Can internet users protect themselves? Challenges and techniques of automated protection of HTTP communication

  • Authors: Lars Völker; Marcel Noe; Oliver P. Waldhorst; Christoph Werle; Christoph Sorge

  • Affiliations: Institut für Telematik, Karlsruhe Institute of Technology, Zirkel 2, 76131 Karlsruhe, Germany; Institut für Telematik, Karlsruhe Institute of Technology, Zirkel 2, 76131 Karlsruhe, Germany; Institut für Telematik, Karlsruhe Institute of Technology, Zirkel 2, 76131 Karlsruhe, Germany; Institut für Telematik, Karlsruhe Institute of Technology, Zirkel 2, 76131 Karlsruhe, Germany; Department of Computer Science, Universität Paderborn, Warburger Str. 100, 33098 Paderborn, Germany

  • Venue: Computer Communications

  • Year: 2011

Quantified Score

Hi-index 0.24

Abstract

HTTPS enables secure access to web content and web-based services. Although supported by many content and service providers, HTTPS is often not enabled by default, as pointed out in an open letter sent to Google by security experts. In this article, we discuss if and how web users can protect themselves by using HTTPS instead of HTTP. We show that many websites allow content to be accessed by HTTPS instead of HTTP. However, HTTPS access must be manually configured or requested by the user, or is not possible at all, e.g., for embedded objects. For this reason, we explore how to protect users transparently by automatically using HTTPS whenever possible. In order to enable this approach, one needs to determine whether using HTTPS yields the same content as using HTTP, even in the presence of dynamic websites incorporating advertisements and news. We show that this decision is possible for entire websites like amazon.com in a short time by combining a fast content comparison algorithm, result caching, and observations on the structure of the website. Besides the concrete HTTP use case considered in this article, our results are of independent interest for any setting in which content can be accessed by various means. Finally, we present and discuss different approaches for implementing automated protection of HTTP connections.