The limitations and possible risks of secure https Web transmission.

Topic

New Reply

[OscarCP]

Perhaps this has been discussed already at length in some other, earlier thread, but I do not recall seeing this before, so here it goes:

As it happens, it is possible for black hats, using the appropriate tools of their trade, to snoop on the usually secure https communications (being encrypted by default and only enabled with sites that have certificates issued from a valid source and also current) between user and sensitive places such a bank account, to gather information on what the user does at such sites, even if the contents of the communications remain inaccessible thanks to the encryption. (A very similar kind of snooping, I remember, was discussed last year in relation to something else: VPN of the type User->ISP -> VPN server -> Web server of destination, now with a false sender address.)

The snooper could gather such information as the IP address and port number of the web servers accessed by the user, and sometimes even the Web site domain name the user is communicating with, along with the amount of data transferred and the duration of the communication. This will reveal to the snooper a few telling things, for example that the user is frequently in touch with someone or some organization, and this alone might be enough to reveal more than is safe about the user’s life and business:

This is what the vulnerability of https communications is, according to this detailed Wikipedia article on https:

https://en.wikipedia.org/wiki/HTTPS

First, what is https:

“Hypertext Transfer Protocol Secure (HTTPS) is an extension of the Hypertext Transfer Protocol (HTTP). It is used for secure communication over a computer network, and is widely used on the Internet. In HTTPS, the communication protocol is encrypted using Transport Layer Security (TLS) or, formerly, Secure Sockets Layer (SSL). The protocol is therefore also referred to as HTTP over TLS, or HTTP over SSL.

The principal motivations for HTTPS are authentication of the accessed website, and protection of the privacy and integrity of the exchanged data while in transit. It protects against man-in-the-middle attacks, and the bidirectional encryption of communications between a client and server protects the communications against eavesdropping and tampering. The authentication aspect of HTTPS requires a trusted third party to sign server-side digital certificates.”

But on the server (Web site) side:

“… In practice this means that even on a correctly configured web server, eavesdroppers can infer the IP address and port number of the web server, and sometimes even the domain name (e.g. http://www.example.org, but not the rest of the URL) that a user is communicating with, along with the amount of data transferred and the duration of the communication, though not the content of the communication.”

“Web browsers know how to trust HTTPS websites based on certificate authorities that come pre-installed in their software. Certificate authorities are in this way being trusted by web browser creators to provide valid certificates. Therefore, a user should trust an HTTPS connection to a website if and only if all of the following are true:

The user trusts that the device hosting the browser and the method to get the browser itself, is not compromised (i.e., a supply chain attack)
The user trusts that the browser software correctly implements HTTPS with correctly pre-installed certificate authorities.
The user trusts the certificate authority to vouch only for legitimate websites. (i.e., the certificate authority is not compromised and there is no mis-issuance of certificates.)
The website provides a valid certificate, which means it was signed by a trusted authority.
The certificate correctly identifies the website (e.g., when the browser visits “https://example.com”, the received certificate is properly for “example.com” and not some other entity).
The user trusts that the protocol’s encryption layer (SSL/TLS) is sufficiently secure against eavesdroppers.”

So maybe one should keep the above in mind when doing something private on the Web that better stays private. From shopping on line to … dating online?

Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).

MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV

• This topic was modified 2 years, 11 months ago by OscarCP.
• This topic was modified 2 years, 11 months ago by OscarCP.
• This topic was modified 2 years, 11 months ago by OscarCP.
• This topic was modified 2 years, 11 months ago by OscarCP.

Reply | Quote

Replies

Cloudflare mitigates 26 million request per second DDoS attack

Last week, Cloudflare automatically detected and mitigated a 26 million request per second DDoS attack — the largest HTTPS DDoS attack on record.

The attack targeted a customer website using Cloudflare’s Free plan. Similar to the previous 15M rps attack, this attack also originated mostly from Cloud Service Providers as opposed to Residential Internet Service Providers, indicating the use of hijacked virtual machines and powerful servers to generate the attack — as opposed to much weaker Internet of Things (IoT) devices…

Reply | Quote

Alex: So this article you are providing the URL link to is about a second vulnerability of https?

Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).

MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV

Reply | Quote

No.

1 user thanked author for this post.

Alex5723

Reply | Quote

So, Alex, why have you posted this comment? I would be thankful for a getting bit more explanatory replays.

Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).

MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV

Reply | Quote

OscarCP wrote:

why have you posted this comment?

Just to add that HTTPS isn’t ‘fix them all solution’ for security.

