Quantifying User Password Exposure to Third-Party CDNs
Rui Xin, Shihan Lin, Xiaowei Yang

TL;DR
This paper measures how many websites expose user passwords to third-party CDNs due to HTTPS termination, revealing significant privacy risks and highlighting the need for better encryption practices.
Contribution
It provides the first large-scale quantification of user password exposure to third-party CDNs and emphasizes the security implications of current HTTPS termination practices.
Findings
At least 12,451 websites use CDNs and contain user login pages.
33% of these websites expose user passwords to CDNs.
Less than 17% encrypt passwords in HTTPS to prevent exposure.
Abstract
Web services commonly employ Content Distribution Networks (CDNs) for performance and security. As web traffic is becoming 100% HTTPS, more and more websites allow CDNs to terminate their HTTPS connections. This practice may expose a website's users' sensitive information, such as a user's login password, to a third-party CDN. In this paper, we measure and quantify the extent of user password exposure to third-party CDNs. We find that among the Alexa top 50K websites, at least 12,451 of them use CDNs and contain user login entrances. Among those websites, 33% expose users' passwords to the CDNs, and a popular CDN may observe passwords from more than 40% of its customers. This result suggests that if a CDN infrastructure has a vulnerability or suffers an insider attack, many users' accounts will be at risk. If we assume the attacker is a passive eavesdropper, a website can avoid this…
Taxonomy
Topics: Internet Traffic Analysis and Secure E-voting · Privacy, Security, and Data Protection · Spam and Phishing Detection
