The HyperText Transfer Protocol Secure, better known as HTTPS, is now considered the standard for making the websites we visit every day more secure. Thanks in part to a push from big players such as Google, among others, this protocol is gradually replacing the old HTTP, which over the years has proved increasingly vulnerable to hacker attacks.
In particular, HTTPS was created to defend users from so-called man-in-the-middle attacks, that is, attacks in which the hacker manages to place himself between the user and the website's server, impersonating the latter to the unsuspecting user. In this way the hacker is able to examine all the traffic and data exchanged between the user and the web server he “impersonated”, and so get his hands on sensitive information such as the details of a banking transaction or the username and password needed to log in. What HTTPS adds over the earlier HTTP is encryption of the data exchanged, carried out with the TLS protocol: Transport Layer Security. But is a site that implements HTTPS really that secure?
A site that implements the HTTPS protocol cannot always be considered 100% safe, as shown by in-depth research carried out by researchers. The study scanned 10,000 websites with HTTPS, to be precise the top ten thousand by traffic as ranked by Amazon Alexa. Of these sites, 5.5% were affected by at least one vulnerability that could have allowed a hacker to steal part of the data (if not all) transmitted between user and server.
The vulnerabilities are of various types: some, minor, allow a malicious expert to intercept tracking cookies or little more, while other, much more serious, vulnerabilities allow the hacker to mount a “man in the middle” attack, which is exactly what the HTTPS protocol should prevent. Finally, in some specific cases, the researchers found that it was possible not only to intercept the data but even to modify it in transit.
5.5% of ten thousand is a small number of sites, and of these just 292, in total, showed the most worrying vulnerabilities. The problem, however, is that most of these large sites analyzed by researchers in Venice and Vienna have a certain number of linked subdomains (generally used to provide specific services): 5,282 in total. And if the main domain is vulnerable, so is the linked subdomain.
A very interesting finding from the analysis of these sites is that most browsers do not notice the vulnerabilities of the domains and continue to consider them safe, displaying the famous green padlock to the left of the web address. This leads the user to trust the site and use all of its features, including any online payments by credit card. This is mainly because browsers often only verify that the site has a valid HTTPS certificate issued by a certification authority such as VeriSign or Microsoft.
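The padlock says nothing about how a site's cookies are scoped across its hosts. The following Python example is added here for illustration and is not taken from the article or the study: it assumes standard cookie domain matching as one way hosts under the same domain share exposure, and it reports which cookies would reach a host that a TLS scan flagged as weak or would travel over plain HTTP. All host names, cookie values and the weak-host set are constructed samples.

```python
from http.cookies import SimpleCookie

# Constructed inventory: host -> Set-Cookie header values it returned.
# Host names, cookie names and the weak-host set are hypothetical samples.
SET_COOKIE_BY_HOST = {
    "www.example.test": [
        "track=u123; Domain=example.test; Path=/",
        "session=abc; Path=/; Secure; HttpOnly",
    ],
    "shop.example.test": ["cart=42; Domain=example.test; Path=/; Secure"],
}
WEAK_TLS_HOSTS = {"legacy.example.test"}  # hosts a TLS scan flagged (constructed)
ALL_HOSTS = set(SET_COOKIE_BY_HOST) | WEAK_TLS_HOSTS


def receivers(origin, domain_attr, hosts):
    """Hosts a browser sends the cookie to, using cookie domain matching."""
    if not domain_attr:                      # host-only cookie: origin only
        return {origin}
    d = domain_attr.lstrip(".").lower()
    return {h for h in hosts if h == d or h.endswith("." + d)}


def audit(set_cookie_by_host, weak_hosts, hosts):
    """Return {cookie_name: list of reasons the cookie can leak}."""
    findings = {}
    for origin, headers in set_cookie_by_host.items():
        for header in headers:
            jar = SimpleCookie()
            jar.load(header)                 # parses one Set-Cookie value
            for name, morsel in jar.items():
                reasons = []
                if not morsel["secure"]:
                    reasons.append("no Secure flag: also sent over plain HTTP")
                scope = receivers(origin, morsel["domain"], hosts)
                for h in sorted(scope & weak_hosts):
                    reasons.append(f"in scope of weak TLS host {h}")
                if reasons:
                    findings[name] = reasons
    return findings


if __name__ == "__main__":
    result = audit(SET_COOKIE_BY_HOST, WEAK_TLS_HOSTS, ALL_HOSTS)
    for name, reasons in result.items():
        print(name, "->", "; ".join(reasons))
```

The host-only `session` cookie is the only one that stays clean: it carries the Secure flag and is never sent to the flagged host.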
The researchers of the two universities prefer not to raise the alarm and say that hardly any hacker will want to exploit the security bugs found in the analyzed sites. This is because an attack aimed at such defects in the implementation of the HTTPS protocol would still be less simple, fast and effective than other techniques available today for stealing sensitive data from users. However, the problem remains, even if it is not huge, and there is very little the user can do to protect himself.
The recommendation not to visit non-HTTPS websites is still valid, as is that of never carrying out financial transactions or particularly sensitive data exchanges on plain HTTP sites. But each of us would expect the HTTPS certification of a domain, and the green padlock the browser shows us, to be a guarantee of security.
Unfortunately, once again, nothing on the Internet is absolutely safe and prudence always remains the golden rule because, to be honest, the HTTPS protocol has already been “breached” in the past. The most famous case is that of Heartbleed, a serious bug in the OpenSSL cryptography library (one of the libraries most used for the TLS protocol that is part of HTTPS) that between 2012 and 2014 put at risk millions of websites, including those of giants such as Yahoo!, Tumblr and Flickr. In total, around 17% of sites that had implemented HTTPS at the time used OpenSSL and were vulnerable to an attack based on it. In that case it took until June 2014 for the patch that blocked the Heartbleed flaw to be applied by all the sites affected by the problem.