An HTTP Extension for Secure Transfer of Confidential Data

Users' confidential data in transit on the WWW are protected either by HTTP's authentication schemes or by the SSL protocol. However, the former has several weak points in terms of security, while the latter faces a few obstacles to its wide deployment. To alleviate these problems, we propose a scheme for user-initiated server authentication and two schemes for protecting against Cross-Site Scripting (XSS) and Cross-Site Reference Forgery (XSRF) attacks. Server authentication fails when phishing, pharming, or MITM attacks are deployed, so its failure serves to detect those attacks. The protection schemes can thwart MITM as well as XSS and XSRF. We integrate our schemes into HTTP and extend the browser so that the user can start server authentication when a loaded web page has a form for submitting data and the user notifies the browser that the data to be submitted are confidential. The browser invokes the protection schemes when the page has no submission form, since XSS and XSRF are deployed without the user's awareness, i.e., without a submission form.