Christoph Kerschbaumer, Julian Gaibler, Arthur Edelstein (Mozilla Corporation), Thyla van der Merwey (ETH Zurich)

The number of websites that support encrypted and secure https connections has increased rapidly in recent years. Despite major gains in the proportion of websites supporting https, the web contains millions of legacy http links that point to insecure versions of websites. Worse, numerous websites often use http connections by default, even though they already support https. Establishing a connection using http rather than https has the downside that http transfers data in cleartext, granting an attacker the ability to eavesdrop, or even tamper with the transmitted data. To date, however, no web browser has attempted to remedy this problem by favouring secure connections by default.

We present HTTPS-Only, an approach which first tries to establish a secure connection to a website using https and only allows a fallback to http if a secure connection cannot be established. Our approach also silently upgrades all insecure http subresource requests (image, stylesheet, script) within a secure website to use the secure https protocol instead. Our measurements indicate that our approach can upgrade the majority of connections to https and therefore suggests that browser vendors have an opportunity to evolve their current connection model.

View More Papers

PFirewall: Semantics-Aware Customizable Data Flow Control for Smart Home...

Haotian Chi (Temple University), Qiang Zeng (University of South Carolina), Xiaojiang Du (Temple University), Lannan Luo (University of South Carolina)

Read More

Demo #6: Impact of Stealthy Attacks on Autonomous Robotic...

Pritam Dash, Mehdi Karimibiuki, and Karthik Pattabiraman (University of British Columbia)

Read More

Trusted Verification of Over-the-Air (OTA) Secure Software Updates on...

Anway Mukherjee, Ryan Gerdes, and Tam Chantem (Virginia Tech)

Read More