Posted by David Leo on Mar 23
To secure the browser, which is very fragile, the approach of HTTPS Only 3.1 is exceptionally simple:
1. Only HTTPS URLs (no other protocols)
2. Whitelist of domains (anything outside of the whitelist is blocked)
Now, let’s look at threats:
1. Man in the middle – it’s fixed.
2. Phishing always requires the browser to load the attacker’s website, so it’s permanently dead here.
3. Drive-by Download – dead (if applied strictly, unable to…
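
The two rules from the post above, written out as a request filter. This is an added example, not part of the original post and not code from HTTPS Only 3.1. The function name `checkRequest`, the allowlist entries, and the choice to also accept subdomains of an allowlisted domain are assumptions made for illustration.

```javascript
// Constructed allowlist; these domains are placeholders, not from the post.
const ALLOWLIST = new Set(["example.com", "mail.example.org"]);

// Hypothetical helper: decides whether a requested URL may load.
// Returns { allow: boolean, reason: string }.
function checkRequest(rawUrl, allowlist = ALLOWLIST) {
  let url;
  try {
    // WHATWG URL parser: the same parsing rules a browser applies, so the
    // host checked here is the host the browser would actually contact.
    url = new URL(rawUrl);
  } catch {
    return { allow: false, reason: "unparseable" };
  }

  // Rule 1: HTTPS only. Rejects http:, ftp:, file:, data: and anything else.
  if (url.protocol !== "https:") {
    return { allow: false, reason: "scheme" };
  }

  // url.hostname is already lowercased and excludes any userinfo or port.
  // Strip one trailing dot so "example.com." matches "example.com".
  const host = url.hostname.replace(/\.$/, "");

  // Rule 2: allowlist. Match the exact host, or (assumption) a subdomain.
  // The leading "." in the suffix test is what keeps "notexample.com"
  // and "example.com.evil.test" from matching "example.com".
  for (const domain of allowlist) {
    if (host === domain || host.endsWith("." + domain)) {
      return { allow: true, reason: "allowlisted" };
    }
  }
  return { allow: false, reason: "host" };
}
```

Comparing the parsed hostname, rather than searching the URL string for an allowlisted name, is what makes lookalike URLs such as `https://example.com@evil.test/` fall under rule 2.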