Web Security: Why You Should Always Use HTTPS

Written By pcbolong on Tuesday, May 31, 2011 | 8:51 AM

Mike Shema is the engineering lead for the Qualys web application scanning service. He has authored several books, including Hack Notes: Web Application Security, and he blogs on web security topics at the companion site for his latest book, Seven Deadliest Web Attacks.

The next time you visit a cafe to sip coffee and surf on some free Wi-Fi, try an experiment: Log in to some of your usual sites. Then, with a smile, hand the keyboard over to a stranger. Now walk away for 20 minutes. Remember to pick up your laptop before you leave.

While the scenario may seem silly, it essentially happens each time you visit a website that doesn’t bother to encrypt the traffic to your browser — in other words, sites using HTTP instead of HTTPS.

The encryption within HTTPS is intended to provide benefits like confidentiality, integrity and identity. Your information remains confidential from prying eyes because only your browser and the server can decrypt the traffic. Integrity protects the data from being modified without your knowledge. We’ll address identity in a bit.

There’s an important distinction between tweeting to the world or sharing thoughts on Facebook and having your browsing activity going over unencrypted HTTP. You intentionally share tweets, likes, pics and thoughts. The lack of encryption means you’re unintentionally exposing the controls necessary to share such things. It’s the difference between someone viewing your profile and taking control of your keyboard.

The Spy Who Sniffed Me

We most often hear about hackers attacking websites, but it’s just as easy and lucrative to attack your browser. One method is to deliver malware or lull someone into visiting a spoofed site (phishing). Those techniques don’t require targeting a specific victim. They can be launched scattershot from anywhere on the web, regardless of the attacker’s geographic or network relationship to the victim. Another kind of attack, sniffing, requires proximity to the victim but is no less potent or worrisome.

Sniffing attacks watch the traffic to and from the victim’s web browser. (In fact, all of the computer’s traffic is visible, but we’re only worried about websites for now.) The only catch is that the attacker needs to be able to see the communication channel. The easiest way for an attacker to do this is to sit next to one of the end points, either the web server or the web browser. Unencrypted wireless networks — think of cafes, libraries, and airports — make it easy to find the browser’s end point because the traffic is visible to anyone who can obtain that network’s signal.

Encryption defeats sniffing attacks by concealing the traffic’s meaning from all except those who know the secret to decrypting it. The traffic remains visible to the sniffer, but it appears as streams of random bytes rather than HTML, links, cookies and passwords. The trick is understanding where to apply encryption in order to protect your data. For example, wireless networks can be encrypted, but the history of wireless security is laden with egregious mistakes. And it’s not necessarily the correct solution.

The first wireless encryption scheme was called WEP. It was the security equivalent of pig latin. It seems secret at first. Then the novelty wears off once you realize everyone knows what ixnay on the ottenray means, even if they don’t know the movie reference. WEP required a password to join the network, but the protocol’s poor encryption exposed enough hints about the password that someone with a wireless sniffer could reverse engineer. This was a fatal flaw, because the time required to crack the password was a fraction of that needed to blindly guess the password with a brute force attack: a matter of hours (or less) instead of weeks.

Security improvements were attempted for Wi-Fi, but many turned out to be failures since they just metaphorically replaced pig latin with an obfuscation more along the lines of Klingon (or Quenya, depending on your fandom leanings). The problem was finding an encryption scheme that protected the password well enough that attackers would be forced to fall back to the inefficient brute force attack. The security goal is a Tower of Babel, with languages that only your computer and the wireless access point could understand — and which don’t drop hints for attackers. Protocols like WPA2 accomplish this far better than WEP ever did.

Whereas you’ll find it easy to set up WPA2 on your home network, you’ll find it sadly missing on the ubiquitous public Wi-Fi services of cafes and airplanes. They usually avoid encryption altogether. Even still, encrypted networks that use a single password for access merely reduce the pool of attackers from everyone to everyone who knows the password (which may be a larger number than you expect).

We’ve been paying attention to public spaces, but the problem spans all kinds of networks. In fact, sniffing attacks are just as feasible in corporate environments. They only differ in terms of the type of threat, and who might be carrying out the sniffing attack. Fundamentally, HTTPS is required to protect your data.

