2008 Poster Sessions : ForceHTTPS: Protecting High-Security Web Sites from Network Attacks

Student Name : Adam Barth
Advisor : John Mitchell
Research Areas: Computer Systems
As wireless networks proliferate, web browsers operate in an increasingly hostile network environment. The HTTPS protocol has the potential to protect web users from network attackers, but real-world deployments must cope with misconfigured servers, causing imperfect web sites and users to compromise browsing sessions inadvertently.

ForceHTTPS is a simple browser security mechanism that web sites or users can use to opt in to stricter error processing, improving the security of HTTPS by preventing network attacks that leverage the browser's lax error processing. By augmenting the browser with a database of custom URL rewrite rules, ForceHTTPS allows sophisticated users to transparently retrofit security onto some insecure sites that support HTTPS. We provide a prototype implementation of ForceHTTPS as a Firefox browser extension.
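
A small model of the two behaviours described above, added here as an illustration and not taken from the ForceHTTPS extension itself. The rule format, host names and function names are assumptions, and treating TLS errors as fatal for opted-in hosts is this example's reading of "stricter error processing".

```javascript
// Constructed policy database (hypothetical format, not the extension's own).
const policy = {
  // Hosts that opted in to strict handling.
  strictHosts: new Set(["bank.example"]),
  // User-supplied prefix rewrites that retrofit HTTPS onto a site.
  rewriteRules: [
    { from: "http://www.mail.example/", to: "https://mail.example/" },
  ],
};

function hostIsStrict(host) {
  return policy.strictHosts.has(host.toLowerCase());
}

// Decide which URL the browser should actually request.
function rewriteUrl(rawUrl) {
  // 1. Custom rewrite rules take priority.
  for (const rule of policy.rewriteRules) {
    if (rawUrl.startsWith(rule.from)) {
      return rule.to + rawUrl.slice(rule.from.length);
    }
  }
  // 2. Opted-in hosts are never contacted over plain HTTP.
  const url = new URL(rawUrl);
  if (url.protocol === "http:" && hostIsStrict(url.hostname)) {
    url.protocol = "https:";
    return url.href;
  }
  return rawUrl;
}

// Decide what happens when the TLS handshake reports an error
// (for example a self-signed certificate or a name mismatch).
function onTlsError(host, userAcceptsWarning) {
  if (hostIsStrict(host)) return "abort";          // no click-through offered
  return userAcceptsWarning ? "proceed" : "abort"; // the lax default
}

// Constructed sample navigations.
for (const u of ["http://bank.example/login", "http://www.mail.example/inbox",
                 "http://news.example/story"]) {
  console.log(u, "->", rewriteUrl(u));
}
console.log("TLS error on bank.example:", onTlsError("bank.example", true));
```

The point of the strict branch in `onTlsError` is that a network attacker presenting a bad certificate gets a hard failure instead of a warning the user can dismiss.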

Adam Barth is a fifth-year Ph.D. student under John C. Mitchell. His research focuses on privacy languages and web security. Recently, he has been contributing code to Firefox and Safari to help improve the security policies of web browsers running on devices ranging from desktops to iPhones. When he's not alternately breaking and fixing the web, Adam enjoys reading classic Russian novels, climbing mountains, and watching Super Bowl commercials.