ForceHTTPS – Protection against compromised browsing sessions

by Black on September 29, 2009 · 0 comments

in Anonymity, Security Reconnaissance, Security tools, Source Code

As wireless networks proliferate, web browsers operate in an increasingly hostile network environment. The HTTPS protocol has the potential to protect web users from network attackers, but real-world deployments must cope with misconfigured servers, causing imperfect web sites and users to compromise browsing sessions inadvertently. ForceHTTPS is a simple browser security mechanism that web sites or users can use to opt in to stricter error processing, improving the security of HTTPS by preventing network attacks that leverage the browser’s lax error processing. By augmenting the browser with a database of custom URL rewrite rules, ForceHTTPS allows sophisticated users to transparently retrofit security onto some insecure sites that support HTTPS.


ForceHTTPS is currently available only as an extension for the Firefox browser; hopefully support for other browsers will follow soon.

ForceHTTPS is for everyone who wants protection from all types of HTTPS-based network attack.

Protection against attacks:

Cross-Site Scripting (XSS).
Cross-Site Request Forgery (CSRF).
HTTP Response Splitting.
document.domain.

Why use ForceHTTPS?

Browsers accept broken certificates and allow embedding of insecure scripts for two reasons:

Compatibility: Many web sites have incorrectly configured certificates and embed insecure scripts. A browser that enforces strict error processing is incompatible with these sites and will lose users to a more permissive browser.
Unknown Intent: Some site owners intentionally use self-signed certificates and host portions of their site over HTTP because these mechanisms provide protection from passive attackers and they believe the risk of an active attack is outweighed by the cost of implementing HTTPS fully.
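To make the opt-in model concrete, here is an added example (not code from the ForceHTTPS extension itself) that models the three behaviours described above for an opted-in host: rewriting http:// URLs to https://, treating certificate errors as fatal instead of prompting, and blocking insecure embedded content. The rule database is a constructed set of hostnames, and the site opt-in signal is represented here as a hypothetical cookie named ForceHTTPS; both are assumptions for illustration.

```javascript
// Constructed rule database: hosts that have opted in to strict processing.
const forcedHosts = new Set(["mail.example", "bank.example"]);

// A site opts in by setting a cookie (hypothetical name "ForceHTTPS");
// a sophisticated user could also add a rule for a host directly.
function addRuleFromCookie(setCookieHeader, host) {
  const name = setCookieHeader.split(";")[0].split("=")[0].trim();
  if (name === "ForceHTTPS") {
    forcedHosts.add(host);
    return true;
  }
  return false;
}

// URL rewrite rule: plain-HTTP navigations to an opted-in host are
// upgraded to HTTPS before any request leaves the browser, so an
// attacker on the local network never sees a cleartext request.
function rewriteUrl(urlString) {
  const url = new URL(urlString);
  if (url.protocol === "http:" && forcedHosts.has(url.hostname)) {
    url.protocol = "https:"; // WHATWG URL allows http -> https
  }
  return url.href;
}

// Stricter error processing: the default browser behaviour is to let the
// user click through a certificate error; for an opted-in host the
// connection is aborted instead, removing the "accept anyway" path.
function decideCertError(host) {
  return forcedHosts.has(host) ? "abort" : "prompt-user";
}

// Mixed content: an HTTPS page on an opted-in host may only embed
// HTTPS subresources, so an injected cleartext script cannot run in
// the page's origin.
function allowSubresource(pageUrl, resourceUrl) {
  const page = new URL(pageUrl);
  const res = new URL(resourceUrl);
  if (page.protocol === "https:" && forcedHosts.has(page.hostname)) {
    return res.protocol === "https:";
  }
  return true; // non-opted-in sites keep the browser's lax behaviour
}
```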

ForceHTTPS is not a defense against phishing, but it complements many existing phishing defenses, such as SiteKey, the Yahoo! Sign-in Seal, and Chase’s Activation Code, by instructing the browser to protect session integrity and long-lived authentication tokens.

ForceHTTPS comes with preconfigured protection for Gmail, PayPal, American Express, Bank of America, Chase, and Fidelity.

Download ForceHTTPS here
