Hello all! http://seclists.org/fulldisclosure/2016/Mar/77 HTTPS Only 3.1 (Detailed Analysis, Browser Security, Open Source, Python)
------------------------------------------------------------------------ From: David Leo <david.leo () httpsonly net> Date: Wed, 23 Mar 2016 01:58:43 -0700 ------------------------------------------------------------------------ To secure browser which is very fragile, the approach of HTTPS Only 3.1 is exceptionally simple: 1. Only HTTPS URLs(no other protocols) 2. Whitelist of domains(anything outside of whitelist is blocked) Now, let's look at threats: 1. Man in the middle - it's fixed. 2. Phishing always requires the browser to load attacker's website, so it's permanently dead here. 3. Drive-by Download - dead(if applied strictly, unable to download the executable) 4. Clickjacking - dead(attacker's web page is unreachable) 5. Address Spoofing - dead too(just unable to load the fake content) 6. XSS - almost dead(for attacker, the XSS vulnerability has to be GET, because POST requires attacker's HTML) 7. CSRF - almost dead(for attacker, the CSRF vulnerability has to be GET, and modern web applications simply don't do important things in GET, because it can be bookmarked etc, too dangerous) URLs: Project Home Page: https://www.httpsonly.net/View Source Code: https://www.httpsonly.net/source/ Kind Regards, I'm not the owner of this software, just wanted to share the idea. Have a nice day!