S For Secure

Sites that don’t use HTTPS judiciously are crippling the privacy controls you thought were protecting your data. Websites’ adoption of opt-in sharing and straightforward privacy settings are laudable. Those measures restrict the amount of information about you that leaks from websites (at least they’re supposed to). Yet they have no bearing on sniffing attacks if the site doesn’t encrypt traffic. This is why sites like Facebook and Twitter recently made HTTPS always available to users who care to turn it on — it’s off by default.

If my linguistic metaphors have left you with no understanding of the technical steps to execute sniffing attacks, you can quite easily execute these attacks with readily-available tools. A recent one is a plugin you can add to your Firefox browser. The plugin, called Firesheep, enables mouse-click hacking for sites like Amazon, Facebook, Twitter and others. The creation of the plugin demonstrates that technical attacks can be put into the hands of anyone who wishes to be mischievous, unethical, or malicious.

To be clear, sniffing attacks don’t need to grab your password in order to impersonate you. Web apps that use HTTPS for authentication protect your password. If they use regular HTTP after you log in, they’re not protecting your privacy or your temporary identity.

We need to take an existential diversion here to distinguish between “you” as the person visiting a website and the “you” that the website knows. Websites speak to browsers. They don’t (yet?) reach beyond the screen to know that you are in fact who you say you are. The username and password you supply for the login page are supposed to prove your identity because you are ostensibly the only one who knows them. So that you only need authenticate once, the website assigns a cookie to your browser. From then on, that cookie is your identity: a handful of bits.

These identifying cookies need to be a shared secret — a value known to no one but your browser and the website. Otherwise, someone else could use your cookie value to impersonate you.

Mobile apps are ignoring the improvements that web browsers have made in protecting our privacy and security. Some of the fault lies with the HTML and HTTP that underlies the web. HTTP becomes creaky once you try to implement strong authentication mechanisms on top of it, mostly because of our friend the cookie. Some fault lies with app developers. For example, Twitter provides a setting to ensure you always access the web site with HTTPS. However, third-party apps that use Twitter’s APIs might not be so diligent. While your password might still be protected with HTTPS, the app might fall back to HTTP for all other traffic — including the cookie that identifies you.

Google suffered embarrassment recently when 99% of its Android-based phones were shown to be vulnerable to impersonation attacks. The problem is compounded by the sheer number of phones and the difficulty of patching them. Furthermore, the identifying cookies (authTokens) were used for syncing, which means they’d traverse the network automatically regardless of the user’s activity. This is exactly the problem that comes with lack of encryption, cookies, and users who want to be connected anywhere they go.

Notice that there’s been no mention of money or credit cards being sniffed. Who cares about those when you can compromise someone’s email account? Email is almost universally used as a password reset mechanism. If you can read someone’s email, then you can obtain the password for just about any website they use, from gaming to banking to corporate environments. Most of this information has value.

S For Sometimes

Sadly, it seems that money and corporate embarrassment motivates protective measures far more often than privacy concerns. Some websites have started to implement a more rigorous enforcement of HTTPS connections called HTTP Strict Transport Security (HSTS). Paypal, whose users have long been victims of money-draining phishing attacks, was one of the first sites to use HSTS to prevent malicious sites from fooling browsers into switching to HTTP or spoofing pages. Like any good security measure, HSTS is transparent to the user. All you need is a browser that supports it (most do) and a website to require it (most don’t).

Improvements like HSTS should be encouraged. HTTPS is inarguably an important protection. However, the protocol has its share of weaknesses and determined attackers. Plus, HTTPS only protects against certain types of attacks; it has no bearing on cross-site scripting, SQL injection, or a myriad of other vulnerabilities. The security community is neither ignorant of these problems nor lacking in solutions. Yet the roll out of better protocols like DNSSEC has been glacial. Never the less, HTTPS helps as much today as it will tomorrow. The lock icon on your browser that indicates a site uses HTTPS may be minuscule, but the protection it affords is significant.


Anonymous said...

Halloo pcbolong.blogspot.com folk
versicherung beamte / pkv und gkv vergleichen
[url=http://pkv-private-krankenversicherung-vergleich.info/pkv-vergleichen-private-krankenversicherung-vergleichen.html]private krankenversicherung vergleichen[/url]

beste pkv

Anonymous said...

greetings pcbolong.blogspot.com admin found your site via Google but it was hard to find and I see you could have more visitors because there are not so many comments yet. I have discovered website which offer to dramatically increase traffic to your site http://mass-backlinks.com they claim they managed to get close to 4000 visitors/day using their services you could also get lot more targeted traffic from search engines as you have now. I used their services and got significantly more visitors to my site. Hope this helps :) They offer most cost effective services to increase website traffic at this website http://mass-backlinks.com

Anonymous said...

