On the Feasibility of Fine-Grained TLS Security Configurations in Web Browsers Based on the Requested Domain Name

TL;DR

This paper proposes a mechanism for web browsers to apply fine-grained, domain-sensitive TLS security configurations based on domain sensitivity, enhancing security for sensitive sites while maintaining compatibility for others.

Contribution

It introduces a domain-based TLS configuration approach and demonstrates its feasibility through a Firefox extension implementation.

Findings

Feasible to implement fine-grained TLS configurations in browsers.

Enhanced security for sensitive domains without sacrificing compatibility.

Potential for standardization as a browser security feature.

Abstract

Most modern web browsers today sacrifice optimal TLS security for backward compatibility. They apply coarse-grained TLS configurations that support (by default) legacy versions of the protocol that have known design weaknesses, and weak ciphersuites that provide fewer security guarantees (e.g. non Forward Secrecy), and silently fall back to them if the server selects to. This introduces various risks including downgrade attacks such as the POODLE attack [15] that exploits the browsers silent fallback mechanism to downgrade the protocol version in order to exploit the legacy version flaws. To achieve a better balance between security and backward compatibility, we propose a mechanism for fine-grained TLS configurations in web browsers based on the sensitivity of the domain name in the HTTPS request using a whitelisting technique. That is, the browser enforces optimal TLS configurations for connections going to sensitive domains while enforcing default configurations for the rest of the connections. We demonstrate the feasibility of our proposal by implementing a proof-of-concept as a Firefox browser extension. We envision this mechanism as a built-in security feature in web browsers, e.g. a button similar to the \quotes{Bookmark} button in Firefox browsers and as a standardised HTTP header, to augment browsers security.