Abstract

Web servers provide immunity against Man In The Middle (MITM) attacks and eavesdropping by using HTTP Strict Transport Security (HSTS) to force user agents to communicate only over HTTPS connections. However, the initial connection request from a user is made over an insecure HTTP connection. User agents such as Google Chrome and Firefox address this issue implicitly by including a static list of URLs that are to be accessed only over secure HTTPS connections. Since these user agents maintain their lists independently, the URLs used by one user agent are invisible to another. A user is therefore prone to MITM attacks, especially in public hotspot environments, when accessing a URL present in the secure-URL list of one browser but not in another, since the initial handshake from that user agent is insecure. Attacks can be initiated by modifying the outgoing HTTP packets and also the HTTPS response packets from the web server. This motivated us to propose a solution independent of user agents, by merging the static URL lists of different user agents and enforcing HTTPS for all those URLs. In this paper, we propose a solution, SHS-HTTPS Enforcer, that introduces a local daemon to enforce URL redirection before the request flows out of the client for the URLs in a list compiled from multiple sources. The proposed solution has been demonstrated through a prototype implementation using the Squid Proxy server as our local daemon. The experiment was conducted by providing a URL which was not present in one browser's list but was present in another browser's list. It was evident that SHS-HTTPS Enforcer enforced HTTPS successfully and MITM attacks were prevented.
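The core of the approach described above is a merge of several browsers' static HTTPS-only lists and a rewrite of outgoing http:// requests for any listed host before they leave the client. The following is an added illustration written for this page, not the paper's SHS-HTTPS Enforcer code or a Squid helper; the two sample lists, their (host, include_subdomains) shape and all host names are constructed.

```python
"""Added example (not the paper's code): merge HSTS preload-style entries
from several user agents and rewrite outgoing http:// URLs to https:// for
any host the merged list covers, as a local enforcement daemon would.
The list shape and host names below are constructed for illustration."""
from urllib.parse import urlsplit, urlunsplit

# Constructed sample: (host, include_subdomains) tuples, as if parsed
# from two different browsers' static HTTPS-only lists.
BROWSER_A = [("example.com", True), ("bank.example", False)]
BROWSER_B = [("bank.example", True), ("shop.example.net", False)]


def merge_preload(*sources):
    """Union of all sources; include_subdomains is OR-ed so the merged
    list is never weaker than any single browser's list for a host."""
    merged = {}
    for source in sources:
        for host, include_subdomains in source:
            host = host.lower().rstrip(".")
            merged[host] = merged.get(host, False) or include_subdomains
    return merged


def is_enforced(host, merged):
    """True on an exact match, or when a parent domain is listed with
    include_subdomains set (the HSTS subdomain rule)."""
    host = host.lower().rstrip(".")
    if host in merged:
        return True
    labels = host.split(".")
    return any(merged.get(".".join(labels[i:])) for i in range(1, len(labels)))


def enforce_https(url, merged):
    """Return the https:// form of an http:// URL for an enforced host.
    Any other URL is returned unchanged so the daemon never alters
    traffic outside the merged list."""
    parts = urlsplit(url)
    if parts.scheme != "http" or not parts.hostname:
        return url
    if not is_enforced(parts.hostname, merged):
        return url
    # An explicit :80 is dropped so the request goes to the default TLS
    # port; any other explicit port is kept, as HSTS requires.
    netloc = parts.hostname if parts.port in (None, 80) else parts.netloc
    return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
```

A proxy-side daemon would call enforce_https on each outgoing request URL and answer with a redirect whenever the returned URL differs from the one requested.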
