HTTPS — what kind of data is not protected by default

How HTTPS can protect your data and that information is at risk.

By Pedro Tavares, Founder of CSIRT.UBI & Cyber Security Blog seguranca-informatica.pt

 

Currently, web traffic adopted a standard and widespread protocol to maintain connections through the Internet more secure — HTTPs.

In the past, secure connections (HTTP secure) were associated with financial transactions, online shopping (e-commerce), authentication/login pages, and so on.

At that time, web designers argued that there was no need to overload a TCP connection with encryption when “information exchanged” consisted only of an HTML-based page without sensitive information embedded.

As websites became more functional, dynamic, and complex, this reality has changed rapidly. Users want their financial data protected, but also other things need to be kept as confidential. Things like, for example, what they write in a social network post, the content sent through an email, among other normal things that a user does on the Internet.

Today, we have more websites with HTTPS. This change has been so fast, that Google marked all HTTP websites as unsafe in July 2018.

Coming back to 2014, in the I/O conference, the HTTPs protocol was referred to as a new priority for all sorts of traffic circulating on the Internet. Immediate action was taken the following year by Google. The company started to rate all kind of HTTP search results from queries via its search engine (google.com).

A year later, websites that had unsafe authentication modules, or payment information via credit cards through the HTTP protocol, would be “identified” as not secure.

Google confirmed that with the launch of Chrome 68, all websites that do not use HTTPs would be identified as “not secure”.

What protected in an HTTPS connection?

HTTPS is just HTTP over SSL (or today, TLS). In detail: HTTP + Secure results in HTTPS.

TCP/IP is a reductive OSI mapping for modern networks, where the seven original layers are reduced to four.

HTTPS — what kind of data is not protected by default

The four-layer TCP/IP model has the lowest layer called the Network Interface, where protocols such as Ethernet are executed.

From the figure above, there is a layer called Network. Here, operating protocols such as ARP, ICMP (ping), and Internet Protocol (IP). The model is composed of the Transport layer (TCP and UDP) and finally the Application layer, the one with which we interact every day! In addition, HTTP and HTTPs work here.

In HTTPS protocol, TLS runs just below HTTP, and all HTTP communications are thus encrypted. These communications are e.g., URLs, cookies, web content, attributes — basically, everything.

But it is important to realize that everything below the TCP/IP application layer is not encrypted. For example, server ports, IP addresses, Ethernet addresses, i.e., any type of information required in a connection between two or more hosts.

HTTPS protocol only encrypts the entire contents of an HTTP request (messages, cookies, the body of a web page) — information exchanged between a user’s computer (client) and, e.g., a social network platform (the server).

Traffic is encrypted end-to-end, allowing privacy and confidentiality by default. But what prevents someone from claiming to be Facebook and steal user data, for example, in a cyber-cafe wireless network? — The answer is the certificate.

HTTPs can be used in two modes: simple and mutual

Most often it is used in simple mode, where the server only authenticates the client. For this, the client must have a certificate and that is used to validate the server certificate.

These certificates are provided to all Internet browsers and signed by Certificate Authorities (CA). When a connection is established with the server, the server provides its certificate and the client validates whether the server’s certificate is valid. To this end, the client relies on the CA-signed certificate.

What kind of data is not protected?

HTTPS allows you to validate whether a client is “talking” to who they think they are and “hides” the content of the conversation.

However, it does not hide the following data:

  • The number of times a conversation occurs
  • With whom one talks (with which website communication was established – Facebook, Gmail, etc.)
  • How often do you keep in touch
  • The ability to estimate the size of the message sent
  • The destination server port
  • The IP address (client and server)
  • Your location (Portugal, USA, etc)

About the Author

HTTPS — what kind of data is not protected by defaultPedro Tavares is a cybersecurity professional and a founding member and Pentester of CSIRT.UBI and the founder of seguranca-informatica.pt.In recent years he has invested in the field of information security, exploring and analyzing a wide range of topics, such as pentesting (Kali Linux), malware, hacking, cybersecurity, IoT and security in computer networks.  He is also a Freelance Writer.Segurança Informática blog: www.seguranca-informatica.pt
LinkedIn: https://www.linkedin.com/in/sirpedrotavares
Contact me: [email protected]

April 7, 2019

cyber defense awardsWe are in our 11th year, and Global InfoSec Awards are incredibly well received – helping build buzz, customer awareness, sales and marketing growth opportunities, investment opportunities and so much more.
Cyber Defense Awards

12th Anniversary Global InfoSec Awards for 2024 are now Open! Take advantage of co-marketing packages and enter today!

X