Title :
An HTTP Extension for Secure Transfer of Confidential Data
Author_Institution :
Dept. Appl. Inf., Hosei Univ., Tokyo, Japan
Abstract :
Users´ confidential data in transit on the WWW are protected by the HTTP´s authentication scheme or the SSL protocol. However, the former has several weak points in terms of security, while the latter has a few problems against its wide deplotmemt. To alleviate the problems, we propose a scheme for user-initiated server authentication and two schemes for protecting against the cross-site-scripting (XSS) and cross-site reference forgery (XSRF) attacks. Server authentication fails when phishing, pharming, and MITM attacks are deployed, leading to the detection of those attacks. The protection schemes can thwart MITM, as well as XSS and XSRF. We integrate our schemes into the HTTP and extend the browser so that the user can start server authentication when a loaded Web page has a form for submitting data and the user notifies the browser that his/her submitting data are confidential. The browser invokes the protection schemes when the page has no submission form, since XSS and XSRF are deployed without the user´s awareness, i.e., without the submission form.
Keywords :
Internet; message authentication; network servers; online front-ends; transport protocols; unsolicited e-mail; HTTP extension; MITM attack; SSL protocol; WWW; Web page; authentication scheme; browser; confidential data transfer security; cross-site reference forgery attack; cross-site-scripting attack; pharming attack; phishing attack; user-initiated server authentication; Application software; Authentication; Data security; Forgery; Informatics; Protection; Protocols; Secure storage; Web server; World Wide Web; Authentication; HTTP; HTTP cookie; key establishment; same origin policy; trust agent;
Conference_Titel :
Networking, Architecture, and Storage, 2009. NAS 2009. IEEE International Conference on
Conference_Location :
Hunan
Print_ISBN :
978-0-7695-3741-2
DOI :
10.1109/NAS.2009.21
