Protecting High-Security Web Sites
from Network Attacks
As wireless networks proliferate, web browsers operate in an increasingly hostile network environment. The HTTPS protocol has the potential to protect web users from network attackers, but real-world deployments must cope with misconfigured servers, causing imperfect web sites and users to compromise browsing sessions inadvertently. ForceHTTPS is a simple browser security mechanism that web sites or users can use to opt in to stricter error processing, improving the security of HTTPS by preventing network attacks that leverage the browser's lax error processing. By augmenting the browser with a database of custom URL rewrite rules, ForceHTTPS allows sophisticated users to transparently retrofit security onto some insecure sites that support HTTPS. We provide a prototype implementation of ForceHTTPS as a Firefox browser extension.
This paper presents the original ForceHTTPS protocol. In September 2009, PayPal published an updated version of the protocol. As of this writing (November 2009), the updated protocol has been adopted by Google Chrome and NoScript, and implementation is underway in Firefox. The Strict-Transport-Security header is in use on a number of high-security web sites, including PayPal.
PrototypeWe have implemented a prototype of ForceHTTPS as a browser extension. To use ForceHTTPS, you will need the following:
- Mozilla Firefox (Firefox 2 and Firefox 3 are both supported.)
- (beta; BSD license)
Please send us your feedback!