The HTTPS abbreviation that appears before the URL of a website means the website uses Hypertext Transfer Protocol Secure for a secure connection. HTTPS protects passwords, search history, and other sensitive content in transit. All the major websites nowadays use HTTPS to encrypt data between the web browser and the web servers it connects to.
Nevertheless, according to a new report, some of the websites that use HTTPS are still leaving their data exposed. The top 10,000 websites that use HTTPS were tested by researchers at Ca’ Foscari University of Venice in Italy and TU Wien in Austria, and the results show that around 5.5 percent of these websites are vulnerable to TLS (Transport Layer Security) exploits.
Transport Layer Security is a cryptographic protocol designed to provide communications security over a computer network. TLS was previously known as Secure Sockets Layer (SSL) and provides the encryption layer of HTTPS. The researchers claim that the vulnerabilities found can be traced back to how TLS was implemented on each website; these websites are also said to have failed to patch known bugs in TLS and SSL.
However, these flaws are so subtle and hard to detect that visiting such a vulnerable website still shows the shiny green padlock, leaving users confident that the site is secure. These flaws normally go unnoticed and unaddressed, claims the security researcher who found them.
The 10,000 websites were tested using a TLS analysis technique and were selected according to Amazon Alexa’s ranking of the top websites on the internet.
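The article does not describe the analysis technique itself, so the following is an added example, not code from the paper or this article: a small audit of a client-side TLS configuration, in the spirit of checking for the unpatched legacy settings the article mentions. It uses only Python's standard `ssl` module; the function names (`audit_tls_settings`, `audit_context`, `weak_client_context`, `hardened_client_context`) and the list of weak-cipher markers are this example's own assumptions, and the checks are generic TLS hygiene (deprecated protocol versions, obsolete primitives, no forward secrecy), not the researchers' methodology.

```python
import ssl

# Protocol floors that still admit deprecated versions (SSLv3, TLS 1.0, TLS 1.1)
# or that leave the floor to whatever the OpenSSL build happens to allow.
LEGACY_VERSIONS = {
    ssl.TLSVersion.SSLv3,
    ssl.TLSVersion.TLSv1,
    ssl.TLSVersion.TLSv1_1,
    ssl.TLSVersion.MINIMUM_SUPPORTED,
}

# Substrings of OpenSSL cipher-suite names that indicate broken or obsolete
# primitives (RC4, single/triple DES, NULL encryption, export grades, MD5 MACs)
# or anonymous key exchange with no authentication (ADH, AECDH).
# This marker list is an assumption of the example, not an exhaustive policy.
WEAK_MARKERS = ("RC4", "DES", "NULL", "EXP", "MD5", "ADH", "AECDH")


def forward_secret(name):
    """TLS 1.3 suites (TLS_*) always use ephemeral (EC)DH; for TLS 1.2 suites the
    OpenSSL name carries the key exchange, so anything not starting with
    ECDHE-/DHE- uses static RSA key exchange and offers no forward secrecy."""
    return name.startswith(("TLS_", "ECDHE-", "DHE-"))


def audit_tls_settings(min_version, cipher_names):
    """Pure check: return a list of human-readable findings (empty means clean)."""
    findings = []
    if min_version in LEGACY_VERSIONS:
        findings.append(f"legacy protocol floor: minimum_version={min_version.name}")
    for name in cipher_names:
        if any(marker in name for marker in WEAK_MARKERS):
            findings.append(f"weak cipher: {name}")
        elif not forward_secret(name):
            findings.append(f"no forward secrecy: {name}")
    return findings


def audit_context(ctx):
    """Run the audit against a live ssl.SSLContext (its floor and enabled suites)."""
    return audit_tls_settings(ctx.minimum_version, [c["name"] for c in ctx.get_ciphers()])


def weak_client_context():
    """Constructed 'before' configuration: floor lowered to TLS 1.0, default suites."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1
    return ctx


def hardened_client_context():
    """Constructed 'after' configuration: TLS 1.2+ and only AEAD, forward-secret suites."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(
        "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
        "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
        "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256"
    )
    return ctx


if __name__ == "__main__":
    for label, ctx in (("weak", weak_client_context()), ("hardened", hardened_client_context())):
        findings = audit_context(ctx)
        print(f"[{label}] {len(findings)} finding(s)")
        for f in findings:
            print("   ", f)
```

Run it as a script to compare the two contexts; the same `audit_context` call can be pointed at any context an application actually uses (for example the one passed to `urllib` or an HTTP client), which is the practical use of a check like this.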
Attackers can exploit this vulnerability to decrypt small pieces of information such as session cookies; extracting sensitive information such as passwords, however, would not be possible through this flaw. There are other, ‘leaky’ flaws that could enable miscreants to obtain sensitive information by decrypting web traffic between the browser and a web server, according to the researchers.
Then there are ‘tainted’ flaws that could potentially allow attackers to manipulate the data being transferred between a web browser and a web server. Such attacks are called man-in-the-middle attacks, and they are exactly what HTTPS was introduced to prevent in the first place.
The researchers say that the 10,000 websites selected for testing also have around 91,000 related domains. HTTPS vulnerabilities in these could extend the risk to more websites.
Among the 10,000 websites, 898 were fully compromisable, while 977 were found to present themselves as low-integrity pages, according to the research paper. The full paper is to be presented at the 40th IEEE Symposium on Security and Privacy in San Francisco in May this year.