Friday, August 2, 2013

HTTPS and how websites aren't using it properly

Although my activity here with blogging has been quite slim with me devoting all of my time setting up Techman's World IRC, I was reading an article today about how some websites, even major ones, are misusing HTTPS for it's communications.

Many sites use HTTPS for secure transit of material across the internet. The difference of course from normal HTTP is that data sent over HTTP is unencrypted, and otherwise unprotected from anyone wanting to snoop. HTTPS data packets are of course encrypted, making it harder to view data while in transit. Not to say that the protection is not fool proof; there are some shortcomings of using SSL/TLS, but generally it's better to use it than not to use it.

Specifically, the article I was reading discussed how some HTTP sites that have HTTPS functionality still load over HTTP and serve login forms over HTTP. This might already sound like a big security risk, but the forms instead send all POST data over HTTPS. Essentailly, the web form to login is sent over HTTP, but the data sent from it (e.g. logging in) is over HTTPS.

Does it sound risky to you? Actually, it's a pretty big security risk. Before I get into explaining exactly what is bad with the method I just showed you, I wanted to show you an example of one of the most high profile sites on the internet serving login forms over HTTP, but sending data from the form in HTTPS: GoDaddy.

While I have covered it a bit in the past here on Techman's World, this time I'm putting it more in a negative light because of how it handles security. While the majority of folks can log in using a HTTPS page, the home page can still be loaded over HTTP, and subsequently a security risk.

It's kind of hard to describe how this experiment can be done, but I'll try my best with a screenshot:
In the above photo, notice how my mouse pointer is hovering over the URL of the entry that has the POST method right next to it. The posted data is sent over HTTPS, but since the form is loaded over HTTP it can be modified in transit so the attacker can actually change the URL that the form posts to..effectively making you post your login credentials to his/her server. What's worse is that you probably won't even notice what happened.

This is why web forms need to be loaded over a secure connection, so that the forms cannot be modified in transit, or otherwise it can't be tampered with. That way, you have a fully secure session with a server, instead of a potentially insecure one.

Hope you guys enjoyed this informative article. Sorry about not I have said before I am working on building the chat network. I worked on installing a few new servers in yesterday, so if you want to check it out, or see what I am doing in real time, hit the chat button at the top.

Also, I encourage that you guys tweet this to +GoDaddy on Twitter and Google+ so they can see this, and improve their own system because I used them as a great example.