Christoph Kerschbaumer, Julian Gaibler, Arthur Edelstein (Mozilla Corporation), Thyla van der Merwey (ETH Zurich)

The number of websites that support encrypted and secure https connections has increased rapidly in recent years. Despite major gains in the proportion of websites supporting https, the web contains millions of legacy http links that point to insecure versions of websites. Worse, numerous websites often use http connections by default, even though they already support https. Establishing a connection using http rather than https has the downside that http transfers data in cleartext, granting an attacker the ability to eavesdrop, or even tamper with the transmitted data. To date, however, no web browser has attempted to remedy this problem by favouring secure connections by default.

We present HTTPS-Only, an approach which first tries to establish a secure connection to a website using https and only allows a fallback to http if a secure connection cannot be established. Our approach also silently upgrades all insecure http subresource requests (image, stylesheet, script) within a secure website to use the secure https protocol instead. Our measurements indicate that our approach can upgrade the majority of connections to https and therefore suggests that browser vendors have an opportunity to evolve their current connection model.

View More Papers

K-resolver: Towards Decentralizing Encrypted DNS Resolution

N.P. Hoang, I. Lin, S. Ghavamnia, M. Polychronakis

Read More

From WHOIS to WHOWAS: A Large-Scale Measurement Study of...

Chaoyi Lu (Tsinghua University; Beijing National Research Center for Information Science and Technology), Baojun Liu (Tsinghua University; Beijing National Research Center for Information Science and Technology; Qi An Xin Group), Yiming Zhang (Tsinghua University; Beijing National Research Center for Information Science and Technology), Zhou Li (University of California, Irvine), Fenglu Zhang (Tsinghua University), Haixin Duan…

Read More

Panel – Experiment Artifact Sharing: Challenges and Solutions

Moderator: Laura Tinnel (SRI International) Panelists: Clémentine Maurice (CNRS, IRIS); Martin Rosso (Eindhoven University of Technology); Eric Eide (U. Utah)

Read More

On the Insecurity of SMS One-Time Password Messages against...

Zeyu Lei (Purdue University), Yuhong Nan (Purdue University), Yanick Fratantonio (Eurecom & Cisco Talos), Antonio Bianchi (Purdue University)

Read More