A long time ago in a galaxy far, far away… HTTP was born. After a while, somebody decided they wanted to use the Internet to buy things. Someone else decided they wanted to send secret business emails. Another person went online and didn’t want people seeing what they browse in their spare time. So someone decided to add the letter S to the end of HTTP and everyone was happy.
Nowadays, everything takes place online. Bank accounts can be accessed, taxes can be filed, one quick click and you’ve sent a message to all your friends or co-workers. All that power behind a password. If you are like year-ago me, you have a roster of 3 or 4 passwords that you use on all these sites. No one can manage 30 different passwords for 30 different sites (unless they use management software like LastPass), so we are often left with our bank account having the same password as our email, or our Facebook password identical to our work password. Securing these passwords suddenly becomes priority #1.
On top of that, everyone has got to have WIFI. Imagine, if you will, that I own a shop. And in that shop, we provide WIFI to our customers. Everything that goes from that WIFI hotspot to the Internet has to pass through me, which means I can see all those lovely passwords. I can see all those trade secrets you are emailing. I can see what websites you are spending your precious battery life viewing. I’m a nice guy, or maybe just a humble shopkeeper unaware of my potential power, so I don’t do this to you. At the same time, I don’t ever update my WIFI router’s firmware. I probably don’t know how to! I didn’t even know that there was an admin console on my WIFI router, let alone that I had to change the default password on it! Now someone else comes along and ‘takes control’ of my WIFI router and can view all my customers’ data.
It doesn’t even have to be bad WIFI router management. For under $100, anyone can build a pocket-sized device that will kick you off of whatever WIFI network your device is connected to, make a copy of the WIFI network, and have you re-connect, all without your knowledge as a user. Another scary thought: any user on the same network as you can potentially capture all your traffic with a $20 WIFI card and one free download.
Some people mitigate this risk by submitting passwords or other pieces of sensitive data over HTTPS. Now, someone doing a capture cannot see those credit card numbers or passwords. Great, we have solved half the problem. What about the malicious users who have intercepted and modified websites before the website has reached your computer? Don’t say this is far-fetched, like I said it would cost a malicious user <$100 to build a device that can do this. Any website that uses HTTP in any capacity is now vulnerable.
Let me explain:
A website is served over HTTPS. This website downloads a sidebar, image, or an iframe (anything, really) over HTTP. Common mistake. A malicious user can then inject scripts into the page to steal data and passwords. I found this exact issue two days ago while testing a new product for a client. 30 minutes later and we had a password-harvesting WIFI hotspot for unsuspecting users to enjoy ‘free internet’ with.
Another common mistake: a website is served over HTTP, but the login button redirects to HTTPS, so passwords are always sent encrypted. A malicious user intercepts the initial HTTP page and removes the redirect to HTTPS. Now your passwords and credit cards are sent in plaintext and ready for stealing.
Basically, anything that is sent using HTTP in any capacity cannot be considered safe or secure. Anyone and their dog can easily see what you’re up to with minimal effort.
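Both mistakes above can be caught from the defender’s side. The following is an added example (not code from the original post): it scans a page’s HTML for subresources that would load over plaintext HTTP, and checks whether an HTTPS response carries a Strict-Transport-Security header, which is what tells browsers to stop following an HTTP redirect at all. The host names and HTML are constructed for the example.

```python
# Added example: find HTTP-loaded subresources in an HTML page (mixed content)
# and read the HSTS max-age from response headers. All sample data is constructed.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Tags whose HTTP-loaded content can run or alter script in the page (active content).
ACTIVE = {"script": "src", "iframe": "src", "link": "href", "object": "data", "embed": "src"}
# Tags whose HTTP-loaded content is displayed only (passive content).
PASSIVE = {"img": "src", "audio": "src", "video": "src"}


class MixedContentScanner(HTMLParser):
    """Collects subresource URLs that a browser would fetch over plaintext HTTP."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (severity, tag, absolute url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for table, severity in ((ACTIVE, "active"), (PASSIVE, "passive")):
            if tag in table and attrs.get(table[tag]):
                # urljoin resolves relative and protocol-relative ("//host/x") URLs
                # against the page, so only explicit http:// references are flagged.
                url = urljoin(self.page_url, attrs[table[tag]])
                if urlparse(url).scheme == "http":
                    self.findings.append((severity, tag, url))


def scan_mixed_content(page_url, html):
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    return scanner.findings


def hsts_status(headers):
    """Return the HSTS max-age in seconds, or None if the header is missing/unparseable."""
    hsts = {k.lower(): v for k, v in headers.items()}.get("strict-transport-security")
    if hsts is None:
        return None
    for part in hsts.split(";"):
        part = part.strip().lower()
        if part.startswith("max-age="):
            return int(part[len("max-age="):])
    return None


# Constructed sample: an HTTPS page that pulls a script and an iframe over HTTP.
SAMPLE_HTML = """<html><head>
<script src="http://cdn.example.test/widget.js"></script>
<link rel="stylesheet" href="https://cdn.example.test/style.css">
</head><body><img src="//static.example.test/logo.png">
<iframe src="http://ads.example.test/frame.html"></iframe></body></html>"""

if __name__ == "__main__":
    for finding in scan_mixed_content("https://shop.example.test/", SAMPLE_HTML):
        print(*finding)
    print(hsts_status({"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}))
```

Running it against the sample reports the script and iframe as active mixed content; the protocol-relative image resolves to HTTPS and is not flagged.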
So why do we still use the insecure HTTP? Why not get rid of it? Unfortunately, a good quantity of websites out there still use HTTP. In fact, many people refuse to believe that HTTPS everywhere is necessary, as they do not understand the full risk. Some people don’t want to spend the time and money upgrading. Ask yourself: do I want to do business with a company that does not take the privacy of my data seriously? Remember, it might only be a password for a web forum, but can I guess your email password if I know your other passwords? Can I then reset your bank account password?
With that, I would like to call for the deprecation of HTTP. Generally, things are deprecated when they become obsolete or a security risk. In this case, HTTP is both. HTTPS can provide better security (anything is better than none) and is already widely supported across the globe.
Please, web administrators of the world, redirect your HTTP traffic to HTTPS. Do us and yourself the favor before you become the next breach on Krebs. Little guys are often hit hardest as hackers see them as easy targets. Don’t think you are exempt.
Note: There are many ways for data to be stolen outside of what we call man-in-the-middle attacks, such as bad data management on a server, SQL and code injections, phishing (look-a-like webpages), and many other methods. This article is an attempt to knock one of those methods off the list, and is by no means exhaustive.
Note 2: For simplicity’s sake, I am referring to HTTP and HTTPS as two separate things. In actuality, HTTPS is just HTTP wrapped in SSL/TLS (encryption and authentication, etc). I would like to clarify that I am not calling for a deprecation of HTTP as a standard, as that would inherently include HTTPS, but of the plaintext usage of HTTP seen around the web today.
Note 3: for some examples of MITM attacks, visit some of these links below:
- Troy Hunt: Your login form posts to HTTPS, but you blew it when you loaded it over HTTP
- Troy Hunt: SSL is not about encryption
That’s all for today! Feel free to comment or ask any questions below! Thanks for your time!