Use of HTTPS for securing the data in transmission from eavesdropping is well known.
The user can be sure that the data he is submitting is going over encrypted channel and is secure from sniffing.
Although it's secure but few factors can still be considered as major lapse in implementing HTTPS securely.All modern web browsers are willing to compromise the security of sites that use HTTPS in order to be compatible with sites that deploy HTTPS incorrectly.For example, if an active attacker presents a self-signed certificate, web browsers permit the user to click through a warning message and access the site despite the error.Certificate Errors happen due to Common-Name mismatch between the certificate name and hosting server;Self-signed certificates or expired certificates.This behavior compromises the confidentiality of the site's Secure cookies, which often store a second factor of authentication, and allows the attacker to hijack a legitimate user's session.
End-user being a novice in security knowledge will happily choose to accept the warning message and tend to perform his action.

A new technique for thwarting this kind of flaws has been proposed by Adam Barth and Collin Jackson as 'ForceHTTPS'.By setting a ForceHTTPS cookie, a site owner asks the browser to treat HTTPS errors as attacks, not as simple configuration mistake.
ForceHTTPS causes a browser to do the following:

1.All errors like self-signed certificate warning or common-name mismatch will terminate the SSL Session.

2.Non-HTTPS connections are redirected to HTTPS.

3.Attempts to embed insecure (non-HTTPS) content into
the site fail with network errors.

But the ForceHTTPS protects you against the active/passive sniffing and improper configured web certificates.
It does not address threats like Phishing and Malware/Browser Vulnerabilities.

Paypal has alreday implemented it and currently Firefox,Goolge Chrome and Noscript is implementing it.
ForceHTTPS uses 'Strict-Transport-Policy'(STS) header to implement the security.

STS server returns the following response header:

"Strict-Transport-Security" ":" "max-age" "=" delta-seconds [ ";" "includeSubDomains" ]

For more info visit:


Popular posts from this blog

SQL Injection in search field

File Upload through Null Byte Injection