HTTPSLock: Enforcing HTTPS in Unmodified Browsers with Cached Javascript

2010 Fourth International Conference on Network and System Security Pub Date : 2010-09-01 DOI:10.1109/NSS.2010.84

Adonis P. H. Fung, K. Cheung

{"title":"HTTPSLock: Enforcing HTTPS in Unmodified Browsers with Cached Javascript","authors":"Adonis P. H. Fung, K. Cheung","doi":"10.1109/NSS.2010.84","DOIUrl":null,"url":null,"abstract":"HTTPS is designed to protect a connection against eavesdropping and man-in-the-middle attacks. HTTPS is however often compromised and voided when users are to embrace invalid certificates or disregard if HTTPS is being used. The current HTTPS deployment relies on unsophisticated users to safeguard themselves by performing legitimacy judgment. We propose HTTPS Lock, a simple and immediate approach to enforce HTTPS security. HTTPS Lock can be deployed to a website with a valid certificate by simply including several Javascript and HTML files, which will be cached in browsers. Similar to the trust-on-first-use model used by SSH, the trusted code cached on the client-side can effectively enforce the use of HTTPS and forbid users to embrace invalid certificates for any compromised networks subsequently encountered. Over 72% of major web browsers are supported, and further growth is expected. In any situation where the protection is unsupported or expired, the current security standard is gracefully maintained. As desired, the deployment is not hindered by standardization and collaboration from browser vendors as with other proposals.","PeriodicalId":127173,"journal":{"name":"2010 Fourth International Conference on Network and System Security","volume":null,"pages":null},"PeriodicalIF":0.0000,"publicationDate":"2010-09-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"18","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2010 Fourth International Conference on Network and System Security","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/NSS.2010.84","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 18

Abstract

HTTPS is designed to protect a connection against eavesdropping and man-in-the-middle attacks. HTTPS is however often compromised and voided when users are to embrace invalid certificates or disregard if HTTPS is being used. The current HTTPS deployment relies on unsophisticated users to safeguard themselves by performing legitimacy judgment. We propose HTTPS Lock, a simple and immediate approach to enforce HTTPS security. HTTPS Lock can be deployed to a website with a valid certificate by simply including several Javascript and HTML files, which will be cached in browsers. Similar to the trust-on-first-use model used by SSH, the trusted code cached on the client-side can effectively enforce the use of HTTPS and forbid users to embrace invalid certificates for any compromised networks subsequently encountered. Over 72% of major web browsers are supported, and further growth is expected. In any situation where the protection is unsupported or expired, the current security standard is gracefully maintained. As desired, the deployment is not hindered by standardization and collaboration from browser vendors as with other proposals.

查看原文本刊更多论文

httplock:在未修改的浏览器中使用缓存的Javascript强制HTTPS

HTTPS旨在保护连接免受窃听和中间人攻击。然而，当用户接受无效证书或忽略正在使用HTTPS时，HTTPS经常被破坏和无效。目前的HTTPS部署依赖于简单的用户通过执行合法性判断来保护自己。我们提出HTTPS锁，一个简单而直接的方法来强制HTTPS安全。HTTPS锁可以通过简单地包含几个Javascript和HTML文件部署到具有有效证书的网站，这些文件将缓存在浏览器中。与SSH使用的首次使用信任模型类似，缓存在客户端上的受信任代码可以有效地强制使用HTTPS，并禁止用户为随后遇到的任何受损网络使用无效证书。它支持超过72%的主流浏览器，预计还会进一步增长。在保护不受支持或过期的任何情况下，都将优雅地维护当前的安全标准。正如预期的那样，部署不会像其他提案那样受到来自浏览器供应商的标准化和协作的阻碍。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

2010 Fourth International Conference on Network and System Security

自引率

0.00%

发文量