• DocumentCode
    2875184
  • Title
    An HTTP Extension for Secure Transfer of Confidential Data
  • Author
    Takesue, Masaru
  • Author_Institution
    Dept. Appl. Inf., Hosei Univ., Tokyo, Japan
  • fYear
    2009
  • fDate
    9-11 July 2009
  • Firstpage
    101
  • Lastpage
    108
  • Abstract
    Users' confidential data in transit on the WWW are protected by HTTP's authentication scheme or the SSL protocol. However, the former has several weak points in terms of security, while the latter faces a few problems that hinder its wide deployment. To alleviate these problems, we propose a scheme for user-initiated server authentication and two schemes for protecting against cross-site scripting (XSS) and cross-site reference forgery (XSRF) attacks. Server authentication fails when phishing, pharming, and MITM attacks are deployed, leading to the detection of those attacks. The protection schemes can thwart MITM as well as XSS and XSRF. We integrate our schemes into HTTP and extend the browser so that the user can start server authentication when a loaded Web page has a form for submitting data and the user notifies the browser that his/her submitted data are confidential. The browser invokes the protection schemes when the page has no submission form, since XSS and XSRF are deployed without the user's awareness, i.e., without a submission form.
  • Keywords
    Internet; message authentication; network servers; online front-ends; transport protocols; unsolicited e-mail; HTTP extension; MITM attack; SSL protocol; WWW; Web page; authentication scheme; browser; confidential data transfer security; cross-site reference forgery attack; cross-site-scripting attack; pharming attack; phishing attack; user-initiated server authentication; Application software; Authentication; Data security; Forgery; Informatics; Protection; Protocols; Secure storage; Web server; World Wide Web; Authentication; HTTP; HTTP cookie; key establishment; same origin policy; trust agent;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    2009 IEEE International Conference on Networking, Architecture, and Storage (NAS 2009)
  • Conference_Location
    Hunan
  • Print_ISBN
    978-0-7695-3741-2
  • Type
    conf
  • DOI
    10.1109/NAS.2009.21
  • Filename
    5197305