Can internet users protect themselves? Challenges and techniques of automated protection of HTTP communication

HTTPS enables secure access to web content and web-based services. Although supported by many content and service providers, HTTPS is oftentimes not enabled by default, as pointed out in an open letter sent to Google by security experts. In this article, we discuss if and how web users can protect themselves by using HTTPS instead of HTTP. We show that many websites allow for accessing content by HTTPS instead of HTTP. However, HTTPS access must be manually configured or requested by the user, or is impossible at all, e.g., for embedded objects. For this reason, we explore how to protect users transparently by automatically using HTTPS whenever possible. In order to enable this approach, one needs to determine whether using HTTPS yields the same content as using HTTP, even in the presence of dynamic websites incorporating advertisements and news. We show that this decision is possible for entire websites like amazon.com in short time by combining a fast content comparison algorithm, result caching, and observations on the structure of the website. Besides the concrete HTTP use case considered in this article, our results are of independent interest for any setting in which content can be accessed by various means. Finally, we present and discuss different approaches for implementing automated protection of HTTP connections.