Web Security: Why You Should Always Use HTTPS

Written By pcbolong on Tuesday, May 31, 2011 | 8:51 AM

Mike Shema is the engineering lead for the Qualys web application scanning service. He has authored several books, including Hack Notes: Web Application Security, and he blogs on web security topics at the companion site for his latest book, Seven Deadliest Web Attacks.

The next time you visit a cafe to sip coffee and surf on some free Wi-Fi, try an experiment: Log in to some of your usual sites. Then, with a smile, hand the keyboard over to a stranger. Now walk away for 20 minutes. Remember to pick up your laptop before you leave.

While the scenario may seem silly, it essentially happens each time you visit a website that doesn’t bother to encrypt the traffic to your browser — in other words, sites using HTTP instead of HTTPS.

The encryption within HTTPS is intended to provide benefits like confidentiality, integrity and identity. Your information remains confidential from prying eyes because only your browser and the server can decrypt the traffic. Integrity protects the data from being modified without your knowledge. We’ll address identity in a bit.

There’s an important distinction between tweeting to the world or sharing thoughts on Facebook and having your browsing activity going over unencrypted HTTP. You intentionally share tweets, likes, pics and thoughts. The lack of encryption means you’re unintentionally exposing the controls necessary to share such things. It’s the difference between someone viewing your profile and taking control of your keyboard.

The Spy Who Sniffed Me

We most often hear about hackers attacking websites, but it’s just as easy and lucrative to attack your browser. One method is to deliver malware or lull someone into visiting a spoofed site (phishing). Those techniques don’t require targeting a specific victim. They can be launched scattershot from anywhere on the web, regardless of the attacker’s geographic or network relationship to the victim. Another kind of attack, sniffing, requires proximity to the victim but is no less potent or worrisome.

Sniffing attacks watch the traffic to and from the victim’s web browser. (In fact, all of the computer’s traffic is visible, but we’re only worried about websites for now.) The only catch is that the attacker needs to be able to see the communication channel. The easiest way for an attacker to do this is to sit next to one of the end points, either the web server or the web browser. Unencrypted wireless networks — think of cafes, libraries, and airports — make it easy to find the browser’s end point because the traffic is visible to anyone who can obtain that network’s signal.

Encryption defeats sniffing attacks by concealing the traffic’s meaning from all except those who know the secret to decrypting it. The traffic remains visible to the sniffer, but it appears as streams of random bytes rather than HTML, links, cookies and passwords. The trick is understanding where to apply encryption in order to protect your data. For example, wireless networks can be encrypted, but the history of wireless security is laden with egregious mistakes. And it’s not necessarily the correct solution.

The first wireless encryption scheme was called WEP. It was the security equivalent of pig latin. It seems secret at first. Then the novelty wears off once you realize everyone knows what ixnay on the ottenray means, even if they don’t know the movie reference. WEP required a password to join the network, but the protocol’s poor encryption exposed enough hints about the password that someone with a wireless sniffer could reverse engineer it. This was a fatal flaw, because the time required to crack the password was a fraction of that needed to blindly guess the password with a brute force attack: a matter of hours (or less) instead of weeks.

Security improvements were attempted for Wi-Fi, but many turned out to be failures since they just metaphorically replaced pig latin with an obfuscation more along the lines of Klingon (or Quenya, depending on your fandom leanings). The problem was finding an encryption scheme that protected the password well enough that attackers would be forced to fall back to the inefficient brute force attack. The security goal is a Tower of Babel, with languages that only your computer and the wireless access point could understand — and which don’t drop hints for attackers. Protocols like WPA2 accomplish this far better than WEP ever did.

Whereas you’ll find it easy to set up WPA2 on your home network, you’ll find it sadly missing on the ubiquitous public Wi-Fi services of cafes and airplanes. They usually avoid encryption altogether. Even so, encrypted networks that use a single password for access merely reduce the pool of attackers from everyone to everyone who knows the password (which may be a larger number than you expect).

We’ve been paying attention to public spaces, but the problem spans all kinds of networks. In fact, sniffing attacks are just as feasible in corporate environments. They only differ in terms of the type of threat, and who might be carrying out the sniffing attack. Fundamentally, HTTPS is required to protect your data.

S For Secure

Sites that don’t use HTTPS judiciously are crippling the privacy controls you thought were protecting your data. Websites’ adoption of opt-in sharing and straightforward privacy settings are laudable. Those measures restrict the amount of information about you that leaks from websites (at least they’re supposed to). Yet they have no bearing on sniffing attacks if the site doesn’t encrypt traffic. This is why sites like Facebook and Twitter recently made HTTPS always available to users who care to turn it on — it’s off by default.

If my linguistic metaphors have left you with no understanding of the technical steps to execute sniffing attacks, you can quite easily execute these attacks with readily available tools. A recent one is a plugin you can add to your Firefox browser. The plugin, called Firesheep, enables mouse-click hacking for sites like Amazon, Facebook, Twitter and others. The creation of the plugin demonstrates that technical attacks can be put into the hands of anyone who wishes to be mischievous, unethical, or malicious.

To be clear, sniffing attacks don’t need to grab your password in order to impersonate you. Web apps that use HTTPS for authentication protect your password. If they use regular HTTP after you log in, they’re not protecting your privacy or your temporary identity.

We need to take an existential diversion here to distinguish between “you” as the person visiting a website and the “you” that the website knows. Websites speak to browsers. They don’t (yet?) reach beyond the screen to know that you are in fact who you say you are. The username and password you supply for the login page are supposed to prove your identity because you are ostensibly the only one who knows them. So that you only need to authenticate once, the website assigns a cookie to your browser. From then on, that cookie is your identity: a handful of bits.

These identifying cookies need to be a shared secret — a value known to no one but your browser and the website. Otherwise, someone else could use your cookie value to impersonate you.
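The practical defender's check that follows from this is whether a site's session cookie carries the Secure attribute, since without it a browser will happily attach the shared secret to any plain http:// request to the same host. The script below is an added example for this post, not code from the article or its author; the hostnames and Set-Cookie values are constructed sample data, and the browser rule it models is deliberately simplified (no Domain, Path or expiry handling).

```python
"""Audit Set-Cookie headers for session cookies that would travel over plain HTTP.

Added example for this article, not code from the article or its author.
The hostnames and Set-Cookie values below are constructed sample data.
"""
from urllib.parse import urlsplit

# Constructed sample responses: the first site sets its session cookie
# without the Secure attribute, the second sets it correctly.
SAMPLE_SET_COOKIE = {
    "leaky.example": "sid=9f3a1c; Path=/; HttpOnly",
    "careful.example": "sid=9f3a1c; Path=/; Secure; HttpOnly",
}


def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, value, attributes).

    Attribute names are lower-cased; valueless attributes such as Secure
    and HttpOnly map to True.
    """
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        key, sep, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name.strip(), value.strip(), attrs


def browser_would_send(attrs, url):
    """Simplified browser rule: a cookie marked Secure is only attached to
    https:// requests; any other cookie goes out over http:// as well."""
    scheme = urlsplit(url).scheme.lower()
    if attrs.get("secure"):
        return scheme == "https"
    return scheme in ("http", "https")


def audit(site_headers):
    """Return (host, cookie_name, issue) findings for each risky cookie."""
    findings = []
    for host, header in site_headers.items():
        name, _value, attrs = parse_set_cookie(header)
        # The shared secret leaks to a sniffer if the browser would ever
        # send it on an unencrypted request to the same host.
        if browser_would_send(attrs, f"http://{host}/"):
            findings.append((host, name, "missing Secure"))
        # Not a sniffing issue, but script access widens the exposure.
        if not attrs.get("httponly"):
            findings.append((host, name, "missing HttpOnly"))
    return findings


if __name__ == "__main__":
    for host, name, issue in audit(SAMPLE_SET_COOKIE):
        print(f"{host}: cookie {name!r} {issue}")
```

Run against real responses, the same check is what makes the Twitter and Android cases below visible: a cookie that was issued over HTTPS but lacks Secure is one plain http:// request away from being sniffed.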

Mobile apps are ignoring the improvements that web browsers have made in protecting our privacy and security. Some of the fault lies with the HTML and HTTP that underlies the web. HTTP becomes creaky once you try to implement strong authentication mechanisms on top of it, mostly because of our friend the cookie. Some fault lies with app developers. For example, Twitter provides a setting to ensure you always access the web site with HTTPS. However, third-party apps that use Twitter’s APIs might not be so diligent. While your password might still be protected with HTTPS, the app might fall back to HTTP for all other traffic — including the cookie that identifies you.

Google suffered embarrassment recently when 99% of its Android-based phones were shown to be vulnerable to impersonation attacks. The problem is compounded by the sheer number of phones and the difficulty of patching them. Furthermore, the identifying cookies (authTokens) were used for syncing, which means they’d traverse the network automatically regardless of the user’s activity. This is exactly the problem that comes with lack of encryption, cookies, and users who want to be connected anywhere they go.

Notice that there’s been no mention of money or credit cards being sniffed. Who cares about those when you can compromise someone’s email account? Email is almost universally used as a password reset mechanism. If you can read someone’s email, then you can obtain the password for just about any website they use, from gaming to banking to corporate environments. Most of this information has value.

S For Sometimes

Sadly, it seems that money and corporate embarrassment motivates protective measures far more often than privacy concerns. Some websites have started to implement a more rigorous enforcement of HTTPS connections called HTTP Strict Transport Security (HSTS). Paypal, whose users have long been victims of money-draining phishing attacks, was one of the first sites to use HSTS to prevent malicious sites from fooling browsers into switching to HTTP or spoofing pages. Like any good security measure, HSTS is transparent to the user. All you need is a browser that supports it (most do) and a website to require it (most don’t).
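To make the mechanism concrete, here is a small model of the HSTS logic a browser keeps. It is an added example for this post, not code from the article, its author, or any browser; the hostnames, header values and timestamps are constructed. The two points it shows are that the header is only honoured when it arrives over HTTPS (so a plain-HTTP attacker cannot plant or alter a policy), and that once a host is known, an http:// URL is rewritten to https:// before any request leaves the machine.

```python
"""Simplified model of how a browser enforces HTTP Strict Transport Security.

Added example for this article, not code from the article, its author, or
any browser. Hostnames, header values and timestamps are constructed.
"""
from urllib.parse import urlsplit, urlunsplit


class HstsCache:
    """Remembers which hosts have asked to be reached only over HTTPS."""

    def __init__(self):
        # host -> (expiry timestamp, includeSubDomains flag)
        self._policies = {}

    def observe(self, url, header_value, now):
        """Process a Strict-Transport-Security header from a response to `url`.

        Returns True if a policy was stored or cleared. The header is only
        honoured when it arrived over HTTPS; a sniffer or spoofed HTTP site
        must not be able to plant or change a policy.
        """
        parts = urlsplit(url)
        if parts.scheme.lower() != "https" or not parts.hostname:
            return False
        max_age = None
        include_sub = False
        for directive in header_value.split(";"):
            name, _, value = directive.strip().partition("=")
            name = name.strip().lower()
            if name == "max-age":
                try:
                    max_age = int(value.strip().strip('"'))
                except ValueError:
                    return False
            elif name == "includesubdomains":
                include_sub = True
        if max_age is None or max_age < 0:
            return False
        host = parts.hostname.lower()
        if max_age == 0:
            # max-age=0 tells the browser to forget the host's policy.
            self._policies.pop(host, None)
        else:
            self._policies[host] = (now + max_age, include_sub)
        return True

    def is_known(self, host, now):
        """True if `host` or an includeSubDomains parent has an unexpired policy."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            policy = self._policies.get(".".join(labels[i:]))
            if policy is None:
                continue
            expires, include_sub = policy
            if expires <= now:
                continue
            if i == 0 or include_sub:
                return True
        return False

    def rewrite(self, url, now):
        """Return the URL the browser would actually fetch.

        An http:// URL for a known host is upgraded to https:// before any
        request leaves the machine, so there is no plaintext request for a
        sniffer to see or for a malicious page to redirect.
        """
        parts = urlsplit(url)
        if parts.scheme.lower() != "http" or not parts.hostname:
            return url
        if not self.is_known(parts.hostname, now):
            return url
        # Port 80 becomes the https default (443); any other explicit port is kept.
        netloc = parts.hostname
        if parts.port not in (None, 80):
            netloc = f"{parts.hostname}:{parts.port}"
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    cache = HstsCache()
    cache.observe("https://bank.example/", "max-age=31536000; includeSubDomains", now=0)
    print(cache.rewrite("http://www.bank.example/login", now=60))
```

The gap this model makes visible is the very first visit: until the browser has seen the header over HTTPS once, it has no policy to apply, which is why browsers also ship a built-in preload list of hosts that are treated as HSTS-enabled from the start.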

Improvements like HSTS should be encouraged. HTTPS is inarguably an important protection. However, the protocol has its share of weaknesses and determined attackers. Plus, HTTPS only protects against certain types of attacks; it has no bearing on cross-site scripting, SQL injection, or a myriad of other vulnerabilities. The security community is neither ignorant of these problems nor lacking in solutions. Yet the rollout of better protocols like DNSSEC has been glacial. Nevertheless, HTTPS helps as much today as it will tomorrow. The lock icon on your browser that indicates a site uses HTTPS may be minuscule, but the protection it affords is significant.
