Until HTTPS came into extensive use, eavesdroppers were routinely able to steal private and confidential information. HTTPS solved the problem by encrypting data before sending it over a network. Out of habit, a user typically types the domain name in the browser address bar for an initial request (e.g., http://domain). The browser then makes the initial request to http://domain. If the domain supports HTTPS, the server redirects to https://domain. After this redirection, data is encrypted before being sent over the network. Before this redirection, the connection is not encrypted, and the browser sends all HTTP header data as plain text.
Disadvantageously, an eavesdropper can steal data from the initial request before the redirection to HTTPS. The data present in the first HTTP request can include cookies, the User-Agent, server authentication credentials, and the like. Cookies are extensively used to authenticate a user, store advertising data, identify the device, and for many other purposes. User-Agent information includes browser details, browser version, and Operating System (OS) information. User-Agent information can be used to devise an attack against the user's machine that exploits known and exposed issues with the browser and OS, or to mount zero-day attacks.
Many servers use the HTTP WWW-Authenticate mechanism to perform user authentication. Once the browser authenticates with the server, it caches the credentials and uses them for subsequent requests. The first initial request, made before the redirect to HTTPS, will include this information as well. Authorization header information can be exploited to attack both the server and the user. Many browsers have started preloading a list of domains that support HTTPS. As soon as a user types such a domain in the browser address bar, the domain is replaced with https://domain, which makes the initial connection encrypted. This is referred to as HTTP Strict Transport Security (HSTS).
There are various problems with this approach. First, not all browsers or applications support HSTS. Second, the browser or application needs to store the preloaded list on the user device, resulting in unnecessary memory utilization. Third, the browser or application does not have all domains in the preloaded list, since domains are constantly being added to the Internet. Fourth, continuous browser or application updates are needed to push the preloaded list to billions or more user devices, which is too intrusive. Fifth, by nature, the preloaded list is created by humans and is prone to human error. Specifically, once an erroneous domain list is pushed to the browser or application, fixing it becomes a tedious, marathon task.
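The following is an added example, not code from the original text, illustrating the preload-list and HSTS behaviour described in the two preceding paragraphs. It models, in simplified form, how a client decides whether an http:// URL is rewritten to https:// before the first request leaves the machine: either the host is on a built-in preload list, or a policy learned earlier from a Strict-Transport-Security header (RFC 6797) is still in effect. It also shows the third problem above: a host absent from the preload list is contacted over plain HTTP on its first visit, and only after an HTTPS response carries the header is the next visit upgraded. All host names (preloaded.example, unlisted.example) and header values are constructed for illustration.

```python
"""Added example (not part of the original text): a simplified model of how a
client decides whether an http:// URL is upgraded to https:// before the first
request leaves the machine, using a built-in preload list plus policies learned
from Strict-Transport-Security headers (RFC 6797). All host names and header
values are constructed for illustration."""
import time
from urllib.parse import urlsplit, urlunsplit

# Constructed stand-in for a browser's shipped preload list (hypothetical host).
PRELOAD_LIST = {"preloaded.example": {"include_subdomains": True}}


def parse_hsts_header(value):
    """Parse a Strict-Transport-Security header value.

    Returns (max_age_seconds, include_subdomains), or None when the header is
    malformed (no valid max-age), in which case a client ignores it entirely.
    Unknown directives such as "preload" are ignored, as RFC 6797 requires.
    """
    max_age = None
    include_subdomains = False
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        name = name.strip().lower()
        val = val.strip().strip('"')
        if name == "max-age":
            if not val.isdigit():
                return None
            max_age = int(val)
        elif name == "includesubdomains":
            include_subdomains = True
    if max_age is None:
        return None
    return max_age, include_subdomains


class HstsCache:
    """Policies learned from headers, keyed by host, with expiry.

    `now` is injectable so that expiry can be exercised deterministically.
    """

    def __init__(self, now=time.time):
        self._now = now
        self._policies = {}  # host -> (expires_at, include_subdomains)

    def learn(self, host, header_value):
        """Record a policy from a header received over HTTPS.

        A client ignores this header when it arrives over plain HTTP, so the
        unencrypted first request described in the text never establishes
        protection by itself.
        """
        parsed = parse_hsts_header(header_value)
        if parsed is None:
            return False
        max_age, include_subdomains = parsed
        if max_age == 0:
            self._policies.pop(host, None)  # max-age=0 withdraws the policy
        else:
            self._policies[host] = (self._now() + max_age, include_subdomains)
        return True

    @staticmethod
    def _covers(host, policy_host, include_subdomains):
        return host == policy_host or (
            include_subdomains and host.endswith("." + policy_host)
        )

    def is_known_hsts_host(self, host):
        """True if the preload list or a live learned policy covers `host`."""
        for policy_host, info in PRELOAD_LIST.items():
            if self._covers(host, policy_host, info["include_subdomains"]):
                return True
        for policy_host, (expires_at, include_subdomains) in list(self._policies.items()):
            if expires_at <= self._now():
                del self._policies[policy_host]  # expired policies are dropped
                continue
            if self._covers(host, policy_host, include_subdomains):
                return True
        return False

    def rewrite(self, url):
        """Return the URL the client actually requests (upgraded or unchanged)."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not parts.hostname:
            return url
        if not self.is_known_hsts_host(parts.hostname):
            return url  # unknown host: the first request still goes out in clear
        # http://host:80 becomes https://host (port 443); other ports are kept.
        netloc = parts.hostname if parts.port in (None, 80) else f"{parts.hostname}:{parts.port}"
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


def first_visit_demo():
    """The gap the text describes: an unlisted host is contacted over plain HTTP
    once; only after an HTTPS response carries the header is the next visit
    upgraded before any header bytes leave the client."""
    cache = HstsCache()
    first = cache.rewrite("http://unlisted.example/login")
    cache.learn("unlisted.example", "max-age=31536000; includeSubDomains")
    second = cache.rewrite("http://unlisted.example/login")
    return first, second


if __name__ == "__main__":
    print(first_visit_demo())
```

Running the module prints the pair of URLs from `first_visit_demo()`: the first stays `http://`, the second is upgraded. The injectable clock in `HstsCache` is what lets the expiry path be checked without waiting for a real `max-age` to elapse.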
A new, more robust, less intrusive, manageable, and real-time solution is needed.