DOI: 10.1145/1367497.1367569
ForceHTTPS: protecting high-security web sites from network attacks

Published: 21 April 2008

    Abstract

    As wireless networks proliferate, web browsers operate in an increasingly hostile network environment. The HTTPS protocol has the potential to protect web users from network attackers, but real-world deployments must cope with misconfigured servers, causing imperfect web sites and users to compromise browsing sessions inadvertently. ForceHTTPS is a simple browser security mechanism that web sites or users can use to opt in to stricter error processing, improving the security of HTTPS by preventing network attacks that leverage the browser's lax error processing. By augmenting the browser with a database of custom URL rewrite rules, ForceHTTPS allows sophisticated users to transparently retrofit security onto some insecure sites that support HTTPS. We provide a prototype implementation of ForceHTTPS as a Firefox browser extension.
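    The abstract describes three behaviours: a host opts in (by the site or the user) to strict HTTPS handling, certificate and TLS errors on such a host become fatal instead of overridable, and a user-maintained table of URL rewrite rules retrofits HTTPS onto sites that support it but do not opt in. The following in-memory model of that policy store is an added example written for this page; it is not the ForceHTTPS Firefox extension's code, and the class, method names, the "opt-in must arrive over HTTPS" rule and the hostnames are assumptions made for illustration.

```javascript
// Added illustration of the ForceHTTPS policy model described in the abstract:
// a browser-side store of hosts that have opted in to strict HTTPS handling,
// plus user-supplied URL rewrite rules. This is NOT the Firefox extension's
// code; class and method names are assumptions made for this example.

class ForceHttpsPolicy {
  constructor() {
    this.enforcedHosts = new Set(); // hosts opted in by the site or the user
    this.rewriteRules = [];         // user-supplied { pattern, replacement }
  }

  // Record an opt-in. A site's opt-in only counts if it arrived over HTTPS;
  // an opt-in observed over plain HTTP could have been injected by the
  // network attacker the mechanism is meant to defeat (assumed design rule).
  optIn(host, { overHttps = true } = {}) {
    if (!overHttps) {
      throw new Error(`ignoring opt-in for ${host}: not received over HTTPS`);
    }
    this.enforcedHosts.add(host.toLowerCase());
  }

  isEnforced(host) {
    return this.enforcedHosts.has(host.toLowerCase());
  }

  // Rewrite rules let a user retrofit HTTPS onto a site that supports it
  // but does not opt in itself. `pattern` is a RegExp, `replacement` a string.
  addRewriteRule(pattern, replacement) {
    this.rewriteRules.push({ pattern, replacement });
  }

  // Decide which URL the browser should actually fetch.
  rewrite(urlString) {
    let url = new URL(urlString);
    for (const { pattern, replacement } of this.rewriteRules) {
      const rewritten = url.href.replace(pattern, replacement);
      if (rewritten !== url.href) {
        url = new URL(rewritten);
        break; // first matching rule wins
      }
    }
    // Opted-in hosts are never contacted over plain HTTP.
    if (url.protocol === 'http:' && this.isEnforced(url.hostname)) {
      url.protocol = 'https:';
    }
    return url.href;
  }

  // Stricter error processing: on an opted-in host every TLS or certificate
  // error terminates the load with no click-through; elsewhere the browser's
  // usual overridable warning applies.
  onTlsError(host, error) {
    if (this.isEnforced(host)) {
      return { action: 'block', reason: `${error} on enforced host ${host}` };
    }
    return { action: 'warn', reason: error };
  }
}

// Worked scenario with constructed hostnames (not real sites).
function demo() {
  const policy = new ForceHttpsPolicy();
  policy.optIn('bank.example');                                               // site opted in
  policy.addRewriteRule(/^http:\/\/mail\.example\//, 'https://mail.example/'); // user rule
  let rejected = false;
  try {
    policy.optIn('attacker-controlled.example', { overHttps: false });
  } catch (e) {
    rejected = true;
  }
  return {
    upgraded: policy.rewrite('http://bank.example/login?next=/acct'),
    retrofitted: policy.rewrite('http://mail.example/inbox'),
    untouched: policy.rewrite('http://news.example/'),
    fatal: policy.onTlsError('bank.example', 'self-signed certificate').action,
    lax: policy.onTlsError('news.example', 'self-signed certificate').action,
    insecureOptInRejected: rejected,
  };
}

console.log(demo());
```

    The point of the model is where the decision lives: once a host is in the store, an attacker who can downgrade a connection or present a forged certificate no longer gets a user-overridable warning, because the browser refuses the load before the user is asked. The store itself is the residual risk: an entry has to be obtained before the first attacked visit, and a rewrite rule is only as good as the user who wrote it.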



    Published In

    WWW '08: Proceedings of the 17th International Conference on World Wide Web, April 2008, 1326 pages. ISBN 9781605580852. DOI: 10.1145/1367497.

    Publisher

    Association for Computing Machinery, New York, NY, United States

    Author Tags

    1. HTTPS
    2. eavesdropping
    3. pharming
    4. same-origin policy


    Acceptance Rates

    Overall Acceptance Rate 1,899 of 8,196 submissions, 23%


    Cited By

    • (2024) Article 45 of the eIDAS Directive Unveils the need to implement the X.509 4-cornered trust model for the WebPKI. Proceedings of the 19th International Conference on Availability, Reliability and Security, pp. 1-11. DOI: 10.1145/3664476.3670900. Online publication date: 30-Jul-2024.
    • (2022) Identification of the Issues in IoT Devices with HSTS Not Enforced and Their Exploitation. 2021 International Conference on Security and Information Technologies with AI, Internet Computing and Big-data Applications, pp. 325-334. DOI: 10.1007/978-3-031-05491-4_33. Online publication date: 30-Nov-2022.
    • (2020) AutoNav: Evaluation and Automatization of Web Navigation Policies. Proceedings of The Web Conference 2020, pp. 1320-1331. DOI: 10.1145/3366423.3380207. Online publication date: 20-Apr-2020.
    • (2020) An Empirical Evaluation of GDPR Compliance Violations in Android mHealth Apps. 2020 IEEE 31st International Symposium on Software Reliability Engineering (ISSRE), pp. 253-264. DOI: 10.1109/ISSRE5003.2020.00032. Online publication date: Oct-2020.
    • (2019) TLS/PKI Challenges and Certificate Pinning Techniques for IoT and M2M Secure Communications. IEEE Communications Surveys & Tutorials 21(4), pp. 3502-3531. DOI: 10.1109/COMST.2019.2914453. Online publication date: Dec-2020.
    • (2018) Uncovering HTTP Header Inconsistencies and the Impact on Desktop/Mobile Websites. Proceedings of the 2018 World Wide Web Conference, pp. 247-256. DOI: 10.1145/3178876.3186091. Online publication date: 10-Apr-2018.
    • (2018) On the Feasibility of Fine-Grained TLS Security Configurations in Web Browsers Based on the Requested Domain Name. Security and Privacy in Communication Networks, pp. 213-228. DOI: 10.1007/978-3-030-01704-0_12. Online publication date: 29-Dec-2018.
    • (2017) Privacy Preservation and Data Security on Internet Using Mutual Ssl. Oriental Journal of Computer Science and Technology 10(1), pp. 249-254. DOI: 10.13005/ojcst/10.01.34. Online publication date: 22-Mar-2017.
    • (2017) Surviving the Web. ACM Computing Surveys 50(1), pp. 1-34. DOI: 10.1145/3038923. Online publication date: 6-Mar-2017.
    • (2017) Security Implications of Redirection Trail in Popular Websites Worldwide. Proceedings of the 26th International Conference on World Wide Web, pp. 1491-1500. DOI: 10.1145/3038912.3052698. Online publication date: 3-Apr-2017.
