
I see many websites that do not implement SSL either when logging in or at all. I know that you can simply sniff traffic on those sites and therefore see the user/pass in plaintext but what other vulnerabilities are there?

Most of the insecure sites are obscure sites that probably do not have much traffic and to my knowledge, in order to sniff someone's password the attacker would have to be sniffing that network (eg a cafe) when the user logs in. I personally find that unlikely and so I'm wondering how severe is this vulnerability these days?

user118923

2 Answers


SSL/TLS provides confidentiality, integrity and trust. Trust being the most important one, giving the client assurance they are really communicating with the person they thought they were. In case of SSL/TLS, without trust there is no point in encrypting data. Anyone can pass itself off as the intended party, and you wouldn't be able to verify this.

The other way around doesn't work either, and allows for an attacker to listen in and change the data. The internet is just a bunch of networks connected to each other, and because you can only protect your LAN at best, we consider the internet to be an insecure channel. Network interception is no science fiction, and happens on a large scale (your ISP, telecom provider, governments, etc.) without targeting you specifically.

I personally find that unlikely and so I'm wondering how severe is this vulnerability these days?

The opposite is true. In the last few years demand for secure communications has never been this high, and this is no paranoia. You really should care about SSL/TLS, and use them whenever possible. Anything that sends personal data back and forth should use SSL/TLS, although this isn't the case by far, unfortunately. But, if you are going to set up an SSL/TLS secure environment, do it the right way. It has been argued that wrong SSL deployments can cause more harm than good. In information security there is no such thing as doing it half.

Yorick de Wid

If the site is not encrypted, an active attacker who is Man-In-The-Middling the connection (which is relatively simple to do on public wifi) can just strip the login cookies from your request, so that the user thinks that, for some reason, they have been logged out of the site. The user will then almost certainly log back in, allowing the attacker to capture the username and password. Because password reuse is so common, for many people this would also give the attacker access to their accounts on other websites, some of which may be more valuable to the attacker.

Even if the user doesn't log into the website while it is being monitored, their session cookies will still be transmitted in plaintext, which would allow the attacker to simply set those cookies in their own browser, and they would be logged into your website. Firesheep is a tool that allows you to do this easily. This doesn't give the attacker access to the user's password, but they still have full access to the account.

In terms of other issues that would arise from not using HTTPS, it depends on the website. The attacker is able to modify all traffic to and from the server, so an attacker could take advantage of the trust that the user has in your site to make them reveal more information or to download malware. The attacker could also inject exploits into the page to attack the user's browser or other software on their computer.

Secure connections also protect against ISPs intercepting and modifying traffic - Comcast injects ads into websites, and AT&T tracks users' browsing habits.

Aside from security, using HTTPS also allows you to use additional browser features that are not available over HTTP:

  • In all browsers, HTTP/2 is only available over an encrypted connection, and it can have considerable performance benefits compared to HTTP/1.1.
  • In all browsers, Web Workers (background scripts that allow you to provide an experience closer to a native app (offline support, push notifications etc)) are only available if the page was loaded over HTTPS.
  • In Chrome, the Geolocation API has now been removed for insecure sites, and other browsers are likely to follow.
  • In all browsers, certain new features that are considered sensitive, such as certain hardware capabilities, will only be available on pages loaded over HTTPS.

Even if your site wouldn't benefit from any of those features (though not benefiting from the speed of HTTP/2 is a hard case to argue IMO), implementing HTTPS is free using a service such as Let's Encrypt, and isn't too hard to set up (there are lots of guides online), so there isn't much reason not to use it.

JackW
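The cookie-stripping and Firesheep scenarios in the answer above come down to a few response-header properties a site operator can check for. The following audit script is an added example written for this page; it is not code from the answer, from Firesheep, or from any project it mentions. It takes a captured set of response headers (the samples below are constructed, including the hostname example.test) and reports which of the plaintext-session risks described in the answer apply: plain HTTP served without a redirect to HTTPS, a session cookie without the Secure attribute (sent in the clear and replayable), a cookie without HttpOnly (readable by script injected into an unencrypted page), and an HTTPS response without Strict-Transport-Security (so a later plain-HTTP request can still leak the cookie).

```python
"""Audit HTTP response headers for plaintext-session risks.

Added example for this page, not the answer's own code. The Response
samples at the bottom are constructed; no network access is performed.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Response:
    scheme: str                        # "http" or "https", the scheme the page was served on
    status: int                        # HTTP status code
    headers: List[Tuple[str, str]]     # (name, value) pairs; Set-Cookie may repeat


def parse_set_cookie(value: str) -> Tuple[str, Dict[str, str]]:
    """Split a Set-Cookie value into the cookie name and a lowercase attribute map.

    'sid=abc; Path=/; Secure; HttpOnly' -> ('sid', {'path': '/', 'secure': '', 'httponly': ''})
    """
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs: Dict[str, str] = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs


def audit(resp: Response) -> List[Tuple[str, str]]:
    """Return (finding-code, explanation) pairs for one response."""
    findings: List[Tuple[str, str]] = []
    hdrs = [(k.lower(), v) for k, v in resp.headers]

    if resp.scheme == "http":
        location = next((v for k, v in hdrs if k == "location"), "")
        redirects_to_https = 300 <= resp.status < 400 and location.startswith("https://")
        if not redirects_to_https:
            findings.append(("http-no-redirect",
                             "page served over plain HTTP without redirecting to HTTPS; "
                             "credentials and cookies are readable on the network path"))
    else:
        if not any(k == "strict-transport-security" for k, _ in hdrs):
            findings.append(("missing-hsts",
                             "no Strict-Transport-Security header; a future plain-HTTP "
                             "request can still carry the cookie in the clear"))

    for k, v in hdrs:
        if k != "set-cookie":
            continue
        name, attrs = parse_set_cookie(v)
        if "secure" not in attrs:
            findings.append(("cookie-not-secure",
                             f"cookie {name!r} lacks Secure: it is sent over plain HTTP "
                             "and can be captured and replayed"))
        if "httponly" not in attrs:
            findings.append(("cookie-not-httponly",
                             f"cookie {name!r} lacks HttpOnly: script injected into an "
                             "unencrypted page can read it"))
    return findings


# Constructed samples (hostname and cookie values are made up for illustration).
SAMPLE_HTTP_LOGIN = Response("http", 200, [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "session=abc123; Path=/; HttpOnly"),
])
SAMPLE_HTTP_REDIRECT = Response("http", 301, [
    ("Location", "https://example.test/login"),
])
SAMPLE_HTTPS_WEAK = Response("https", 200, [
    ("Set-Cookie", "session=abc123; Path=/"),
])
SAMPLE_HTTPS_HARDENED = Response("https", 200, [
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
])

if __name__ == "__main__":
    for label, resp in [("http login", SAMPLE_HTTP_LOGIN),
                        ("http redirect", SAMPLE_HTTP_REDIRECT),
                        ("https weak", SAMPLE_HTTPS_WEAK),
                        ("https hardened", SAMPLE_HTTPS_HARDENED)]:
        print(f"== {label}")
        for code, why in audit(resp) or [("ok", "no plaintext-session findings")]:
            print(f"  {code}: {why}")
```

The hardened sample shows the combination that closes the gaps the answer describes: the login page is only reachable over HTTPS, the browser is told via HSTS never to send a plain-HTTP request to the host again, and the session cookie is marked Secure so it is never transmitted in the clear even if a plain-HTTP link is followed. Run the script against headers captured from your own site (for example from curl -I) to see which findings still apply.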