HTTPS Vulnerabilities Could Allow Attackers to Snoop on Your Data: Researchers

Share on Facebook Tweet Share Reddit Comment
HTTPS Vulnerabilities Could Allow Attackers to Snoop on Your Data: Researchers

Security researchers have found HTTPS vulnerabilities amongst top 10,000 websites on the Internet

Highlights
  • Security researchers have found HTTPS flaws in some of the top websites
  • Most of these flaws still remain undetected
  • Some flaws are minor while others have allow attackers to manipulate data

That little green padlock that appears on your browser's address bar looks reassuring. It means the website you're currently visiting uses HTTPS (Hypertext Transfer Protocol Secure) for a secure connection. HTTPS protects you against man-in-the-middle attacks, that ensures no one can see your passwords, search history, and other sensitive content. Almost all popular websites now use HTTPS to encrypt the data between your web browser and web servers it communicates with.

However, new research claims some websites using HTTPS are still leaving their connections exposed. Researchers at Ca' Foscari University of Venice in Italy and Tu Wien in Austria have analysed the top 10,000 websites that use HTTPS and found that nearly 5.5 percent of these are vulnerable to TLS (Transport Layer Security) exploits.

The communication protocol in HTTPS is encrypted using Transport Layer Security (TLS), previously known as Secure Sockets Layer (SSL). Researchers claim that the flaws they've discovered are a result of issues that crop up depending on how websites implement TLS encryption schemes. These websites may have also failed to patch known buds in TLS and SSL.

But when you're visiting such a website, the shiny green padlock will still appear on your browser's address bar. That's how subtle these flaws can be, they're hard to detect. These flaws normally go unnoticed, claim the security researchers who discovered them.

The flaws were discovered by using TLS analysis techniques to crawl and analyze the top 10,000 sites for TLS issues. The researchers picked up these websites from Alexa's ranking of top websites on the Internet.

These security flaws could potentially allow a malicious attacker to decrypt small information such as session cookies, but wouldn't be much useful in extracting something as sensitive as a password.

But there are some more 'leaky' flaws that could potentially allow attackers to decrypt almost all of the Web traffic passing between a browser and a Web server, according to the research paper.

Then there are 'tainted' vulnerabilities that could potentially enable attackers to decrypt and manipulate data being transferred between a browser and a web server. These man-in-the-middle attacks are exactly the reason why HTTPS was put into place.

Researchers claim that all the top 10,000 websites that were tested also include around 91,000 related domains. HTTPS vulnerabilities in these websites could increase the overall number of affected sites.

Vulnerabilities discovered that 898 websites, from the 10,000 total websites they tested, were fully compromisable while 977 websites presented low integrity pages. The full research paper will be presented at the 40th IEEE Symposium on Security and Privacy at San Francisco in May this year.

Comments

For the latest tech news and reviews, follow Gadgets 360 on Twitter, Facebook, and subscribe to our YouTube channel.

Further reading: HTTPS
Harpreet Singh Harpreet is the community manager at Gadgets 360. He loves all things tech, and can be found hunting for good deals when he’s not shopping online. More
Netflix’s Next Indian Film, Music Teacher, Gets April Release Date
Oppo Reno TENAA Listing Tips Specifications, Video Details Periscope Camera Design
 
 

Advertisement

 

Advertisement

© Copyright Red Pixels Ventures Limited 2019. All rights reserved.