Despite indicators that surveillance and Web attacks are becoming more sophisticated than ever before, many domains and mobile applications are still low-hanging fruit for cybercriminals. While organizations in sectors such as e-commerce have been diligent about defaulting to HTTPS and maintaining up-to-date SSL certificates, numerous Global 2000 companies have come up short when it comes to ensuring secure, encrypted transmission of user data.
Now that major social networks Facebook and Twitter have switched to HTTPS-by-default and Google and Microsoft have both rolled out encrypted search, the time seems right for all sites and applications to move to HTTPS. Furthermore, recent incidents such as the exposure of plaintext credentials in Starbucks’ massively popular mobile application should provide the impetus for everyone to raise the bar for Web and mobile security.
Still, there is a debate about the transition from an HTTP to an HTTPS Web. For starters, the shift to HTTPS, as Google and Microsoft have proven, is a major change for content providers and domain owners that have for years relied on unencrypted search keyword data to monetize and improve their portals. Organizations also have to consider the upkeep of blended HTTP/HTTPS sites, which can be tricky to maintain.
Ultimately, always-on SSL and HTTPS remain two of the best tools for shielding consumers from surveillance, identity theft and data loss. With many examples to follow, developers, businesses and the security community should push for HTTPS across the Web. While there are still performance gaps between HTTP and HTTPS that could discourage some from making the switch, these disparities can be addressed and are not worth putting user data at risk.
HP study finds HTTPS adoption strong in e-commerce, weak almost everywhere else
A study from HP Security Research found that 18 percent of Global 2000 companies still transmit usernames and passwords via HTTP rather than HTTPS. Rather than a stunning anomaly, this state of affairs is indicative of deep-seated vulnerabilities in mobile software, the vast majority of which are at risk from common exploits, with the ante upped by these applications’ routine retrieval of private, on-device data sources. Even for the applications that had implemented HTTPS/SSL, many had not set it up properly.
But all is not lost. A separate study from a Swiss security vendor discovered that 98 of the top 100 e-commerce sites had SSL certificates, even if only two of them used HTTPS-by-default for consistent data encryption. HTTPS/SSL is usually implemented unevenly, being most commonly used for payment and sign-on pages, but often missing from search queries or mixed in with non-SSL content.
In understanding why so many sites have struggled with HTTPS/SSL, it’s important to note that HTTPS still has a reputation for slower performance than HTTP, despite years of improvement. Facebook, Twitter, Google and Microsoft have implemented HTTPS for services used by hundreds of millions of users, but the slower progress of companies such as Yahoo, which only recently began rolling out always-on HTTPS to its webmail users, illustrates that significant work still needs to be done. Some of these belated HTTPS implementations lack Perfect Forward Secrecy, meaning that sessions captured today could still be vulnerable down the road if the encryption key were discovered.
The move toward HTTPS across the Web
With some service providers behind schedule in implementing HTTPS, initiatives have sprung up to make it easier for users to stay safe online. The Electronic Front Foundation’s HTTPS Everywhere browser extension forces always-on HTTPS on sites that feature encryption only as an opt-in feature. Such a setup once existed on Facebook and still exists for some Yahoo users as of January 2014).
Search engines have also been at the forefront of keeping users safe as they move from site to site. Google began encrypting all keywords last year, and Bing followed suite this January. This move makes it more difficult for HTTP sites to get referral data, since search terms cannot be passed between encrypted and unencrypted domains. With Bing, it’s currently possible to get the data back if the receiver site upgrades to HTTPS, but this doesn’t work with Google and has caused some hand-wringing about the loss of valuable keyword data to HTTPS.
While Bing’s compliance with HTTPS-to-HTTPS transmission creates a win-win for marketers, who can hold on to data while improving security in the process, it’s unclear what long-term impact ubiquitous encryption could have on Internet economics. For the moment, however, moving to HTTPS is the right move for websites and applications in light of the current threat environment.
“All sites and mobile apps must recognize the importance of securing the data transmitted between users and their sites,” stated Online Trust Alliance executive director Craig Spiezle. “Banking, social, government and e-commerce share this responsibility to implement these best practices to better protect consumers from harm. Always-on SSL and HTTPS are effective measures to enhance the security and privacy of users.”
Starbucks mobile application flaw illustrates need for more seriousness about encryption
Spiezle’s words are worth taking to heart, especially since recent incidents have illustrated what happens when sites and applications forego encryption and leave the door open for intrusion. Starbucks’ iOS/Android/BlackBerry app, which as of July 2013 accounted for the majority of all mobile payments in North America, was recently observed transmitting user credentials in plaintext.
The app is notable not just for its success, but for how it requires users to enter their passwords only during initial setup and when adding extra money to a saved card. The price of this convenience, however, is that app stores usernames and password in unencrypted form. Although no users have admitted that they were hacked, the vulnerability is worth keeping an eye on because of the app’s large install base and how it underscores broader shortcomings in keeping online services secure.
The silver lining for organizations that handle sensitive data is that there are plenty of success stories of HTTPS/SSL being implemented at scale. App developers and site owners should look at e-commerce portals, search engines and social networks as they build up their defenses, while keeping in mind the stakes of protecting data.