Background Information
The subject matter described herein relates generally to internet browsing and, more particularly, to secure mode browsing.
Related Technology
Open wireless networks may be provided by businesses to offer an internet connection to customers. A user may utilize a personal device (e.g. a laptop, a mobile phone, a tablet, etc.) to connect to a wireless network and browse the internet. Such open wireless networks may be left unencrypted or unsecured so that any user within proximity of the open wireless network may connect and utilize the internet without requiring special login credentials.
A problem with open wireless access points is that they are not encrypted, thereby making it possible for a malicious third party to hijack connections going to the access point to read and modify all the network traffic. Websites accessed via Hypertext Transfer Protocol (HTTP) send plain unencrypted network traffic to the user. A user browsing on an unencrypted or unsecured open wireless network runs the risk of having their connection and activities over the internet eavesdropped or hijacked by a malicious third party. For example, browsing on untrusted or unencrypted open wireless networks may expose session cookies or data packets to sniffing, that is, to eavesdropping by a third party. A user submitting login credentials for accessing personal information (e.g. e-mail, bank account information, online auctions, etc.) may have their credentials stolen, or may have their activities monitored by the malicious third party. The malicious third party may even inject malicious content into the user's device as the user connects to the internet.
For example, there are programs directed to aiding hackers on open wireless networks to steal cookies that are visible on Hypertext Transfer Protocol (HTTP) connections. Stealing the cookies may allow a hacker to steal a user's logged-in session for the website corresponding to the cookie. Such programs could thus be used to compromise social network accounts of users who were logged into the social network while connected on an open wireless access point.
Websites accessed via Hypertext Transfer Protocol Secure (HTTPS) utilize HTTP+SSL (Secure Socket Layer) cryptographic protection, which ensures that a malicious third party cannot see the traffic or modify it. Login pages may require a login and password to be sent over HTTPS to protect the credentials from being stolen. However, the login page may subsequently convert the login information to a session cookie that gets set on the user's browser, which may get sent as plain unencrypted traffic when HTTP connections are in use. Because the session cookie grants access to the user's account, having the session cookie transmitted as plain unencrypted traffic runs the risk of having the information eavesdropped by a malicious third party.
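The exposure described in the preceding paragraph can be audited from the response headers of a login page. The following is an added example, not part of the original document: it models which cookies a browser would attach to a plain HTTP request, using the standard Secure cookie attribute (RFC 6265), which the text above does not mention. The cookie names, values and host are constructed for illustration.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed Set-Cookie headers, as a hypothetical HTTPS login response might send.
LOGIN_RESPONSE_SET_COOKIE = [
    "session_id=constructed-value-1; Path=/; HttpOnly",          # no Secure flag
    "auth_token=constructed-value-2; Path=/; Secure; HttpOnly",  # HTTPS only
    "theme=dark; Path=/",                                        # harmless preference
]

def parse_set_cookie(headers):
    """Parse Set-Cookie header values into {cookie name: Morsel}."""
    jar = {}
    for header in headers:
        cookie = SimpleCookie()
        cookie.load(header)
        jar.update(cookie.items())
    return jar

def path_matches(cookie_path, request_path):
    """RFC 6265 section 5.1.4 path matching."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False

def cookies_sent(jar, url):
    """Names of cookies a browser would attach to a request for url."""
    parts = urlsplit(url)
    sent = []
    for name, morsel in jar.items():
        # A cookie marked Secure is withheld from non-HTTPS requests;
        # every other cookie travels in cleartext over HTTP.
        if morsel["secure"] and parts.scheme != "https":
            continue
        if not path_matches(morsel["path"] or "/", parts.path or "/"):
            continue
        sent.append(name)
    return sorted(sent)

if __name__ == "__main__":
    jar = parse_set_cookie(LOGIN_RESPONSE_SET_COOKIE)
    for url in ("https://example.test/inbox", "http://example.test/inbox"):
        print(url, "->", cookies_sent(jar, url))
```

Any session-bearing cookie listed for the http:// URL is readable by anyone able to observe the open wireless network.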
Users browsing on an open wireless access point may utilize a Virtual Private Network (VPN). The VPN sends all network traffic (including web traffic) over an encrypted “tunnel”, preventing the traffic from being seen or modified by a malicious third party at the wireless access point. However, the user must completely trust the entity (e.g. a company, the administrator of a private server, etc.) that provides the VPN tunnel service. Furthermore, not everyone has a corporate VPN or is willing to pay to access one. Additionally, once the network traffic exits the VPN tunnel (e.g. at the company's VPN servers), the traffic is still subject to attack at any of the network points it travels through.
Users still want to be able to utilize these wireless access points securely, without worrying about having their privacy violated by a malicious third party. A solution without the above limitations is needed.