Reply | Quote

OscarCP wrote:

it is possible for black hats, using the appropriate tools of their trade, to snoop on the usually secure https communications

This is not possible unless the web site / ISP / your machine has been compromised and that is a much bigger issue than inferring some data.

Please stop posting FUD inducing comment unless you have rock solid proof of such compromise affecting users.

cheers, Paul

Reply | Quote

Is this addressed to me? Paul T: “Please stop posting FUD inducing comment unless you have rock solid proof of such compromise affecting users.”

If it is addressed to me (as it seems to be): that quote of me given in the comment I am answering now was not about https encrypted access to Websites being compromised because of some flaw in https, but of it being snooped, something totally different. For my part, I have had nothing to add to my opening comment, several days ago. My only other entries here are about a question I had for Alex.

If one reads that initial comment, it was about the plain fact that https, while offering a good protection, cannot give a complete assurance of the secure use of the Internet, because of the potential for cybercriminals, not to break into the https-encrypted  browser <-> Web site  traffic, but to snoop on this traffic to gain some valuable information, not on the contents of the traffic, but with which Web site and how often, etc. it took place, something done somewhere along the line from browser to destination Web site. As explained in the Wikipedia article I provided the URL link to. (Wikipedia, as far as I know, is not a site teeming with scary, phony information.)

I was curious to know what people made of all that.

Please notice also that I posted this thread in “The Junk Drawer”, for things that belong nowhere in particular, not in “Code Red”, where one is supposed to rise the alarm on actual threats. So no “FUD” comment here, at least from me. If the remark was directed at me. (As it seems to  have been.)

Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).

MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV

Reply | Quote

The information that you mention that the bad guys have access to, per the article you quote (and is even mentioned in your quote) is the website you’re connected to (the domain name), the port you’re connected to (most likely post 443 because that’s the default port used by the https protocol), the amount of data that was sent over the connection and the length of your connection.

Per the article, and the quote in your initial post, they DO NOT have access to the actual information that was transmitted over that connection:

…though not the content of the communication.”

I added the bolding to the quote. That is from the last sentence of the third quoted paragraph in italics, the one where you begin by saying “But on the server (Web site) side:”.

As Paul T stated above, the bad guys might be able to get into your machine, the web site you’re connected to or even your ISP, but if they do, that’s a very different ball of wax/much bigger thing to worry about. At least that’s how I read his statement.

 

1 user thanked author for this post.

Paul T

Reply | Quote

Bob99: “Per the article, and the quote in your initial post, they DO NOT have access to the actual information that was transmitted over that connection”

I am not clear if you are presenting what you understand is going on here, or if you are being critical.

Just in case:

I made that very point already in my original comment at the very start of this thread.

Written by me and submitted on June 14, past midnight, using my own keyboard and my very own Mac text editor:

“The snooper could gather such information as the IP address and port number of the web servers accessed by the user, and sometimes even the Web site domain name the user is communicating with, along with the amount of data transferred and the duration of the communication. This will reveal to the snooper a few telling things, for example that the user is frequently in touch with someone or some organization, and this alone might be enough to reveal more than is safe about the user’s life and business”

And I put further explanation on this in the excerpts I copied from the relevant Wikipedia article that I gave a link to.

(One wished people read what one wrote, but … Oh, well.)

Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).

MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV

Reply | Quote

Bob99 wrote:

…though not the content of the communication.”

Yes if you setup a MITM proxy (like in a free wi-fi café) running Fiddler2.

https://debugtheweb.com/fiddler2/

Introducing Fiddler

What is Fiddler?

Fiddler is a Web Debugging Proxy which logs all HTTP(S) traffic between your computer and the Internet. Fiddler allows you to inspect traffic, set breakpoints, and “fiddle” with incoming or outgoing data. Fiddler includes a powerful event-based scripting subsystem, and can be extended using any .NET language.

Fiddler is freeware and can debug traffic from virtually any application that supports a proxy, including Internet Explorer, Google Chrome, Apple Safari, Mozilla Firefox, Opera, and thousands more. You can also debug traffic from popular devices like Windows Phone, iPod/iPad, and others…

1 user thanked author for this post.

windbg

Reply | Quote

Fiddler is useless if you use https (https is encrypted between your computer and the web site).

Free public wifi should never be trusted. If you need to work on these sites regularly, pay for a VPN.
As a one off to check email you should be OK, if you use a secure mail protocol.

cheers, Paul

Reply | Quote

Paul T wrote:

Fiddler is useless if you use https (https is encrypted between your computer and the web site).

Not immune to Fiddler2

Alex5723 wrote:

which logs all HTTP(S)

and creates its own credentials.

Reply | Quote

Logging https is not the same as reading the data.

cheers, Paul

Reply | Quote