In the previous article, I presented some concepts about HTTPS. In this article, let's see if HTTPS is safe.
Is HTTPS Really Secure?
In many cases, HTTPS with the blue sign on the address bar is a sign that what we're doing will be secured. But is it secure enough? My personal opinion is not yet. HTTPS is just like you get out and lock your door. Actually, lock the door is not avoid the crooks. If someone has tried to break into your home to steal, then lock the door is useless. HTTPS is probably the same.
Is HTTPS Really Secure?
In many cases, HTTPS with the blue sign on the address bar is a sign that what we're doing will be secured. But is it secure enough? My personal opinion is not yet. HTTPS is just like you get out and lock your door. Actually, lock the door is not avoid the crooks. If someone has tried to break into your home to steal, then lock the door is useless. HTTPS is probably the same.
With server and Web app
HTTPS is a secure mechanism for transactions between users and servers. It can be said, for Web servers as well as Web applications, it has no effect in server and application security.
Application security requires a great deal of complexity, including DDoS attack, anti-XSS, CSRF, etc.
With the user
So what about the users? Does HTTPS help users encrypt data, authenticate the server or not? The answer is that there are still a lot of ways to circumvent HTTPS. There are still many different methods to break the certificate authentication system:
- Break into CA's system. As we all know, there are hundreds of CAs trusted by the browser. Attackers only need to find one of these CAs capable of intrusion is enough. And in fact, this has happened with terrible consequences.
- Breaks routers near CA or near the victim reads and falsifies incoming and outgoing DNS packets, attacks email exchanges between the victim and CA. Email encryption methods do not help in this case because STARTTLS can completely break down.
- Breaks the DNS servers are used with the CA or forged DNS packets with the victim domain. Sometimes it is quite easy.
- Attacks several other network protocols, such as TCP, to attack the victim's packets.
- Some CAs may be required by the local government to provide a malicious certificate as they have been accused. Because the CA is present in many different countries, many governments may seek to ask the CA to do so.
The above is the problem of external systems that our data can still be stolen, although HTTPS still works well. But even HTTPS itself has certain issues. For example the Heartbleed hole (heart bleeding). This vulnerability is likely to expose content contained in server memory, allowing an attacker to copy the keys. They easily decrypt the exchanged information.
And even the root certificate authentication mechanism is not completely secure. Take a look at the Man in the Middle attack:
For example, you need to go to https://www.gmail.com, but someone interferes with the exchange process between you and the server. And you are confident that, with certified certificates, you can rest assured that your secure
But you are wrong.
What really can happen is very different from your imagination:
What really can happen is very different from your imagination:
- You connect to https://www.gmail.com
- The attacker redirects your query to the server he has prepared.
- Because this server contains perfectly valid SSL certificate, your browser will not know you've connected the wrong server.
- You manipulate the fake server, all data will be read by the attacker, he can change it, and send it to the real Gmail server.
- You are completely unaware that your secure connection is completely insecure.
Why can an attacker obtain a valid SSL certificate? The attacker can take advantage of the root certificate (which is built into the browser) to generate SSL certificates for his website
In short, there are many different ways to crack HTTPS.
Web security protocols can be good enough to protect against attackers, without much time and energy. But it is still too small in a world where technology and methods of attack are growing.
Conclusion
HTTPS really only has acceptable security. If you want to be really safe on the Internet, we need more than that. HTTPS is like you are out of the house locking the door, most of us are still satisfied with the situation, but still many people are not sure and have to lock a few more layers, buy more safes to store important furniture.
No comments:
Post a Comment