Newly discovered HTTPS vulnerabilities can leave your data exposed

“HTTPS is said to be more secure and less prone to middle-man attacks, but new research says that’s not the case” 

Researchers at Ca’ Foscari University of Venice, Italy, and TU Wien, Austria, have discovered that over 10,000 top websites, which are using HTTPS, are still vulnerable to Transport Layer Security exploits. HTTPS (Hypertext Transfer Protocol Secure) replaced HTTP several years ago and is currently used by most top websites, but it has been found to still not be safe. HTTPS is supposed to protect users from man-in-the-middle attacks and prevent hackers from gaining access to your passwords, history and other data.


The new research states that certain websites that use HTTPS to secure the connection between the user and the web server are still leaving some user data exposed to hackers. Out of the 10,000 websites that were analysed, about 5.5 percent were found to be vulnerable to exploits. HTTPS uses Transport Layer Security, or TLS, to encrypt communication. However, some websites aren’t implementing this protocol properly. These sites have failed to fix some known bugs with TLS.


However, the green padlock for HTTPS still appears in the address bar when users visit these websites. The bugs in TLS are very hard to detect, but they are still there and can potentially be exploited. The researchers used a TLS analysis technique to analyse the top 10,000 websites, which they selected using Alexa’s ranking list. The research paper will be presented at the 40th IEEE Symposium on Security and Privacy, which will be held in San Francisco in May.

The flaws can be used by an attacker to decrypt information from cookies. Although cookies won’t provide any sensitive information to the attacker, there are other flaws that will. The attacker can gain access to pretty much all the data that is exchanged between the browser and a server. Protecting that data is the main reason why HTTPS was used instead of HTTP, but it seems like it may still not be doing the best job.

It is important to note that the 10,000 websites that were tested are also linked to about 91,000 domains. The vulnerabilities could affect these websites as well. Of the 10,000 websites, 898 sites were fully vulnerable and their entire data was found to be compromised. Another 977 websites had low-integrity pages, which is again a very big issue.