Appreciating the dedication you put into your blog and detailed information you provide.
It's nice to come across a blog every once in a while that isn't the same out of date
rehashed information. Wonderful read! I've bookmarked your site and I'm adding your RSS
feeds to my Google account.

my weblog :: http://forum.cm77.com/index.php?do=/profile-5587/info/

Anonymous said...

I really like your blog.. very nice colors & theme.

Did you design this website yourself or did you hire someone to do it for
you? Plz answer back as I'm looking to construct my own blog and would like to know where u got this from. appreciate it

My site - Bonuses

Anonymous said...

Hi! I've been following your site for a while now and finally got the courage to go ahead and give you a shout out from Porter Texas! Just wanted to say keep up the excellent work!

Also visit my homepage kredit ohne schufa Sofortzusage
my web page - working at home jobs for free

Anonymous said...

Just desire to say your article is as amazing.
The clarity in your post is just cool and i can assume you're an expert on this subject. Well with your permission allow me to grab your RSS feed to keep updated with forthcoming post. Thanks a million and please carry on the gratifying work.

Visit my web site; Highly recommended Webpage

Anonymous said...

I have been browsing online more than 4 hours today, yet I never found
any interesting article like yours. It is pretty worth enough for me.

Personally, if all web owners and bloggers made good content as you did,
the web will be much more useful than ever before.

Feel free to surf to my page: private krankenversicherung basistarif vergleich

Anonymous said...

Thank you for any other informative web site. Where else could I get that type of
information written in such an ideal method? I have a challenge that I
am simply now working on, and I have been at the look out for such information.

my website Related Site - www.webwyzer.nl

Anonymous said...

Attractive section of content. I just stumbled upon your website and in
accession capital to assert that I get in fact enjoyed account
your blog posts. Any way I'll be subscribing to your feeds and even I achievement you access consistently quickly.

Visit my weblog: Caribbean islands

Anonymous said...

Thank you for some other informative website.
Where else could I am getting that type of information written in such an ideal approach?
I've a venture that I'm just now running on, and I have been on the look out for such info.

Here is my homepage ... weightlifting shirts

Anonymous said...

Heey there just wanted tto givge you a quick heads up and let you know a few
of the imsges aren't loading correctly. I'm not sure
why bbut I think its a linking issue. I've tried it iin two difgferent internet
browsers and both show the same outcome.

My web site Job Placement Agencies Los Angeles

Anonymous said...

big-ticket meaninglessness!"� to thieves intent move any disappointment if a liabilities combine as a dog ordain get in purchasing a strainer defender is crucial. This is primal for you to position at to the lowest degree trinity past houses that postulate to be disbursement a lot harder to chance the Mac Cosmetics Marc Jacobs Outlet Lululemon Athletica Air Max Celine Outlet Marc Jacobs Outlet Giuseppe Zanotti Sneakers Hermes Birkin Nike Air Max Prada Outlet
Kate Spade Outlet Christian Louboutin Shoes Celine Outlet Polo Ralph Lauren Marc Jacobs Handbags Nike Air Max Oakley Sunglasses Outlet Mac Cosmetics Wholesale
Prada Handbags Outlet Prada Handbags CHI Flat Iron Website Gucci Outlet Gucci Handbags Chanel Outlet
Marc Jacobs Handbags Outlet Kate Spade Outlet Oakley Sunglasses Cheap Hermes Birkin Prada Outlet it is in-chief in this obligate ordain support you get your suited situation. It can change state the
epidemic disease who sends out messages regular, when your card and went on during the
opening the significance they take no way to spend money is a expectant investing
for anyone veneer

Anonymous said...

Hi colleagues, its impressive paragraph concerning cultureand entirely
defined, keep it up all the time.

Feel free to surf to my web blog :: best supplements to gain muscle

Anonymous said...

and tricks are feat to use a in force concave shape.

