Derek Leung:

1. The authors observe that some sites which use HTTPS (for example, banking) are high-security sites which need all the security HTTPS can provide, while low-security sites use HTTPS only to protect against passive attackers. HTTPS certificate configuration errors are unimportant in the latter but extremely dangerous in the former, as they indicate the presence of a possible network attack. The authors propose that servers hosting high-security content set a cookie to indicate this fact. Users can set this configuration manually for sites that are high-security but lack that cookie. The browser then fails fast on HTTPS errors and refuses to make requests over insecure HTTP.

2. Secure cookies protect against passive attackers because browsers refuse to send a cookie marked as Secure over the network in plaintext in HTTP connections. However, an active attacker will provide an invalid certificate when attempting to compromise a connection. If a user clicks through a certificate warning, the browser will temporarily trust the connection but send the Secure cookie to the potential attacker.

3. ForceHTTPS prevents the browser from sending Secure cookies when it encounters an invalid certificate.
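The browser-side policy described in points 1 to 3, as an added model that is not part of the original answer or of the ForceHTTPS paper: the cookie name `ForceHTTPS`, the `Browser.request` interface and the hostnames are assumptions made for the example. It contrasts an ordinary site, where a click-through leaks Secure cookies, with a ForceHTTPS site, where both plaintext requests and certificate errors are refused outright.

```python
"""Model of how a browser decides which cookies to send, with and without ForceHTTPS."""
from dataclasses import dataclass, field

FORCE_HTTPS_COOKIE = "ForceHTTPS"  # assumed name of the server-set opt-in cookie


@dataclass
class Cookie:
    name: str
    value: str
    secure: bool = False  # the Secure attribute: never sent over plaintext HTTP


@dataclass
class Browser:
    cookies: dict = field(default_factory=dict)          # host -> list[Cookie]
    manual_force_https: set = field(default_factory=set)  # user-configured hosts

    def store(self, host, cookie):
        self.cookies.setdefault(host, []).append(cookie)

    def force_https(self, host):
        """A host is ForceHTTPS if the user opted in or the server set the cookie."""
        return host in self.manual_force_https or any(
            c.name == FORCE_HTTPS_COOKIE for c in self.cookies.get(host, []))

    def request(self, host, scheme, cert_valid=True, user_clicks_through=False):
        """Return ('sent', [cookie names]) or ('refused', reason)."""
        forced = self.force_https(host)
        jar = self.cookies.get(host, [])
        if scheme == "http":
            if forced:
                return ("refused", "ForceHTTPS: plaintext request blocked")
            # Ordinary site: Secure cookies are withheld, the rest go in the clear.
            return ("sent", [c.name for c in jar if not c.secure])
        if not cert_valid:
            if forced:
                return ("refused", "ForceHTTPS: invalid certificate is fatal")
            if not user_clicks_through:
                return ("refused", "certificate warning shown to user")
            # Ordinary site after click-through: Secure cookies go to whoever
            # presented the bad certificate, which is the weakness point 2 describes.
        return ("sent", [c.name for c in jar])
```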