Tuesday 22 May 2012

https:// Are you really protected ?

Myth: If I am using https:// enabled site, all my communication is secure and no one can intercept and understand in-between.
This is a very popular myth. As technology gets-into our lives, we start relying on it. We use internet not only on PCs and desktops but also on Tablets and Mobiles. We use it for our daily lives, for simple ordinary search to social e-gatherings, for simple email to online banking. It has become an important media for our daily mundane tasks.
As we are using it:
  • Is it really secure?
  • Can we use it without the sacrificing our privacy?
  • Can we be confident about the confidentiality of our personal information?
  • Are we really protected against e-theft?
Military and defense organizations all over the world, employs various means to secure their communications.I am writing this for the general public. For those,who are not as important as Top Military Officers but they do care about their PRIVACY:
  • For those who want their privacy be respected while online.
  • For those who want their usernames/passwords to be secret.
  • For those who are conscious about their e-transactions.
There is no doubt that https:// has become de-facto standard for secure web browsing. Its used by all security sensitive web sites. You can see it working while using gmail, hotmail, yahoo etc. It do provide a mechanism for encrypted communication between user’s browser and website.You can read more about the functionality of https in my previous article https:// what it is?
Today I’ll try to explain the scenarios when an https:// enabled communications be intercepted and understood.First of all there should be no doubt that your communication with a website can be intercepted. It can be intercepted at your local LAN, at your ISP, and at any location between you and the website. However eavesdropper(interceptor) will not be able to get anything out of it as everything is encrypted with strong enough algorithm.
Now come to the point. Then, how https:// can be insecure?I my last tutorial about functionality of https://, I have talked about the certificates. Which are used to encrypt everything between website and web browser. Now lets see how an eavesdropper can intercept and decrypt your communications:




Lets explain the steps quickly:
  1. User request a website e.g www.gmail.com
  2. Attacker is in-between, let the request go to gmail
  3. gmail respond with its certificate, attacker keep that certificate, send user his/her own certificate
  4. User browser shows a warning to accept certificate
  5. If user accept, all communication between user and attacker will be encrypted but with ATTACKER’s certificate
  6. Attacker decrypt the traffic and encrypt again with google’s certificate and forward the request to google
  7. This way attacker just encrypt and decrypt between user and google (site) which is transparent to both user and google site.
Have a question? ask!
Very soon, Next post: how to protect yourself from https:// hijacking.

No comments:

Post a Comment