[prev in list] [next in list] [prev in thread] [next in thread]
List: full-disclosure
Subject: [FD] HTTPS Only 3.1 (Detailed Analysis, Browser Security, Open Source, Python)
From: David Leo <david.leo () httpsonly ! net>
Date: 2016-03-23 8:58:43
Message-ID: 153a2b28d62.e8e8208655374.948840962540442210 () httpsonly ! net
[Download RAW message or body]
To secure browser which is very fragile, the approach of HTTPS Only 3.1 is exceptionally \
simple: 1. Only HTTPS URLs(no other protocols)
2. Whitelist of domains(anything outside of whitelist is blocked)
Now, let's look at threats:
1. Man in the middle - it's fixed.
2. Phishing always requires the browser to load attacker's website, so it's permanently dead \
here. 3. Drive-by Download - dead(if applied strictly, unable to download the executable)
4. Clickjacking - dead(attacker's web page is unreachable)
5. Address Spoofing - dead too(just unable to load the fake content)
6. XSS - almost dead(for attacker, the XSS vulnerability has to be GET, because POST requires \
attacker's HTML) 7. CSRF - almost dead(for attacker, the CSRF vulnerability has to be GET, and \
modern web applications simply don't do important things in GET, because it can be bookmarked \
etc, too dangerous)
URLs:
Project Home Page: https://www.httpsonly.net/
View Source Code: https://www.httpsonly.net/source/
Kind Regards,
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic