computer;
  
  compiling a set of suspicion indications gleaned from said examining step;
  
  feeding said suspicion indications to a trustworthiness calculation engine;
  
  outputting from said engine a trustworthiness factor that indicates a suspicion that the digital certificate is part of a computer attack;
  
  determining whether to use SSL stripping on communications with said server computer responsive to an evaluation of said trustworthiness factor; and
  
  responsive to a positive determination to use SSL stripping, performing SSL stripping on communications between said client computer and said server computer.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The apparatus of claim 11, wherein at least one suspicion indication is the digital certificate being self-signed.
  - 13. The apparatus of claim 11, wherein at least one suspicion indication is the digital certificate not being issued by a trusted signing authority.
  - 14. The apparatus of claim 11, wherein at least one suspicion indication is the digital certificate having a common name comprising an Internet Protocol (IP) address.
  - 15. The apparatus of claim 11, wherein at least one suspicion indication is the digital certificate having a common name comprising a domain name that does not match an IP address of the server computer that presented the digital certificate.
  - 16. The apparatus of claim 15, wherein a reverse domain name system (DNS) lookup is used to determine whether a common name comprising a domain name in the digital certificate matches an IP address of the server computer that presented the digital certificate.
  - 17. The apparatus of claim 11, wherein at least one suspicion indication is the digital certificate having a disfavored geographical location.
  - 18. The apparatus of claim 11, wherein at least one suspicion indication is the digital certificate being hosted by a dialup connection, cable modem, or digital subscriber line (DSL).
  - 19. The apparatus of claim 11, wherein determining whether to use SSL stripping comprises:
    - comparing the trustworthiness factor to a threshold; and
      
      determining whether to use SSL stripping responsive to the comparison with the threshold.
  - 20. The apparatus of claim 11, wherein comparing the trustworthiness factor to a threshold comprises:
    - evaluating the trustworthiness factor against first and second thresholds, wherein the evaluation against the first threshold indicates whether to block communications between said client computer and said server computer and wherein the evaluation against the second threshold indicates whether to allow communications between said client computer and said server computer without using SSL stripping.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Sobel, William E., McCorkendale, Bruce
Primary Examiner(s)
Vu; Kimyen
Assistant Examiner(s)
Schwartz; Darren

Application Number

US11/226,766
Time in Patent Office

1,736 Days
Field of Search

713150-156, 713158-159, 713169-170, 713/175, 713187-188, 713193-194, 726/2, 726 10- 13, 726/15, 726 22- 25
US Class Current

713/156
CPC Class Codes

H04L 63/0823 using certificates cryptogr...

H04L 63/166 at the transport layer

SSL validation and stripping using trustworthiness factors

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

181 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

SSL validation and stripping using trustworthiness factors

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

181 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links