An HTTP Extension for Secure Transfer of Confidential Data

1 Author(s)
Takesue, M. ; Dept. Appl. Inf., Hosei Univ., Tokyo, Japan

Users' confidential data in transit on the WWW are protected by HTTP's authentication scheme or the SSL protocol. However, the former has several weak points in terms of security, while the latter has a few problems that hinder its wide deployment. To alleviate the problems, we propose a scheme for user-initiated server authentication and two schemes for protecting against the cross-site-scripting (XSS) and cross-site reference forgery (XSRF) attacks. Server authentication fails when phishing, pharming, and MITM attacks are deployed, leading to the detection of those attacks. The protection schemes can thwart MITM, as well as XSS and XSRF. We integrate our schemes into HTTP and extend the browser so that the user can start server authentication when a loaded Web page has a form for submitting data and the user notifies the browser that his/her submitted data are confidential. The browser invokes the protection schemes when the page has no submission form, since XSS and XSRF are deployed without the user's awareness, i.e., without the submission form.

Published in:

Networking, Architecture, and Storage, 2009. NAS 2009. IEEE International Conference on

Date of Conference:

9-11 July 2009