Home
Internet
Internet News
HTTPS Vulnerabilities Could Allow Attackers to Snoop on Your Data: Researchers

HTTPS Vulnerabilities Could Allow Attackers to Snoop on Your Data: Researchers

By Harpreet Singh | Updated: 29 March 2019 14:03 IST

Security researchers have found HTTPS vulnerabilities amongst top 10,000 websites on the Internet

Highlights

Security researchers have found HTTPS flaws in some of the top websites
Most of these flaws still remain undetected
Some flaws are minor while others have allow attackers to manipulate data

That little green padlock that appears on your browser's address bar looks reassuring. It means the website you're currently visiting uses HTTPS (Hypertext Transfer Protocol Secure) for a secure connection. HTTPS protects you against man-in-the-middle attacks, that ensures no one can see your passwords, search history, and other sensitive content. Almost all popular websites now use HTTPS to encrypt the data between your web browser and web servers it communicates with.

However, new research claims some websites using HTTPS are still leaving their connections exposed. Researchers at Ca' Foscari University of Venice in Italy and Tu Wien in Austria have analysed the top 10,000 websites that use HTTPS and found that nearly 5.5 percent of these are vulnerable to TLS (Transport Layer Security) exploits.

The communication protocol in HTTPS is encrypted using Transport Layer Security (TLS), previously known as Secure Sockets Layer (SSL). Researchers claim that the flaws they've discovered are a result of issues that crop up depending on how websites implement TLS encryption schemes. These websites may have also failed to patch known buds in TLS and SSL.

But when you're visiting such a website, the shiny green padlock will still appear on your browser's address bar. That's how subtle these flaws can be, they're hard to detect. These flaws normally go unnoticed, claim the security researchers who discovered them.

The flaws were discovered by using TLS analysis techniques to crawl and analyze the top 10,000 sites for TLS issues. The researchers picked up these websites from Alexa's ranking of top websites on the Internet.

These security flaws could potentially allow a malicious attacker to decrypt small information such as session cookies, but wouldn't be much useful in extracting something as sensitive as a password.

But there are some more 'leaky' flaws that could potentially allow attackers to decrypt almost all of the Web traffic passing between a browser and a Web server, according to the research paper.

Then there are 'tainted' vulnerabilities that could potentially enable attackers to decrypt and manipulate data being transferred between a browser and a web server. These man-in-the-middle attacks are exactly the reason why HTTPS was put into place.

Researchers claim that all the top 10,000 websites that were tested also include around 91,000 related domains. HTTPS vulnerabilities in these websites could increase the overall number of affected sites.

Vulnerabilities discovered that 898 websites, from the 10,000 total websites they tested, were fully compromisable while 977 websites presented low integrity pages. The full research paper will be presented at the 40th IEEE Symposium on Security and Privacy at San Francisco in May this year.

Comments

For the latest tech news and reviews, follow Gadgets 360 on X, Facebook, WhatsApp, Threads and Google News. For the latest videos on gadgets and tech, subscribe to our YouTube channel. If you want to know everything about top influencers, follow our in-house Who'sThat360 on Instagram and YouTube.

Further reading: HTTPS

Harpreet Singh

Email Harpreet

Harpreet is the community manager at Gadgets 360. He loves all things tech, and can be found hunting for good deals when he is not shopping online. He has written about deals and e-commerce in India for many years, as well as covering social media and breaking technology news. More