Research teams at Ca’ Foscari University of Venice and Tu Wien in Austria have discovered security vulnerabilities in the TLS browser encryption defence system of 5.5% of 10,000 HTTPS sites which could leave website visitors vulnerable to attack.
What Is TLS?
Transport Layer Security (TLS) is one of the two security protocols (the other is SSL) used in HTTPS to encrypt the data between your browser and the web servers it communicates with. The visual symbol on a browser that this secure connection is place is a green padlock symbol.
HTTPS should secure communication over the Web by providing a cryptographic protection layer that protects the confidentiality and integrity of communication and enables client/server authentication.
The recent research carried out on top ranking HTTPs sites (ranked by Amazon’s Alexa analytics company) uncovered a number of potentially exploitable TLS vulnerabilities in 5,574 hosts that could be broadly grouped into 3 risk categories:
- 4,818 were found to be vulnerable to ‘man-in-the-middle’ attack (MITM). As the name suggests, this kind of attack involves a third party being able to intercept and tamper with communications – in this case between the web server and the user’s browser.
- 733 were found to be vulnerable to full decryption. In this case, hackers could decrypt all the traffic passing through them.
- 912 were found to be vulnerable to partial decryption.
More detail of the vulnerabilities identified include:
- 898 websites classed as fully compromisable, including e-commerce sites, e-banking services and other major websites.
- 10% of login forms having confidentiality issues.
- 412 websites possibly subject to cookie theft and exposing to session hijacking, with 543 websites subject to cookie integrity attacks.
Green Padlock Still Showing
The vulnerabilities identified by the researchers were present even though the green padlock symbol was still showing on the browser. This indicates that the vulnerabilities are not fixed, not even noticed by the browser’s defence layer, and are not pointed out on the user side
The vulnerabilities are thought to be caused by a combination of issues in how each site’s TLS encryption schemes have been implemented and a failure to patch any known bugs. Most of the issues are, therefore, due to external or related-domain hosts.
What Does This Mean For Your Business?
For many businesses, buying a HTTPS certificate for their website was a trusted way to help ensure security, particularly with the introduction of GDPR. This research, however, shows that even this system has holes in it, and it is particularly worrying for businesses (and as general web users) that, for example, 898 HTTPS websites were found to be fully compromisable.
The researchers have demonstrated how a relatively limited number of exploitable HTTPS vulnerabilities can be amplified by the complexity of the web ecosystem, and how the security of many so-called secure websites with encrypted connections can be severely harmed by cryptographic weaknesses, many of which are due to external or related-domain hosts.
This story also highlights the importance of keeping up to date with software patches and fixes.