TechGuard Blog

HTTPS: "Secure" Doesn't Always Mean "Secure"

Visualize yourself standing in the middle of a crowd shouting out your personally identifiable information, your credit/debit card number and your home address. No one would ever risk doing this, because odds are in that crowd stands an opportunist who will capitalize on the situation and steal your information.However, when surfing the internet this precisely what we are risking. According to an annual survey conducted by analytics firm comScore and UPS found that 51% of consumers make their purchases online, often using a smartphone. In addition to shopping, consider the number of people who pay their bills online. Now people can even check on medical tests by logging into portals set up by their doctor’s offices. While extremely convenient, is level of security in place enough?

Hyper Text Transfer Protocol (HTTP) is the protocol over which data is sent between your browser and a website. The HTTP protocol sends data in plain text across the internet. In a nutshell, this means anyone can intercept and view the information being transmitted. It would be a complete disaster if private or financial information were available to anyone monitoring web traffic. As a result, we use HTTPS to protect transactions of a private nature on the internet and because HTTP lacks any security, there is a movement away from it all together. In fact, Google has already switched their basic search page to HTTPS.


What is HTTPS


Hyper Text Transfer Protocol Secure (HTTPS) is the secure version of the HTTP protocol. HTTPS pages typically use one of two protocols to encrypt communications between a browser and a website.

  • SSL (Secure Sockets Layer)
  • TLS (Transport Layer Security)

Web browsers such as Internet Explorer, Firefox and Chrome display a padlock icon in the address bar to visually indicate that there is an HTPPS connection. Additionally, some browsers have implemented color coding schemes to show the validity and safety of a website.


How Does it Work


The TLS and the SSL protocols use a Public Key Infrastructure (PKI). PKI is a system which utilizes two 'keys' to encrypt communications. Commonly referred to a 'public' key and a 'private' key. Any encryption done with one of the keys must be decrypted with the other. In other words, anything encrypted with the public key must be decrypted utilizing the private key and vice-versa.

The 'private' key is the proverbial key to the kingdom. It should be protected and only be accessible by the private key owner. Public keys are intended to be distributed to anybody needing to decrypt information encrypted with the private key.


Watch Out for a False Sense of Security


The ideas behind using HTTPS certificates are:

  • Sensitive personal and financial information (commonly referred to as Personal Identifiable Information (PII)), is encrypted and cannot be intercepted.
  • The website's domain ownership can be verified.
  • Consumers tend to trust sites that use HTTPS to protect their data. Visitors can verify you are a registered business and that you own the domain.

The reality is that no system is 100% secure.

  • Today, everyone should be using TLS 1.2 at a minimum. Flaws in older SSL and TLS versions make them vulnerable to various attacks such as Padding Oracle On Downgraded Legacy    Encryption (POODLE), Browser Exploit Against SSL/TLS (BEAST), Compression Ratio Info-leak Made Easy (CRIME), Heartbleed and more. There are other tools that can watch for HTTPS traffic, then transparently map those links into look-a-like destinations.
  • Certificate Authorities can be compromised, and/or bad certificates issued.


Determine the Type of Cipher Used to Encrypt the HTTPS Connection


Research which cipher is used and determine if updated versions of TLS are being used. If you use web browsers such as Internet Explorer, Chrome or Firefox; the instructions are similar and straightforward. Initially, enter the URL you want to check in the browser. Depending on the web browser, this can typically be done in 4 simple steps or less.


Internet Explorer Users:

  •   Right-click the page and select Properties.
  •   Look for the Connection section. This section will describe the version of TLS or SSL used.

Chrome Users:

  •   In the address bar, click the icon to the left of the URL.

Firefox Users:

  •   In the address bar, click the icon to the left of the URL.
  •   Click on More Information.
  •   Select the Security tab.
  •   Look for the Technical details section. This section will describe the version of TLS or SSL used.


10 Best Practices for Internet Security


All business should be on top of ensuring the encryption protocols are up to the highest standards. However, we as individuals should be proactive in protecting our information as well. Let’s be realistic though. If you are anything like me, you are not likely to take steps to determine the type of cipher used to encrypt the secure connection. Below are simple steps everyone should follow to stay secure online.

  1.   Use a personal firewall or anti-virus programs.
  2.   Keep up-to-date on installed security patches.
  3.   Turn off Sharing Settings when connecting to public Wi-Fi.
  4.   Turn off Wi-Fi when not in use. This action will prevent your device from automatically connecting to a network.
  5.   Watch out for malicious hot spots. The network could be set up by an attacker in an attempt to steal data.
  6.   Pay attention to the details. Watch out for suspicious domain names.
  7.   Don't do online banking or access sensitive data on public Wi-Fi (even if it uses HTTPS).
  8.   Use a VPN for additional privacy and security.
  9.   Setup and use Multi-Factor Authentication for your sensitive logins when available.
  10.   If anything looks suspicious, err on the side of caution. Awareness is your best defense.


Take Away


Proper encryption is vital to protecting data in transit. However, a data breach can occur with poorly configured servers. Remember, the use of HTTPS protocol vs. HTTP doesn't guarantee security. Use your best judgment and follow the best practices guidance. Flaws continue to surface; therefore businesses should continue to check the cipher used to encrypt the data to confirm it's the most updated and secure version. TechGuard can help identify and remediate vulnerabilities in the security configuration of your servers. Customers are more likely to trust and buy from sites that use HTTPS. Stories of attacks such as a BEAST attack remind us of the ever-present threats undiscovered vulnerabilities pose to sensitive data. Breaches are not just some unfortunate incident that happens to big companies. They impact small to mid-size businesses as well and often have devastating consequences. Security is a shared responsibility that we cannot take lightly.

Written by Melanie Nagel