SecPoint Logo

Faulty HTTPS risking users security

Although HTTPS is a widely used security standard in e-commerce websites, a report shows that a number of companies implementing HTTPS have been doing it improperly and are jeopardizing confidential customer information such as credit card numbers.

 

Many users have understood that sites running on HTTPS protocol are generally secure, but First Base Technology finds that many sites use HTTPS improperly and bypasses any benefits of encryption.

According to Peter Wood, chief of operations at First Base, many sites do not flag session cookies being used by the HTTPS protocol as secure.

This may allow hackers to exploit these unsecured cookies used to manage secure sessions on the web server.

 

Broken HTTPS setting users at risk

Traditionally, cookies are used by services as a “pass” that uniquely identify each session or transaction with a certain user instead of using usernames and passwords every time a user access a certain site.

This allows hassle-free verification where the server can remember a user’s computer using the cookie, sometimes even after reopening the browser window.

However, if these session cookies are not tagged as “secure” they are simply transmitted as a stream of text characters instead of being encrypted, which hackers can intercept and use.

While an ordinary HTTPS session may not see this as a problem, many sites implement ordinary HTTP and also support multiple browser sessions in their online services.

With an intercepted session cookie, hackers can exploit these lapses in security and pretend to be a legitimate user.

 

Wood also warned that these kinds of lapses in security can jeopardize even strong security measures such as RSA SecureID.

Even after using this RSA service to generate cookies, if the cookies themselves are not marked secure then a hacker can merely pick it up as it is transmitted and gain access to a wide range of system applications, depending on the design and security level of the cookie.

Or worse, using data obtained from the cookies, a hacker may be able to reverse engineer a cookie generator from the data embedded in the cookie and create his or her own cookies to freely access system resources.