
Filed In: Application Security, Security

HTTPS or Be Warned


Written By: Adam Caudill July 24, 2018

Today marks an important event in the security of the web – starting with today’s release of Chrome v68, the most popular browser in use today is warning users when they access a website over an insecure connection. While this is a small change to the user interface, it makes the dangers of insecure connections clear to users, even in cases where the website doesn’t collect information. It doesn’t matter if it’s a complex financial site or a single page site for an advertising campaign, everything needs to use HTTPS now.

While security professionals and privacy advocates have been warning about the issues with unsecured traffic for years, this makes that warning clear to users now, not just the website operator.

A Change for The Better

The user interface change, seen below, adds a “Not secure” prefix to the address bar when a website is accessed over HTTP instead of HTTPS. This is easy for users to see, and should be readily noticed – and sure to raise questions when they see it. If you have any sites still operating over HTTP, now would be an excellent time to get TLS in place, and redirect all the HTTP traffic to the HTTPS version with a permanent (301) redirect (and add a Strict-Transport-Security header to the HTTPS responses while you’re at it, with a long max-age, to make sure returning visitors stay on HTTPS without ever touching the plaintext URL again).

(Image Courtesy Google)

This change reinforces to both users and website operators that the days of an unencrypted web are over – there is simply too much risk involved (to both users and operators). Website operators that don’t use HTTPS by default need to act quickly to address these risks.

Why This Is Needed

Protecting traffic using TLS provides two major benefits for both users and site operators: privacy (confidentiality) and integrity. Both rest on the browser authenticating the server’s certificate; together, these properties let the user trust that no one on the path between them and the server can see or modify their traffic.

Privacy

TLS encrypts data between the browser and the server, ensuring that third-parties (ISP, local network operators, local network users, etc.) aren’t able to see private information such as credentials or cookies. This has been weaponized in many ways, perhaps most famously as Firesheep, an add-on for Firefox that made taking over accounts on popular services a simple experience.

Firesheep helped to raise awareness of the dangers of transmitting cookies over an insecure connection, even when credentials were passed over secure connections – as well as the risks that are present in public networks, such as café WiFi networks.

As the details of each request are encrypted, this also provides a level of privacy as to which pages the user views; the ISP can still learn the domain the user is connecting to (from DNS lookups and the TLS SNI extension), but can’t see which pages on that domain are being accessed.

Integrity

TLS also protects the integrity of the data being sent between the browser and server, ensuring that the data hasn’t been altered by any third-parties. There have been countless cases of ISPs injecting new content (such as messages or ads) into websites, and even some cases of ads being replaced with the ISPs own ads – generating revenue for the ISP while depriving revenue from the site operator.

This has also been weaponized to deliver targeted exploits to users, thus gaining control of their systems (and their networks). The best-known example of this is QUANTUM INSERT, a man-on-the-side attack that leverages network access to inject malicious JavaScript into the server’s response, allowing a website’s visitors to be targeted and attacked.

This type of attack is prevented by using TLS, as it ensures the integrity of the data being sent and received: an injected or altered record fails authentication, and the browser aborts the connection rather than rendering the attacker’s content. Note that this only holds if the page itself loads no scripts or other active content over plain HTTP, since mixed content reopens exactly this door.

Moving Ahead

Now that users are being warned, it’s time to double-check all of your websites to ensure that they use HTTPS by default, and correct any that don’t. Thankfully, between new tools and zero-cost certificate authorities, it’s easier and cheaper than ever to deploy TLS to your systems. There’s also the option of routing your traffic through a CDN and letting it terminate the TLS connection from the browser; if you do, make sure the CDN’s connection back to your origin is also TLS, or the plaintext problem simply moves one hop back. No matter how you do it, one thing is clear: it’s time for TLS everywhere.
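To put the checks from this post into practice, here is an added example (not code from the original post) that evaluates a site’s plain-HTTP and HTTPS responses the way a practitioner would before and after the migration: does HTTP redirect to an https:// URL, is a Strict-Transport-Security header present on the HTTPS response with a sensible max-age, and are cookies kept off the plaintext leg (the Firesheep exposure described under Privacy) and marked Secure on the encrypted one. The sample responses, host names and the one-year max-age threshold are constructed for the example.

```python
"""Offline HTTPS-by-default posture checks for one host.

Added example, not code from the original post. Takes the captured plain-HTTP
response and the HTTPS response for a host and lists what an attacker on the
network path could still see or tamper with. Sample responses are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

REDIRECT_CODES = {301, 302, 307, 308}
ONE_YEAR = 31536000  # seconds; assumed minimum HSTS max-age for this example


@dataclass
class Response:
    status: int
    headers: List[Tuple[str, str]]  # raw header list, since Set-Cookie may repeat

    def get(self, name: str) -> Optional[str]:
        for k, v in self.headers:
            if k.lower() == name.lower():
                return v
        return None

    def get_all(self, name: str) -> List[str]:
        return [v for k, v in self.headers if k.lower() == name.lower()]


def parse_hsts(value: str) -> Dict[str, object]:
    """Parse a Strict-Transport-Security value into its RFC 6797 directives."""
    out: Dict[str, object] = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                out["max_age"] = int(val.strip().strip('"'))
            except ValueError:
                pass  # malformed max-age is treated as absent
        elif name == "includesubdomains":
            out["include_subdomains"] = True
        elif name == "preload":
            out["preload"] = True
    return out


def cookie_attrs(set_cookie: str) -> Tuple[str, List[str]]:
    """Return (cookie name, lowercased attribute names) from a Set-Cookie value."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = [p.split("=", 1)[0].lower() for p in parts[1:] if p]
    return name, attrs


def check_site(http_resp: Response, https_resp: Response,
               min_max_age: int = ONE_YEAR) -> List[str]:
    """Return a list of findings; an empty list means the host passed every check."""
    findings: List[str] = []

    # 1. Plain HTTP must redirect, and the target must actually be https://.
    if http_resp.status not in REDIRECT_CODES:
        findings.append(f"HTTP served content (status {http_resp.status}) instead of redirecting")
    else:
        loc = http_resp.get("Location")
        if loc is None or urlsplit(loc).scheme.lower() != "https":
            findings.append(f"HTTP redirect does not go to https:// (Location: {loc!r})")

    # 2. Anything set on the plaintext leg is readable by everyone on the path
    #    (the Firesheep scenario), even when the redirect itself is correct.
    for c in http_resp.get_all("Set-Cookie"):
        findings.append(f"cookie {cookie_attrs(c)[0]!r} set over plain HTTP")
    if http_resp.get("Strict-Transport-Security") is not None:
        findings.append("HSTS sent over HTTP is ignored by browsers; send it on the HTTPS response")

    # 3. HSTS on the HTTPS response keeps later visits from ever touching HTTP.
    hsts = https_resp.get("Strict-Transport-Security")
    if hsts is None:
        findings.append("no Strict-Transport-Security header on the HTTPS response")
    else:
        parsed = parse_hsts(hsts)
        if parsed["max_age"] is None:
            findings.append(f"HSTS header has no valid max-age: {hsts!r}")
        elif parsed["max_age"] < min_max_age:
            findings.append(f"HSTS max-age {parsed['max_age']} is below {min_max_age}")

    # 4. Cookies issued over HTTPS still leak on the next plain-HTTP request
    #    unless they carry the Secure attribute.
    for c in https_resp.get_all("Set-Cookie"):
        name, attrs = cookie_attrs(c)
        if "secure" not in attrs:
            findings.append(f"cookie {name!r} set over HTTPS without the Secure attribute")
    return findings


# Constructed sample captures (not real responses from any site).
UNSAFE_HTTP = Response(200, [("Content-Type", "text/html"),
                             ("Set-Cookie", "session=abc123; Path=/")])
UNSAFE_HTTPS = Response(200, [("Content-Type", "text/html"),
                              ("Set-Cookie", "session=abc123; Path=/; HttpOnly")])
SAFE_HTTP = Response(301, [("Location", "https://www.example.com/")])
SAFE_HTTPS = Response(200, [("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
                            ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly")])

if __name__ == "__main__":
    for label, pair in (("unsafe", (UNSAFE_HTTP, UNSAFE_HTTPS)), ("safe", (SAFE_HTTP, SAFE_HTTPS))):
        findings = check_site(*pair)
        print(f"{label}: {'OK' if not findings else ''}")
        for f in findings:
            print("  -", f)
```

Running it prints four findings for the constructed unsafe pair and none for the safe one. To use it against a real host, capture the two responses (for example with `curl -si http://host/` and `curl -si https://host/`) and build the `Response` objects from the status line and header lines; the checks themselves need no network access.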

Adam Caudill

Adam Caudill is a Senior Application Security Consultant. He is an expert in application security, with a specialty in applied cryptography; speaking regularly at industry events on topics from data protection to attack techniques. Adam has more than 15 years of experience in information technology, with responsibilities including systems administration, full-stack software development, architecture & system design, security code review, development and implementation of secure development standards, and penetration testing. He utilizes a combination of manual and automated techniques; often building or extending custom automated tools when existing solutions fall short.


Adam is a frequent contributor to open source projects, and maintains a number of security-related projects; from a tool to aid PCI auditors, to cryptography-related tools and libraries. His free time is spent writing about security and development, or working on new research. His writing and research has been cited by many media outlets and publications around the world, from CNN to Wired and countless others.


Expertise

  • Web Application Security Assessment and Penetration Testing
  • Mobile Application Security Assessment and Penetration Testing (iOS & Android)
  • Cryptographic Design & Implementation Review
  • Application Security Code Review
  • Secure Application Development Practices
  • Application Development (C#, Ruby)
  • Security Training
  • Technical Writing and Presentation

Professional and Industry Affiliations

  • Open Web Application Security Project (OWASP), Member
  • BSides Knoxville Conference, Founder
  • Underhanded Crypto Contest, Founder
