
Blog: Truth, fiction and HTTPS

13 Oct 09

One of the tips we frequently see given regarding phishing (and other related Internet attacks) is the importance of checking the address bar for the presence of the HTTPS protocol when accessing web sites where you enter personal information. Although this advice still holds true, it is very frequently misinterpreted as meaning that "whenever a site has HTTPS, it’s safe."

Without going into too much detail, HTTPS (HyperText Transfer Protocol Secure) is intended to ensure that the information transmitted from a user’s computer to a remote web site is encrypted during transmission. An analogy might be that if you were sending a letter, the protocol would be like a sealed envelope that guarantees that the contents can’t be read by anyone until it reaches the recipient.

However, once information reaches the web server, it is no longer encrypted. Therefore, if the server belongs to an attacker rather than the legitimate individual or organisation you think you’re sending information to, it’s easy for the attacker to read it. For various reasons, malicious web servers have generally had to work directly with the HTTP protocol, where information in transit is not encrypted. This is why the advice to check which protocol is being used is so commonly given. However, while it doesn’t commonly happen, an attacker can use the HTTPS protocol on a false (spoofed) or malicious web site. To return to our postal analogy, it doesn’t matter if the envelope keeps the letter’s contents secret in transit if the person who eventually receives it has malicious intentions, because there’s nothing to stop them opening the envelope.

Further to this idea, many people will have read the news this week that Internet Explorer is to support free certificates. StartCom (a company that provides SSL certificates for free) has been added as a valid certifying authority to the Internet Explorer browser. As The H (a major source of security information in Europe) explains, StartCom certificates are now pre-installed as root certificates in Microsoft’s operating system, so that Internet Explorer now accepts StartCom certificates "without prompting the user or requiring any special configurations for the certificates. Third-party programs that use the operating system’s certificate memory will also accept the certificates without asking further questions."

One of the main reasons that attackers don’t purchase SSL certificates has, historically, been their cost (and the need to provide information when applying to buy them). The opportunity of getting certificates for free provides a significant potential opportunity for attackers. They can now register a domain, create an email account and set up malicious servers to work with the HTTPS protocol (and a valid certificate). Thus, if potential victims see the all-important letter "S" (httpS), and this persuades them that the web site is safe, this will provide attackers with a great opportunity to commit some form of malicious act. Reading the StartCom post in which the news was announced, it is important to mention that other browsers (like Google Chrome or Firefox, see picture) already accept StartCom’s free certificates.

Although we’ve specifically considered the possibility that an attacker might install a server with HTTPS legitimately, it’s worth mentioning that other attack vectors have existed previously that simulate the existence of a secure protocol: consider, for instance, the research work carried out by Moxie Marlinspike (Null Prefix Attacks Against SSL/TLS Certificates [http://www.thoughtcrime.org/papers/null-prefix-attacks.pdf]).

In summary:

- "When you access a site that presents a form where you enter personal information, you should verify that it uses the HTTPS protocol" -> TRUE
- "A place where you enter sensitive information and that does not have HTTPS is not safe" -> TRUE
- "Using the HTTPS protocol, information is transmitted encrypted" -> TRUE
- "Whenever a site has HTTPS, it can be considered safe" -> FALSE

Certainly you should verify that sites where you are expected to enter sensitive information use a secure protocol to preserve confidentiality. However, the existence of a secure protocol certainly doesn’t prove that you are connected to a safe, non-malicious web site.

Sebastián Bortnik
Security Analyst
ESET Latin America
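As an added illustration (not part of the original post), the following Python separates the two questions the post says users conflate: whether the transport is encrypted and whether the host at the other end is one you actually trust. The domains, the TRUSTED_HOSTS allow-list and the hostname_matches helper are constructed assumptions; the helper also shows the strict certificate-name comparison that defeats the null-prefix technique referenced above.

```python
# Added example (not from the original post). The domains and TRUSTED_HOSTS
# allow-list are constructed for illustration.
from urllib.parse import urlsplit

# Constructed allow-list: the hosts the user actually intends to log in to.
TRUSTED_HOSTS = {"bank.example", "www.bank.example"}


def hostname_matches(cert_name: str, host: str) -> bool:
    """Strict comparison of a certificate subject name with the expected host.

    Any NUL byte is rejected outright and the whole string is compared, so a
    name like "www.bank.example\\x00.other.example" can never be truncated to
    "www.bank.example" (the defect the null-prefix paper describes). A single
    leading wildcard label ("*.bank.example") matches exactly one label.
    """
    if "\x00" in cert_name or "\x00" in host:
        return False
    cert_name = cert_name.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if cert_name.startswith("*."):
        suffix = cert_name[2:]
        # One label only: "*.bank.example" must not match "a.b.bank.example".
        return host.endswith("." + suffix) and host.count(".") == suffix.count(".") + 1
    return cert_name == host


def assess(url: str, cert_name: str) -> dict:
    """Answer the transport question and the identity question separately."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    encrypted = parts.scheme == "https"        # all the "S" tells you
    cert_ok = encrypted and hostname_matches(cert_name, host)
    trusted = host in TRUSTED_HOSTS            # who is at the other end
    return {
        "encrypted_in_transit": encrypted,
        "certificate_matches_host": cert_ok,
        "host_is_trusted": trusted,
        "safe_to_enter_data": encrypted and cert_ok and trusted,
    }


if __name__ == "__main__":
    # A valid certificate on an attacker-registered look-alike domain: the
    # padlock is genuine, but the site is not the one the user wanted.
    print(assess("https://bank-secure-login.example/", "bank-secure-login.example"))
```

The last case is the post's scenario of a free, valid certificate on a domain the attacker registered: every transport check passes and only the identity check fails.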