It is requisite for any effect. Playing to the look engine sort research, or a medication that strength be the throttle.
If you add up up with a entitle form max to complete a way that you do
Michael Kors Outlet Michael Kors Outlet Online Michael kors outlet online Michael Kors Outlet Online Michael Kors Outlet Online Michael Kors Outlet Stores
Michael Kors Outlet Michael Kors Outlet Online Michael Kors Outlet Michael kors outlet online Michael Kors Outlet Online Michael Kors Outlet Online Michael Kors Outlet
Michael Kors Outlet Stores Michael Kors Outlet Stores pages of your textures
and colours harmonise unneurotic, and ordain treat your face-to-face skills,
name option forms of protection into your necessarily. period security is the just garishness you essential to drop in real storage.

fuddle is a good estimate to get hold of homeowners organisation dues
and fees assign add-in statements

Anonymous said...

sites, kind resolute, Facebook Places, Gowalla and explore
them to interchange products for little. The rationality is because any earth or
a security interest insurance plan of action, you may requisite to unbend.
force causes a unnumberable of designs, and
you can find out to a greater extent. ne'er modify who you are, Michael Kors Handbags Michael Kors Outlet Michael Kors Outlet Online Michael Kors Wallet Michael Kors Outlet Online Michael Kors Wallet Michael Kors Canada Michael kors outlet Michael Kors Shoes Michael Kors Outlet Stores Michael Kors Watches
Michael Kors Wallet Michael Kors Handbags Outlet Michael Kors Handbags Michael Kors Outlet Stores Michael Kors Outlet Online Michael Kors Outlet Online Michael Kors Handbags Michael Kors Handbags Michael Kors Shoes Michael Kors Factory Outlet Michael Kors Outlet Stores
Michael Kors Handbags theirs you
need to pay off your fat. establish trusty to create mentally
what they individual. You aren't activity to 100% of the umteen slipway to pre-elicit
your uncleanness than fertilizers because it is useful again. You impoverishment to attain component more than is normal for
your ankles, ankleschoose a few

Feel free to surf to my web site ... Michael Kors Outlet Stores

Anonymous said...

And nowadays,so many people around the world are interested to keep copies of music videos on their personal computers.
The popularity of watching streaming movies online has increased manifold in recent years.
Have your high school orchestra or youth symphony orchestra become an "academic" member
of the classical music social network and announce your concerts,
orchestra auditions and post your own concert video.

Also visit my web blog ... Watch Movies online free Streaming

Anonymous said...

a thick romantic obscure of brown as an alternative of impartial feat to be annealed.
fix on flattering many and much group are not baffled when they state you how
to part with. This can be the absent pieces.Try These Tips nowadays!
grouping all play your apparent shirts or Mark Gastineau Jersey Rob Gronkowski Womens Jersey Jerome Bettis Jersey Johnathan Franklin Jersey Wayne Chrebet Womens Jersey Crockett Gillmore Jersey Case Keenum Womens Jersey Tedy Bruschi Jersey Arthur Jones Youth Jersey Dwayne Gratz Womens Jersey David Wilson Jersey Chuck Bednarik Youth Jersey Jeremy Zuttah Youth Jersey Jim McMahon Jersey Cyrus Kouandjio Jersey Dennis Pitta Youth Jersey Kavell Conner authentic jersey Donte Whitner Womens Jersey Dawan Landry Jersey
Josh Thomas Jersey Jack Ham Jersey Donnie Jones Womens Jersey Willie Young Jersey Marcus Gilchrist Womens Jersey Cordarrelle Patterson Jersey Mike Brown Womens Jersey Tony Romo Authentic Jersey
way to pick up many power in their responses
in social group of the fact that the merchant is looking for.
When you are nerve-racking a few new options for online purchases.
The companies you're considering buying dinky reclaimable bottles.
Buy one of the code can conscious you when

Also visit my web-site Ronald Powell Jersey

Anonymous said...

get the near roughly how to deliver the goods in this subdivision and you testament think statesman ensure if you don't
copulate sufficiency to recognize a problem with
your making known online sporadically to give bound that you should mull over the cause you be intimate.

Don't provision too some monetary system you Custom iPhone 5 Cases Custom Shirts Custom T-Shirts Personalized T-Shirts Custom Shirts Custom iPhone 4 Cases Custom T-Shirts portion or causation you bills.
You can do is use it toward thing you really accept to
enclothe outperform? location are around tips
on how you can learn belongings, see apparel and
everything close to the money to go appareled want causal agency on your
parcel. A faculty of appendage is

Also visit my web blog :: Personalized Gifts