Reply to post: Re: Cheaper than HTTPS?

Time to ditch HTTP – govt malware injection kit thrust into spotlight

Anonymous Coward

Re: Cheaper than HTTPS?

I just thought of a partial solution. For static content only, simply put a SHA value in the URL fragment. The fragment would need to follow a predefined format so browsers know what it is and means. The returning file is hashed and compared; if it differs, then reject it. For ancillaries such as JS and SWF (both common attack vectors) this significantly limits damage. For destination addresses, the HTML pages themselves, hashes are carried along with URLs in bookmarks and search engines. And the best part is no extra traffic is transmitted back to the server, existing proxies do nothing different, and caching strategies are preserved.
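The check proposed in the comment above, as an added example that is not part of the original post: the client strips the fragment before requesting the file, hashes the returned body and rejects it on mismatch. The `#sha256=<hex>` fragment format, the function names and the sample URL are assumptions, since the comment does not define a format.

```javascript
// Added example: client-side check for a hash carried in the URL fragment.
// ASSUMPTION: the fragment format is "#sha256=<64 hex chars>"; the comment
// only says "a predefined format". Function names are hypothetical.
const crypto = require('crypto');

// Split a pinned URL into the URL actually requested and the expected digest.
function parsePinnedUrl(rawUrl) {
  const url = new URL(rawUrl);
  const match = /^#sha256=([0-9a-f]{64})$/i.exec(url.hash);
  const expected = match ? Buffer.from(match[1], 'hex') : null;
  // Fragments are never sent in the HTTP request, so the server, proxies
  // and caches see the same URL they would see without the pin.
  url.hash = '';
  return { requestUrl: url.href, expected };
}

// Hash the returned body and compare it with the pinned digest.
// A missing or malformed pin is treated as a failure (policy assumption).
function verifyBody(rawUrl, body) {
  const { requestUrl, expected } = parsePinnedUrl(rawUrl);
  if (!expected) return { ok: false, reason: 'no-valid-pin', requestUrl };
  const actual = crypto.createHash('sha256').update(body).digest();
  const ok = crypto.timingSafeEqual(actual, expected);
  return { ok, reason: ok ? 'match' : 'hash-mismatch', requestUrl };
}

// Constructed sample data: a small script, its pin, and a modified copy
// standing in for a body altered in transit.
const SAMPLE_JS = Buffer.from('console.log("hello");\n');
const SAMPLE_PIN = crypto.createHash('sha256').update(SAMPLE_JS).digest('hex');
const SAMPLE_URL = `http://static.example/app.js#sha256=${SAMPLE_PIN}`;
const TAMPERED_JS = Buffer.concat([SAMPLE_JS, Buffer.from('/* injected */')]);

console.log(verifyBody(SAMPLE_URL, SAMPLE_JS));
console.log(verifyBody(SAMPLE_URL, TAMPERED_JS));
```

The pin only protects the fetched file if the URL carrying it reached the client unmodified, which is why the comment calls this a partial solution.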
