Note: This is the second of a two-part blog series on SSL stripping. The first part discussed the threat of SSL stripping attacks while this post examines whether the implementation of HTTPS on a site-wide scale is the answer to this threat.
In the first part of this series we examined what SSL stripping attacks are and what is the threat to corporations. So is the adoption of HTTPS across the websites and the subsequent Chrome updates on security flags the answer to this threat? To answer this question it is essential to understand the natures of these attacks. SSL stripping attacks can work only on websites that encrypt only their login page. Hence, websites that use both HTTP and HTTPS in their setup are vulnerable to SSL stripping attacks.
To mitigate this threat, financial institutions and technology firms have already enabled HTTPS on a site-wide basis. Enabling HTTPS encrypts the connection between a browser and the website, thereby securing sensitive data transmissions. Therefore it makes perfect sense for banks and high-profile technology firms to enable HTTPS on their dynamic websites because of the transaction of important and sensitive information.
We have also to realize that it is of equal importance to enable HTTPS across static websites, even if there aren’t any sensitive data transactions. A lot of corporations purchase an SSL certificate and they only configure the pages to be served over HTTPS that require a user to transmit personal information, such as login screens and checkout pages. That’s not a good way to operate.
Because of the abstract nature of internet connections, people think that a connection to a static website is secure over HTTP. However, the traffic travels through many points to get from your browser to a website. HTTP is insecure and allows anyone to manipulate traffic at any point between a laptop and a website. Attackers can intercept a lot of information by manipulating traffic on a static website protected only by HTTP. Some of it can be relatively harmless but other abuses are much more serious. But none of these abuses are possible if a site is protected by HTTPS. If there is any problem, web browsers like Chrome and Firefox display a message that warns visitors that they cannot verify the site’s TLS certificate.
So here is the first benefit for organizations. Trust. Encryption is like multifactor and security of the end user, but it also means that users can place greater trust in a website’s safety and authenticity. SSL/TLS is a solid way to endorse just how safe your platform is, adding a touch of professionalism to any site using it.
In addition, enabling HTTPS on a site-wide basis maintains compliance with all data privacy regulations, such as GDPR or NIST SP 800-122. Especially, GDPR clearly states that organizations must be able to provide “sufficient guarantees to implement appropriate technical and organizational measures” to ensure that processing of personal data will comply with the GDPR and that data subjects’ rights are protected. It’s a win-win situation.
Another (hidden) benefit is Google’s SEO ranking. Some companies spend a ton of resources on SEO without realizing that simply enabling SSL can give their site a ranking boost on Google Search. In 2014, when the browsers were still incentivizing SSL instead of mandating it, Google announced it was making HTTPS a signal in its ranking algorithm. Experts estimate that having SSL/TLS can give your website up to a 5% boost. Now let’s think about what happens to that ranking signal after everyone starts to migrate to HTTPS. It becomes a standard, and the boost functionally begins to flip, to change from a benefit for sites that have it to a penalty for sites that don’t. When everyone ranks 5% higher than you, you’re at a disadvantage.
In addition to enabling HTTPS on a site-wide basis, corporations should weigh the benefits of enabling HSTS (HTTP Strict Transport Security), which is a web security policy mechanism that helps to protect websites against SSL stripping attacks and cookie hijacking. It allows web servers to declare that web browsers should interact with them using only secure HTTPS connections, and never via the insecure HTTP protocol.
When a web application issues HSTS Policy to user browsers, conformant user browsers will automatically redirect any insecure HTTP requests to HTTPS for the target website. In addition, when a man-in-the-middle attacker attempts to intercept traffic from a victim using an invalid certificate, HSTS does not allow the user to override the invalid certificate warning message. By having a HSTS policy installed, it will be nearly impossible for the attackers to intercept any information at all!
In addition to enabling HTTPS on a site-wide basis and enforcing HSTS policy, corporations need to activate one last line of defense. They need to take proper safeguards to defend their SSL/TLS certificate against bad actors who could misuse the certificate. An important part of this process involves investing in a solution such as Venafi Trust Protection Platform that allows organizations to continuously monitor their digital certificates for signs of abuse. Venafi Trust Protection Platform gives you the visibility you need to block a new breed of hackers who misuse keys and certificates to hide in your encrypted traffic. Plus, you’ll have what it takes to act quickly, when needed, to keep avoid compromise or disruption caused by expired certificates.