31 March 2019

HTTPS ISN'T ALWAYS AS SECURE AS IT SEEMS

ALYSSA FOOTE

WIDESPREAD ADOPTION OF the web encryption scheme HTTPS has added a lot of green padlocks—and corresponding data protection—to the web. All of the popular sites you visit every day likely offer this defense, called Transport Layer Security, or TLS, which encrypts data between your browser and the web servers it communicates with to protect your travel plans, passwords, and embarrassing Google searches from prying eyes. But new findings from researchers at Ca' Foscari University of Venice in Italy and TU Wien in Austria indicate that a surprising number of encrypted sites still leave these connections exposed.

In an analysis of the web's top 10,000 HTTPS sites—as ranked by Amazon-owned analytics company Alexa—the researchers found that 5.5 percent had potentially exploitable TLS vulnerabilities. These flaws were caused by a combination of issues in how sites implemented TLS encryption schemes and failures to patch known bugs (of which there are many) in TLS and its predecessor, Secure Sockets Layer. But the worst thing about these flaws is that they are subtle enough that the green padlock will still appear.
