ForceHTTPS: Protecting High-Security Web Sites from Network Attacks
Abstract
As wireless networks proliferate, web browsers operate in an increasingly hostile network environment. The HTTPS protocol has the potential to protect web users from network attackers, but real-world deployments must cope with misconfigured servers, causing imperfect web sites and users to compromise browsing sessions inadvertently. ForceHTTPS is a simple browser security mechanism that web sites or users can use to opt in to stricter error processing, improving the security of HTTPS by preventing network attacks that leverage the browser's lax error processing. By augmenting the browser with a database of custom URL rewrite rules, ForceHTTPS allows sophisticated users to transparently retrofit security onto some insecure sites that support HTTPS. We provide a prototype implementation of ForceHTTPS as a Firefox browser extension.
Paper
Current Status
This paper presents the original ForceHTTPS protocol. In September 2009, PayPal published an updated version of the protocol. As of this writing (November 2009), the updated protocol has been adopted by Google Chrome and NoScript, and implementation is underway in Firefox. The Strict-Transport-Security header is in use on a number of high-security web sites, including PayPal.
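The policy described in the abstract and the Strict-Transport-Security header mentioned above, modeled as an added JavaScript illustration (this is not the extension's or any browser's code): a per-host policy database that is either preconfigured or populated from a Strict-Transport-Security header, an http-to-https rewrite for protected hosts, and strict handling of certificate errors for those hosts. The max-age and includeSubDomains directive names follow the updated protocol; the function names, the return values for the certificate-error decision, and the sample hosts are assumptions made for this example.

```javascript
// Added illustration of a ForceHTTPS / Strict-Transport-Security style policy.
// Not the extension's code; function names and sample hosts are assumptions.

// Policy database: host -> { expires: ms since epoch (Infinity = preconfigured),
//                            includeSubDomains: boolean }
function createPolicyDb() {
  return new Map();
}

// Preconfigured protection, analogous to a built-in list of high-security sites.
function addPreconfigured(db, host, includeSubDomains = false) {
  db.set(host.toLowerCase(), { expires: Infinity, includeSubDomains });
}

// Parse a header value such as "max-age=31536000; includeSubDomains".
// Returns null when there is no valid max-age directive.
function parseStsHeader(value) {
  let maxAge = null;
  let includeSubDomains = false;
  for (const raw of value.split(";")) {
    const directive = raw.trim();
    if (!directive) continue;
    const [name, val] = directive.split("=").map((s) => s.trim());
    const lname = name.toLowerCase();
    if (lname === "max-age") {
      if (!/^\d+$/.test(val || "")) return null;
      maxAge = Number(val);
    } else if (lname === "includesubdomains") {
      includeSubDomains = true;
    }
    // Unknown directives are ignored.
  }
  return maxAge === null ? null : { maxAge, includeSubDomains };
}

// Record policy learned from a response. The header is only trusted when it
// arrived over an HTTPS connection with no certificate error; otherwise a
// network attacker could set or clear the policy for a host.
function recordStsHeader(db, host, headerValue, { overHttps, certOk, now = Date.now() }) {
  if (!overHttps || !certOk) return false;
  const parsed = parseStsHeader(headerValue);
  if (!parsed) return false;
  const h = host.toLowerCase();
  if (parsed.maxAge === 0) {
    db.delete(h); // max-age=0 withdraws the policy
    return true;
  }
  db.set(h, {
    expires: now + parsed.maxAge * 1000,
    includeSubDomains: parsed.includeSubDomains,
  });
  return true;
}

// Is the host covered by a live policy? Walks up the label hierarchy so that
// an includeSubDomains entry for example.com also covers www.example.com.
function isProtected(db, host, now = Date.now()) {
  const labels = host.toLowerCase().split(".");
  for (let i = 0; i < labels.length; i++) {
    const candidate = labels.slice(i).join(".");
    const entry = db.get(candidate);
    if (!entry) continue;
    if (entry.expires <= now) {
      db.delete(candidate); // expired entry
      continue;
    }
    if (i === 0 || entry.includeSubDomains) return true;
  }
  return false;
}

// Rewrite rule: upgrade http:// to https:// for protected hosts, before any
// request leaves the browser. Other URLs are returned unchanged.
function rewriteUrl(db, urlString, now = Date.now()) {
  const url = new URL(urlString);
  if (url.protocol === "http:" && isProtected(db, url.hostname, now)) {
    url.protocol = "https:";
  }
  return url.toString();
}

// Stricter error processing: for a protected host a certificate error ends the
// connection instead of offering the user a click-through dialog.
function onCertificateError(db, host, now = Date.now()) {
  return isProtected(db, host, now) ? "abort" : "prompt-user";
}

// Constructed walk-through with assumed hosts.
const db = createPolicyDb();
addPreconfigured(db, "paypal.com", true);
console.log(rewriteUrl(db, "http://www.paypal.com/cgi-bin/webscr"));
console.log(onCertificateError(db, "www.paypal.com"));
```

The two checks in recordStsHeader are the security-relevant part: a policy is only learned from an error-free HTTPS response, so an attacker who can inject headers into plain HTTP cannot install or withdraw protection, and expiry is enforced on lookup so a stale entry never outlives its max-age.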
Prototype
We have implemented a prototype of ForceHTTPS as a browser extension. To use ForceHTTPS, you will need the following:
Mozilla Firefox (Firefox 2 and Firefox 3 are both supported.)
The ForceHTTPS extension (beta; BSD license)
ForceHTTPS comes with preconfigured protection for Gmail, PayPal, American Express, Bank of America, Chase, and Fidelity.
Please send us your feedback!