Institute of Electrical & Electronic Engineers
In this paper, the authors argue that secure introduction via hyperlinks will be essential for distributing security policies on the web. The "Strict transport security" policy, which makes HTTPS mandatory for a given domain, can already be expressed by links with an https URL. They propose slinks, a set of lightweight HTML extensions to express more complex security policies, such as key pinning, in links. This is the simplest and most efficient way to secure connections to new domains before persistent security policy can be negotiated directly, requiring no changes to the user experience and aligning trust decisions with the user's mental model.