• Articles
    • Editorial Articles
    • Research Articles
    • WatchGuard Articles
  • The 443 Podcast
  • Threat Landscape
  • About
    • About Us
    • Contact Us
    • Contribute to Secplicity

Secplicity - Security Simplified

Powered by WatchGuard Technologies

Despite Rising HTTPS Adoption, Vulnerabilities Still Exist

November 4, 2016 By The Editor

Lock-Encryption

According to Google’s new Transparency Report, secure web traffic or HTTPS uptake is on the rise, making the web a lot more secure than it was a year ago. In general, this is great news for everyone, as HTTPS both encrypts our web traffic and helps validate the legitimacy of the domains we visit, keeping our data away from prying eyes and protecting us from websites pretending to be something they aren’t. Between April 2015 and October 2016, Google’s report shows significant increases in webpages being loaded over HTTPS. It also indicates that Chrome users on Windows, Mac or Linux machines are accessing secure HTTPS pages about two-thirds of the time.

While these HTTPS numbers are very encouraging for the security industry and show a genuine improvement in online security, there are a few drawbacks to consider:

First: HTTPS isn’t infallible if it’s not strictly enforced. For example, when users manually key in URLs, most don’t type in “http://” or “https://” before entering their desired destination. Browsers can automatically default to less-secure HTTP when a specific protocol isn’t provided, unless there is an HTTP Strict Transport Security (HSTS) policy in place. Secure websites will run HTTP services to redirect users to the appropriate HTTPS destination, but as a result, they can be more vulnerable to man-in-the-middle attacks. This means that when users are directed to HTTP sites first, bad actors can simply hijack HTTP requests and block users from reaching secure HTTPS websites. Without proper HSTS policies, HTTPS can be much less effective.

Second: Bad guys are now using HTTPS for their own purposes. According to a recent report by A10 Networks and Ponemon Institute, nearly half of cyberattacks on businesses in the past year involved malware concealed in encrypted traffic. Today, attackers leverage HTTPS to protect their malware command and control (C&C) communications and they sometimes use HTTPS to deliver malicious executables to new victims. In both cases, typical security technologies, like antivirus or botnet detection, may not catch these threats if they can’t see within this encrypted traffic.  Since malware hidden via HTTPS is invisible to legacy security controls, organizations need security solutions that can inspect HTTPS traffic to weed out these camouflaged attacks.

So, while continued growth in HTTPS usage is a goal the entire security industry can get behind, it’s important to remember that nothing is 100 percent bulletproof in the world of infosec. Keep in mind that attackers are constantly on the lookout for ways to circumvent and appropriate even the latest and greatest security measures.

Share This:

Related

Filed Under: Editorial Articles, Featured Tagged With: cyber security, exploit, Google, Hacking, Infosec news, Malware, Security breach

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

The 443 Podcast

A weekly podcast featuring the leading white-hat hackers and security researchers. Listen Now
the 443 podcast

Threat Landscape

Filter and view Firebox Feed data by type of attack, region, country, and date range. View Now
threat landscape

Top Posts

  • Cybersecurity News: Free Cybersecurity Training, TrickBot Group Exposed, Major GoDaddy Breach, and Russia to Legalize cybercrime?!
  • US National Cybersecurity Strategy
  • Here Come The Regulations
  • Cybersecurity’s Toll on Mental Health

Email Newsletter

Sign up to get the latest security news and threat analysis delivered straight to your inbox

By signing up you agree to our Privacy Policy.


The views and opinions expressed on this website are those of the authors and do not necessarily reflect the policy or position of WatchGuard Technologies.

Stay in Touch

Recent Posts

  • Cybersecurity News: LastPass Incident Revealed, White House Issues Cybersecurity Strategy, FBI Purchases Leaked USHOR PII Data, and a Slew of Other Breaches
  • An Update on Section 230
  • Here Come The Regulations
  • US National Cybersecurity Strategy
  • Cybersecurity News: Free Cybersecurity Training, TrickBot Group Exposed, Major GoDaddy Breach, and Russia to Legalize cybercrime?!
View All

Search

Archives

Copyright © 2023 WatchGuard Technologies · Cookie Policy · Privacy Policy · Terms of Use