Title :
HTTPSLock: Enforcing HTTPS in Unmodified Browsers with Cached Javascript
Author :
Fung, Adonis P H ; Cheung, K.W.
Author_Institution :
Dept. of Inf. Eng., Chinese Univ. of Hong Kong, Hong Kong, China
Abstract :
HTTPS is designed to protect a connection against eavesdropping and man-in-the-middle attacks. HTTPS is however often compromised and voided when users are to embrace invalid certificates or disregard if HTTPS is being used. The current HTTPS deployment relies on unsophisticated users to safeguard themselves by performing legitimacy judgment. We propose HTTPS Lock, a simple and immediate approach to enforce HTTPS security. HTTPS Lock can be deployed to a website with a valid certificate by simply including several Javascript and HTML files, which will be cached in browsers. Similar to the trust-on-first-use model used by SSH, the trusted code cached on the client-side can effectively enforce the use of HTTPS and forbid users to embrace invalid certificates for any compromised networks subsequently encountered. Over 72% of major web browsers are supported, and further growth is expected. In any situation where the protection is unsupported or expired, the current security standard is gracefully maintained. As desired, the deployment is not hindered by standardization and collaboration from browser vendors as with other proposals.
Keywords :
Java; Web sites; cache storage; certification; computer network security; cryptographic protocols; online front-ends; transport protocols; HTTPS security; HTTPSLock; Web browser; Web site; cached Javascript; eavesdropping attack; invalid certificate; man in the middle attack; security standard; unmodified browser; Browsers; Indexes; Portals; Proposals; Protocols; Security; Servers; HTTPS deployment; browser security; man-in-the-middle attacks;
Conference_Title :
Network and System Security (NSS), 2010 4th International Conference on
Conference_Location :
Melbourne, VIC
Print_ISBN :
978-1-4244-8484-3
Electronic_ISBN :
978-0-7695-4159-4
DOI :
10.1109/NSS.2010.84