Computers are increasingly mobile and, to serve them, more and more public spaces (cafes, airports, libraries, etc.) offer their customers WiFi access. When a web browser on such a network requests a resource, it is implicitly trusting the hotspot not to interfere with the communication.\u00a0 A malicious computer hooked up to the network could alter the traffic, however, and this can have some unpleasant consequences.<\/p>\n
Consider your typical online banking session:\u00a0 you type “www.mybank.com” into the address bar, hit enter, and wait for the site to load.\u00a0 When it shows up, you enter your password, do your banking, then log out.\u00a0 This process is more-or-less automatic for many people, and the subtleties of the process disappear in the background.\u00a0 More specifically, these are the steps for logging into the bank’s site:<\/p>\n
It is only after the first few swift (and often unnoticed) steps that the user is presented with a secure connection.\u00a0 In a rogue hotspot, “www.mybank.com” might resolve to an attacker’s server (instead of the real thing) and the HTTPS connection may never happen.\u00a0 Many users might not notice this and end up logging into an attacker’s website.<\/p>\n
HTTPS is intended for both channel encryption, to thwart eavesdroppers, and for server authentication.\u00a0 In the hotspot banking MITM situation, you may simply assume that no errors indicates a safe connection but in all reality the server has not been authenticated!\u00a0\u00a0 After all, you’re not presented with any warnings or UI indicators saying the site is an attack site.\u00a0 If you’re a diligent user, you can always click Firefox’s site identity button to find out whether or not the site has authenticated itself and whether it’s encrypting to prevent eavesdropping, of course.\u00a0 It’s hard to remember (and time consuming) to do that every time, especially when you’re used to logging into certain trustworthy sites automatically.\u00a0 And in fact, a fake bank’s site may even have a little lock icon next to the login box that assures the user he is logging into a secure site —\u00a0 many legitimate banking sites unfortunately do the same thing.<\/p>\n
To stop this kind of man-in-the-middle attack, where an HTTPS site is mimicked over HTTP, Collin Jackson and Adam Barth proposed something called ForceHTTPS<\/a> in 2008.\u00a0 This is a browser feature that allows web sites to tell a browser to always request it via HTTPS, and never unencrypted HTTP.\u00a0 It was intended to help eliminate the redirect from HTTP to HTTPS and minimize the chance of an insecure attack as described above.<\/p>\n We like the idea of ForceHTTPS and are working on implementing it as “ForceTLS” in Firefox with hopes it will reduce occurrences of MITM attacks and generally improve user security.\u00a0 We built an add-on as a first step prototype of the feature that works in a similar fashion to the original design by Jackson and Barth.\u00a0 Instead of using cookies, however, we’re asking sites to send an HTTP header “X-Force-TLS” with any securely-transmitted response.\u00a0 The name of this header will change in the future,<\/em> but for now we’re using “X-Force-TLS” as the experimental header that, when present, means:<\/p>\n ForceTLS can be used for more than just protection against evil hotspots; it can also be used to harden web applications against accidental unencrypted requests.\u00a0 Many popular web apps can be used over both secure HTTPS and insecure HTTP connections; while you’re given the choice to pick HTTPS instead of HTTP, it’s possible that a large web app might have a HTTP URI referenced from some subtle corner of its code (by accident of course), and with Force TLS employed, this would quietly get upgraded to HTTPS and prevent exposing any unencrypted data on the network.<\/p>\n Check out our prototype, and tell us what you think!\u00a0 The browser extension and source code are available on AMO (https:\/\/addons.mozilla.org\/en-US\/firefox\/addon\/12714<\/a>).<\/p>\n Sid Stamm\n
\nSecurinator<\/p>\n","protected":false},"excerpt":{"rendered":"