Akamai's HTTPS fail sets a bad example

Summary: If your website doesn't use HTTPS by default, or if your certificate isn't properly configured, then you're not taking privacy seriously. In fact, you're part of the problem.

TOPICS: Security, Cloud

"If your firm uses Akamai, know that they can't even be bothered to install a valid HTTPS cert for their own website," tweeted Christopher Soghoian, a technologist whose day job is with the American Civil Liberties Union (ACLU), on Tuesday. He's referring to the site's digital certificate which, if it were valid for the name you typed into the browser, would let your browser confirm when you make an encrypted connection that it's actually talking to the right server, as opposed to an impostor sitting in between.

Except it isn't, so it doesn't.

Soghoian is also clearly unimpressed with Akamai's response. Apparently, the certificate has been dodgy for months, and Akamai has been told about it several times. "Thanks for noting, Chris. It's something we're actively addressing. Hope you'll let your followers know that, as well," tweeted Jamie Pappas, a social media consultant who's working with Akamai.

Now, in this particular instance, we're probably not connecting to an impostor. "You attempted to reach akamai.com, but instead you actually reached a server identifying itself as a248.e.akamai.net," says the warning in the Google Chrome web browser. The complaint is about the name on the certificate, not its signer: it's a genuine certificate, just not one issued for the name I asked for. I'm guessing that a248.e.akamai.net is a server in Akamai's cloud that's correctly serving out Akamai's website.

But that's only a guess. Little ol' a248.e could also be run by any one of Akamai's customers, or even by hackers who've found their way into Akamai's infrastructure somehow, running a web proxy, intercepting my web traffic, or even loading my computer with malware, all while simultaneously showing me Akamai's site, or even just a convincing replica.

There's simply no way I can tell.

So I weigh the odds, chew my thumb, toss a coin, and click on "Proceed anyway".
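Here is the check the browser ran before it showed that warning, as an added example; it is not Akamai's or any browser's code. The certificate names are the ones quoted in the comments below the article (`*.akamaihd.net`, `*.akamaihd-staging.net`, `a248.e.akamai.net`); the certificate dict is constructed here in the layout Python's `ssl.SSLSocket.getpeercert()` returns, so the script runs offline. The wildcard rules follow what modern browsers enforce: `*` matches exactly one label, only in the left-most position.

```python
"""Hostname-vs-certificate name matching, the check behind a
"bad cert domain" warning. Added example, not Akamai's or any browser's
code. PEER_CERT is constructed to mimic ssl.SSLSocket.getpeercert();
the names in it come from the browser error quoted in the comments."""
from typing import List, Optional

# Constructed to match getpeercert()'s layout; names from the quoted error.
PEER_CERT = {
    "subject": ((("commonName", "a248.e.akamai.net"),),),
    "subjectAltName": (
        ("DNS", "*.akamaihd.net"),
        ("DNS", "*.akamaihd-staging.net"),
        ("DNS", "a248.e.akamai.net"),
    ),
}


def dns_names(cert: dict) -> List[str]:
    """DNS names a certificate is valid for. Browsers use subjectAltName;
    the commonName is only a fallback for certificates that lack one."""
    names = [v for t, v in cert.get("subjectAltName", ()) if t == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    names.append(value)
    return names


def _label_ok(pattern: str, label: str) -> bool:
    """One DNS label against one pattern label. Only a whole-label '*' is
    honoured; partial wildcards such as 'a24*' are rejected."""
    if pattern == "*":
        return True
    return "*" not in pattern and pattern == label


def matching_name(hostname: str, names: List[str]) -> Optional[str]:
    """Return the certificate name that covers hostname, or None
    (the ssl_error_bad_cert_domain case)."""
    host = hostname.lower().rstrip(".").split(".")
    for name in names:
        pat = name.lower().rstrip(".").split(".")
        if len(pat) != len(host):
            continue                      # '*' spans exactly one label
        if any("*" in p for p in pat[1:]):
            continue                      # wildcard only in the left-most label
        if pat[0] == "*" and len(pat) < 3:
            continue                      # no '*.net'-style wildcards
        if all(_label_ok(p, h) for p, h in zip(pat, host)):
            return name
    return None


def verdict(hostname: str, cert: dict) -> str:
    """The one-line answer a browser turns into a warning page."""
    names = dns_names(cert)
    hit = matching_name(hostname, names)
    if hit:
        return f"{hostname}: ok, covered by {hit}"
    return (f"{hostname}: bad cert domain, certificate is only valid for "
            + ", ".join(names))


if __name__ == "__main__":
    for host in ("www.akamai.com", "a248.e.akamai.net", "cdn.akamaihd.net"):
        print(verdict(host, PEER_CERT))
```

Run it and `www.akamai.com` comes back as a bad cert domain while `a248.e.akamai.net` and anything one label under `akamaihd.net` are covered; `a.b.akamaihd.net` is not, because the wildcard does not span two labels. That is the whole of the warning: the connection is encrypted, but to a name that isn't the one you typed.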

It's a bad habit to be getting into. Once I start ignoring warnings in cases like this, I'll end up paying less attention to them, and I might start missing the times when I connect to examp1e.com instead of example.com; imagine what fun the bad guys will be able to have once Unicode is more widespread in domain names and a Cyrillic letter can stand in for a Latin one that looks identical. Or I'll be tempted to skip over more serious warnings, such as expired certificates, or certificates issued by an authority my browser has no reason to trust.
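The lookalike names in that paragraph can be caught mechanically, and the added example below (not from the article) shows the two checks that matter: an ASCII near-miss such as `examp1e.com`, and an internationalised name whose display form hides a non-Latin letter. The confusables table is a constructed, deliberately tiny subset of the real Unicode confusables data; the point is that the comparison must be made on the wire form (IDNA/punycode, which is what DNS and the certificate actually see), never on what the address bar renders.

```python
"""Lookalike-domain checks for the warnings worth keeping. Added example,
not from the article. CONFUSABLES is a constructed subset for
illustration; a real deployment would use the Unicode confusables data."""
from typing import Optional

# Constructed subset: characters that render close to a Latin letter.
CONFUSABLES = {
    "1": "l", "0": "o", "3": "e", "5": "s",
    "\u0430": "a",  # Cyrillic small a
    "\u0435": "e",  # Cyrillic small ie
    "\u043e": "o",  # Cyrillic small o
    "\u0440": "p",  # Cyrillic small er
}


def skeleton(domain: str) -> str:
    """Collapse look-alike characters so visually similar names compare equal."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in domain.lower())


def wire_form(domain: str) -> str:
    """What actually goes into DNS and the certificate: the IDNA (xn--) form.
    Pure-ASCII names come back unchanged."""
    return domain.encode("idna").decode("ascii")


def lookalike_of(candidate: str, trusted: str) -> Optional[str]:
    """Return a reason if candidate impersonates trusted, else None."""
    if candidate.lower() == trusted.lower():
        return None                       # the genuine name, nothing to flag
    if skeleton(candidate) != skeleton(trusted):
        return None                       # merely a different name
    wire = wire_form(candidate)
    if wire != candidate:
        # Non-ASCII letters: the browser may show 'example.com', DNS sees xn--
        return f"{candidate!r} looks like {trusted} but is really {wire}"
    return f"{candidate!r} looks like {trusted} (ASCII near-miss)"


if __name__ == "__main__":
    for name in ("example.com", "examp1e.com", "ex\u0430mple.com", "example.org"):
        print(name, "->", lookalike_of(name, "example.com"))
```

`wire_form` uses Python's built-in `idna` codec, so the Cyrillic example comes back as an `xn--` label even though it renders indistinguishably from `example.com`; that `xn--` form is the one to show users and to match certificates against.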

Laziness, some might say? Inevitable, given human nature, a realist would say.

That's why Soghoian is right to be giving Akamai a slap. It's one of the world's largest content delivery networks (CDNs), claiming to serve out 30 percent of all web traffic by volume, and yet it hasn't bothered to get this basic bit of security configuration sorted out. That's the real laziness. And Akamai is far from being the only guilty party when it comes to this sort of thing. I'm embarrassed to admit it, but I'm guilty, too.

I suppose some will argue that it's all a fuss over nothing, that all I'm looking at is Akamai's public website, and there's nothing confidential about that. If I'm wanting to do something that needs security, like manage any Akamai services I might run, then I'd be using its control panel at control.akamai.com — and there the certificates are in order.

My counter-argument is that, as the revelations of Edward Snowden have shown us, anything and everything can be of value to an observer. It all adds up.

Indeed, when it comes to securing credit card data, the traditional use for HTTPS, I tend to agree with security megastar Gene Spafford: "Using encryption on the internet is the equivalent of arranging an armoured car to deliver credit card information from someone living in a cardboard box to someone living on a park bench," he's been quoted as saying. The bad guys scoop up credit card numbers in bulk these days, and the banks have become very good at spotting fraudulent transactions, which means there's no value in picking off credit card numbers one at a time.

No, think instead about what you could learn by monitoring ordinary, unencrypted web browsing, perhaps by sniffing the hotel or airport Ethernet. Watch what academic papers the researcher is reading, revealing her company's plans for future products. Note the married businessman browsing an escort agency, providing an opportunity for blackmail. See the shipping company confirmation that the order will be delivered on Friday, meaning an opportunity to intercept and steal the package.

Any organisation that purports to care about its customers' privacy but doesn't use HTTPS is basically telling porkies, especially when certificates can be had for free, and even if you need to screw around with the approval process, it takes under an hour to configure one.

I've just added "Install HTTPS certificate" and "Enable HTTPS by default" as to-do list items for all the websites I'm personally responsible for. If you manage any websites, you should be doing the same.


About

Stilgherrian is a freelance journalist, commentator and podcaster interested in big-picture internet issues, especially security, cybercrime and hoovering up bulldust.

He studied computing science and linguistics before a wide-ranging media career and a stint at running an IT business. He can write iptables firewall rules, set a rabbit trap, clear a jam in an IBM model 026 card punch and mix a mean whiskey sour.


Talkback

3 comments
  • It isn't a bad certificate, though it IS misused.

    The error is that the certificate is being used by a machine on a different domain...

    And that can happen anytime there is an IP redirection to alternate hosts.

    Should the connection be trusted? nope. Everyone should instead contact the administrators at known sites (the sites are listed in the error) and tell them something is wrong with their configuration.

    The actual error is:

    "www.akamai.com uses an invalid security certificate.

    The certificate is only valid for the following names:
    *.akamaihd.net , *.akamaihd-staging.net , a248.e.akamai.net

    (Error code: ssl_error_bad_cert_domain)"
    jessepollard
  • What does ZDNet's website do when you type "https"?

    Question, what happens if you type "https://www.zdnet.com/" instead of "http://"?

    If it is the same thing as when you type "https://www.akamai.com/", perhaps ZDnet should write an article on itself?
    ianai
  • Hypocrisy?

    > "If your website doesn't use HTTPS by default, or if your certificate isn't properly configured, then you're not taking privacy seriously. In fact, you're part of the problem."

    This on a website that is not HTTPS by default
    supuhstar