HTTPS a must to boost trusted networks

Secure networks should not be substitutes for HTTPS, as encrypting traffic is the only way to stop "sidejacking", security experts say, adding that Web sites which host users' personal data must offer it.
Written by Tyler Thia, Contributor

No matter how safe end user networks are, it is still essential for Web properties to enable HTTPS (Hypertext Transfer Protocol Secure) to guard against "eavesdropping", security experts say.

Paul Ducklin, Sophos' head of technology for the Asia-Pacific region, cautioned businesses and individuals against getting too complacent with the notion of "trusted networks".

"Even if you trust your network at home or at work, your packets still have to traverse the Internet to reach the site at the other end," he explained in an e-mail interview with ZDNet Asia. "HTTPS is like having a special-purpose VPN (virtual private network) for an individual Internet transaction."

Ronnie Ng, Symantec's manager for systems engineering in Singapore, noted in an e-mail that "no network is completely secure", as unencrypted traffic on any network can be "sniffed".

"The various network hops on the route from the user to the destination site further upstream may or may not be secure, depending on the communications service providers, Internet service providers or organizations' networks through which the traffic passes."

However, Jonathan Andresen, technology evangelist at Blue Coat, pointed out that HTTPS does not necessarily ensure safety due to the increasing complexity of malware threats.

"[Cybercriminals] are leveraging dynamic Web links to attack trusted and protected locations," he said. "Using dynamic links, cybercrime can build attack infrastructures, changing only the location of the malware deliverable.

"As a result, encryption of confidential data is not adequate enough to solve [the] dynamic malware problem."

According to Andresen, most e-commerce and social networking sites have already turned HTTPS on, giving users the extra security coverage. HTTPS, he added, is expected to account for the majority of all enterprise traffic within five years, with about 50 percent of enterprises today already using SSL (Secure Sockets Layer)-enabled applications.

But while HTTPS is the most widely available way to protect a Web connection today, sites that have not implemented it often cite speed and cost as major deterrents, according to a blog post earlier this month by writer Scott Gilbertson.

Citing World Wide Web Consortium's Web services activity lead Yves Lafon, Gilbertson explained that HTTPS does not allow caching, which translates to a slowdown in connection--a problem for sites that host videos.

HTTPS is also more expensive to implement and operate than HTTP (Hypertext Transfer Protocol), which may pose a problem for smaller sites, as the cost "can add up, if your site suddenly becomes popular", Lafon said in the blog post.

However, Sophos' Ducklin reiterated that HTTPS should be used whenever a Web session contains any personal information related to the user.

"This doesn't just include obviously secret stuff like usernames, passwords and credit card numbers, but anything which makes my browsing session different to anyone else's. For example, the contents of my e-mail message or information from my account profile," the IT veteran said.

Sites such as Facebook and Twitter that use a secret "session cookie"--sent by the server and kept by the browser, which presents it with every subsequent request until the user logs out, so that the username and password need only be entered once--must also be served over HTTPS, he warned.

Otherwise, other users on the network may be able to eavesdrop, grab the user's session cookie and then post messages or tweet as him or her--a form of hacking known as "sidejacking", he added.
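The sidejacking scenario Ducklin describes is easy to make concrete. The following is an added example written for this page, not code from the article or from any of the companies quoted: it reads a constructed plaintext HTTP request exactly as a passive sniffer on a shared network would, lifts the session cookie, builds the replayed request an attacker would send, and then audits a Set-Cookie header for the Secure attribute, which tells the browser never to send the cookie over plain HTTP in the first place. The host name social.example and the cookie values are invented for the example.

```python
# Added example (not from the article): how a session cookie leaks from
# unencrypted HTTP, how it is replayed ("sidejacking"), and how the
# Secure attribute on Set-Cookie limits the exposure.
from http.cookies import SimpleCookie

# Constructed sample: what a passive sniffer on a shared Wi-Fi network sees
# for one plaintext HTTP request (hypothetical host and cookie values).
CAPTURED_REQUEST = (
    b"GET /home HTTP/1.1\r\n"
    b"Host: social.example\r\n"
    b"Cookie: session_id=9f3c1a7d2b; theme=dark\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"\r\n"
)


def sniff_cookies(raw_request: bytes) -> dict:
    """Return the cookies a plaintext request carries, as an eavesdropper reads them."""
    head, _, _ = raw_request.partition(b"\r\n\r\n")
    cookies = {}
    for line in head.split(b"\r\n")[1:]:        # skip the request line
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"cookie":
            for pair in value.decode().split(";"):
                k, _, v = pair.strip().partition("=")
                cookies[k] = v
    return cookies


def sidejack_request(stolen: dict, path: str, host: str) -> bytes:
    """Build the request an attacker replays with the stolen cookie.

    No username or password is needed: the server only checks the cookie.
    """
    jar = "; ".join(f"{k}={v}" for k, v in stolen.items())
    return (
        f"POST {path} HTTP/1.1\r\nHost: {host}\r\nCookie: {jar}\r\n"
        f"Content-Length: 0\r\n\r\n"
    ).encode()


def audit_set_cookie(header_value: str) -> dict:
    """Check a Set-Cookie header value for the attributes that contain the damage.

    Without Secure, the browser will also attach the cookie to plain HTTP
    requests (e.g. an image loaded over http://), so it leaks even if login
    itself happened over HTTPS. HttpOnly keeps page scripts from reading it.
    """
    jar = SimpleCookie()
    jar.load(header_value)
    report = {}
    for name, morsel in jar.items():
        secure = bool(morsel["secure"])
        report[name] = {
            "secure": secure,
            "httponly": bool(morsel["httponly"]),
            "leaks_over_http": not secure,
        }
    return report


if __name__ == "__main__":
    stolen = sniff_cookies(CAPTURED_REQUEST)
    print("sniffed:", stolen)
    print(sidejack_request(stolen, "/statuses/update", "social.example").decode())
    print("weak  :", audit_set_cookie("session_id=9f3c1a7d2b"))
    print("strong:", audit_set_cookie("session_id=9f3c1a7d2b; Secure; HttpOnly"))
```

The Secure attribute only stops the browser from volunteering the cookie on plaintext requests; it does nothing for a site that still serves its logged-in pages over HTTP, which is why the experts above insist that the whole session, not just the login form, be HTTPS.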

When quizzed on how endpoint security can complement HTTPS to enable a more secure connection, Ducklin and Ng of Symantec noted that a weak endpoint infected with malware may allow an attacker to view the details of the traffic before it is encrypted.

Blue Coat's Andresen added: "HTTPS provides a multi-layer security defense for enterprises as it ensures encrypted communication of data. Endpoint security, on the other hand, might not always be able to capture real-time threats and, for example, antivirus programs can be disabled by users."

While all three experts agreed that HTTPS is already a secure Web standard, Symantec's Ng highlighted one "hole" which is still a boon to cybercriminals.

"What might be of use to a malicious cyberattacker are the names of the domains that users are visiting," he said. "Current Internet security protocols, such as TLS (Transport Layer Security) and SSL do not obscure those from view. In this sense, the use of HTTPS is somewhat limited."
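Ng's point can be checked against the bytes on the wire. The first message of a TLS connection, the ClientHello, is sent in the clear, and the Server Name Indication (SNI) extension inside it carries the host name the browser wants. The following is an added example for this page, not code from the article or from Symantec: it constructs a minimal TLS 1.2 ClientHello carrying an SNI entry (the host name social.example, the fixed random bytes and the cipher suite list are invented for the example) and then parses it the way an on-path observer would to recover the domain without any key material.

```python
# Added example (not from the article): what an eavesdropper still learns
# from an HTTPS connection. The ClientHello is plaintext and its SNI
# extension names the site being visited.
import struct

SNI_EXT = 0x0000            # extension type "server_name"
SUPPORTED_VERSIONS = 0x002B  # an unrelated extension, so the parser must skip one


def build_client_hello(hostname: str, include_sni: bool = True) -> bytes:
    """Constructed minimal TLS 1.2 ClientHello record (example data, not a capture)."""
    ext_versions = struct.pack("!HH", SUPPORTED_VERSIONS, 3) + b"\x02\x03\x03"
    extensions = ext_versions
    if include_sni:
        name = hostname.encode("idna")
        sni_entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type 0 = host_name
        sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
        extensions += struct.pack("!HH", SNI_EXT, len(sni_list)) + sni_list
    body = (
        b"\x03\x03"                                    # client_version: TLS 1.2
        + b"\x11" * 32                                 # random (fixed filler)
        + b"\x00"                                      # session_id length 0
        + struct.pack("!H", 4) + b"\x13\x01\xc0\x2f"   # two cipher suites
        + b"\x01\x00"                                  # one compression method: null
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes):
    """Return the host name from a TLS ClientHello record, or None if there is none."""
    if len(record) < 5 or record[0] != 0x16:          # not a handshake record
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if not hs or hs[0] != 0x01:                       # not a ClientHello
        return None
    p = 4                                              # handshake type + 3-byte length
    p += 2 + 32                                        # client_version + random
    sid_len = hs[p]
    p += 1 + sid_len
    cs_len = struct.unpack("!H", hs[p:p + 2])[0]
    p += 2 + cs_len
    cm_len = hs[p]
    p += 1 + cm_len
    if p + 2 > len(hs):
        return None                                    # no extensions block at all
    ext_len = struct.unpack("!H", hs[p:p + 2])[0]
    p += 2
    end = p + ext_len
    while p + 4 <= end:
        ext_type, elen = struct.unpack("!HH", hs[p:p + 4])
        p += 4
        data = hs[p:p + elen]
        p += elen
        if ext_type != SNI_EXT:
            continue
        q = 2                                          # skip server_name_list length
        while q + 3 <= len(data):
            name_type = data[q]
            nlen = struct.unpack("!H", data[q + 1:q + 3])[0]
            q += 3
            if name_type == 0:
                return data[q:q + nlen].decode("idna")
            q += nlen
    return None


if __name__ == "__main__":
    hello = build_client_hello("social.example")
    print("bytes on the wire:", hello.hex())
    print("observer learns  :", extract_sni(hello))
```

The same record, captured from any hop on the path, yields the domain regardless of how strong the cipher negotiated afterwards is; the DNS lookup that precedes the connection exposes it a second time. What the observer does not get is the path, the query string, the cookies or the page body, which is the part HTTPS is there to protect.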
