Story image

Blog: Truth, fiction and HTTPS

13 Oct 2009

One of the tips we frequently see given regarding phishing (and other related Internet attacks) is the importance of checking in the address bar for the presence of the HTTPS protocol to access web sites where you enter personal information.Although this advice still holds true, it is very frequently misinterpreted as meaning that "whenever a site has HTPPS, it’s safe."Without going into too much detail, HTTPS (HyperText Transfer Protocol Secure) is intended to ensure that the information transmitted from a user’s computer to a remote website is encrypted during transmission. An analogy might be that if you were sending a letter, the protocol would be like a sealed envelope that guarantees that the contents can’t be read by anyone until it reaches the recipient.However, once information reaches the web server, it is no longer encrypted. Therefore, if the server belongs to an attacker rather than the legitimate individual or organisation you think you’re sending information to, it’s easy for him to read this information. For various reasons, malicious web servers have generally had to work directly with the HTTP protocol, where information in transit is not encrypted. This is why the advice is so commonly given to check which protocol is being used. However, while it doesn’t commonly happen, an attacker can use the HTTPS protocol on a false (spoofed) or malicious website. To return to our postal analogy, it doesn’t matter if the envelope keeps the letter’s contents secret in transit if the person who eventually receives it has malicious intentions, because there’s nothing to stop them opening the envelope.Further to this idea, many people will have read the news this week that Internet Explorer is to support free certificates.  StartCom (a company that provides SSL certificates for free) has been added as a valid certifying authority to the Internet Explorer browser. As The H (a major source of security information in Europe) explains, StartCom certificates are now pre-installed as root certificates in Microsoft’s operating system, so that Internet Explorer now accepts StartCom certificates  "without prompting the user or requiring any special configurations for the certificates. Third-party programs that use the operating system’s certificate memory will also accept the certificates without asking further questions."One of the main reasons that attackers don’t purchase SSL certificates has, historically, been its cost (and the need to provide information when applying to buy them). The opportunity of getting certificates for free provides a significant potential opportunity for attackers. They can now register a domain, create an email account and set up malicious servers to work with the HTTPS protocol (and a valid certificate). Thus, if potential victims see the all-important letter "S" (httpS), and this persuades them that the web site is safe, this will provide attackers with a great opportunity to commit some form of malicious act.Reading the Startcom post in which the news was announced, it is important to mention that other browsers (like Google Chrome or Firefox – see picture) already accept Startcom’s free certificates from the company.https2Although we’ve specifically considered the possibility that an attacker might install a server with HTTPS legitimately, it’s worth mentioning that other attack vectors have existed previously that simulate the existence of a secure protocol: consider, for instance, the research work carried by Moxie Marlinspike (Null Attacks Against Prefix SSL Certificates []).In summary:- "When you access a site that presents a form where you enter personal information, you should verify that it uses the HTTPS protocol" -> TRUE- "A place where you enter sensitive information and that does not have HTTPS is not safe" -> TRUE- "Using the HTTPS protocol, information is transmitted encrypted" -> TRUE- "Whenever a site has HTTPS, it can be considered safe" -> FALSECertainly you should verify that sites where you are expected to enter sensitive information use a secure protocol to preserve confidentiality.  However, the existence of a safe protocol certainly doesn’t prove that you are connected to a safe, non-malicious website. Sebastián BortnikSecurity AnalystESET Latin-America

Cloud application attacks in Q1 up by 65% - Proofpoint
Proofpoint found that the education sector was the most targeted of both brute-force and sophisticated phishing attempts.
Huawei to deploy Open Rack in all its public cloud data centres
Tech giant Huawei has unveiled plans to adopt Open Rack proposed by the Open Compute Project in its new public cloud data centres across the globe.
Beyond renewables: Emerging technologies for “greening” the data centre
Park Place Technologies’ CEO shares his views on innovations aside from renewable energy that can slim a data centre’s footprint.
Interxion’s David Ruberg wins Europe’s best data centre industry CEO
The European CEO Awards took place this week to celebrate the key figures at the helm of corporations that are driving innovation.
Opinion: 5G’s imminent impact on data centre infrastructure
Digital Realty’s Joseph Badaoui shares his thoughts on how 5G will transform data centre infrastructure now and beyond.
EMEA external storage market hits record high, Dell EMC on top
IDC's recent analysis on the external storage market in EMEA has shown healthy results - with some countries performing better than others - largely fuelled by all-flash arrays.
SolarWinds extends database anomaly detection
As organisations continue their transition from purely on-premises operations into both private and public cloud infrastructures, adapting their IT monitoring and management capabilities can pose a significant challenge.
Was Citrix unaware of its own data breach until the FBI got involved?
According to a blog post from Citrix’s CSIO Stan Black, the FBI contacted Citrix on March 6 and advised that international cybercriminals had allegedly gained access to Citrix’s internal network.