What is HTTPS?
HTTPS (Hypertext Transfer Protocol Secure) is an internet communication protocol that protects the integrity and confidentiality of data between the user’s computer and the site.
Data sent using HTTPS is secured via Transport Layer Security protocol (TLS), which provides three key layers of protection:
1. Encryption—encrypting the exchanged data to keep it secure from eavesdroppers. That means that while the user is browsing a website, nobody can “listen” to their conversations, track their activities across multiple pages, or steal their information.
2. Data integrity—data cannot be modified or corrupted during transfer, intentionally or otherwise, without being detected.
3. Authentication—proves that your users communicate with the intended website. It protects against man-in-the-middle attacks and builds user trust, which translates into other business benefits.
A (very) simplified way to think about HTTPS is this: picture two countries that trade goods and are connected by a road. In order to protect the goods and prevent crime, police are stationed along the roads to prevent theft and general lawlessness. In this example, the goods are your data and HTTPS is the police along the highway.
HTTPS will not prevent your website from being hacked. It will also not protect you from malware or DDoS (Distributed Denial of Service) attacks. It will, however, ensure that you are securely transmitting information to and from a website, which is what matters when entering sensitive information for banking transactions or online shopping.
What Does the Green Lock Indicate?
While surfing the internet you may have noticed a green padlock icon to the left of the URL with the word “Secure” next to it, or a lock with a red X over it and a red slash through the letters “https”.
Those locks all relate to the verification of the certificate used by the site. Certificates are issued by a Certificate Authority (CA), which verifies the site you are visiting.
Let us see this with examples:
Little green lock: The site’s certificate has been checked, verified, and paid for. You’re good to go.
Little green lock and a name in a green box: This means the site has an Extended Validation Certificate. To make a long story short, the site has gone through more vetting, met more criteria, and paid more to earn this certificate. An example of this would be PayPal.com.
Red X over the lock, https with a red slash through it, or warnings: This is when you should find an alternative site or proceed with extreme caution. Don’t panic (but also don’t hand over sensitive info) if you see this warning. It could be due to a number of reasons, including an expired certificate, malware or something dodgy going on with the site, or something as simple as your computer having the date/time wrong (a certificate’s validity period is checked against your computer’s date/time).
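To make the padlock states above concrete, here is an added example in Go (not code from the original post). It builds a constructed test CA and a site certificate for the made-up host shop.example, then runs the same checks a browser performs before drawing the padlock: a trusted issuer, validity dates measured against the client’s clock, and a matching hostname. The host names, the CA name and the validity window are all assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// makeChain builds a constructed test CA and a leaf certificate for host signed by it, valid from notBefore to notAfter.
func makeChain(host string, notBefore, notAfter time.Time) (*x509.Certificate, *x509.CertPool) {
	caPub, caPriv, _ := ed25519.GenerateKey(rand.Reader)
	leafPub, _, _ := ed25519.GenerateKey(rand.Reader)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Test CA"},
		NotBefore: notBefore, NotAfter: notAfter, IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, caPub, caPriv)
	if err != nil {
		panic(err) // inputs are constructed, so a failure here is a programming error
	}
	ca, _ := x509.ParseCertificate(caDER)
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		NotBefore: notBefore, NotAfter: notAfter, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, ca, leafPub, caPriv)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(leafDER)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	return leaf, roots
}

// verdict runs the checks a browser makes before drawing the padlock (trusted issuer, dates vs. the client's clock, name).
func verdict(leaf *x509.Certificate, roots *x509.CertPool, host string, now time.Time) string {
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots, CurrentTime: now})
	switch err.(type) {
	case nil:
		return "trusted"
	case x509.HostnameError:
		return "name mismatch"
	case x509.UnknownAuthorityError:
		return "untrusted issuer"
	case x509.CertificateInvalidError:
		return "outside validity period" // expired, or the client's date/time is wrong
	}
	return "invalid: " + err.Error()
}
```

Calling verdict with the same certificate but a clock set a year back reproduces the “date/time wrong” warning described above, while an empty root pool reproduces the case of a certificate nobody vouches for.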
Users are often urged to verify the site’s certificate, admire the advanced cryptographic protocols in use, and, on this basis, trust it with their personal
Increasingly, organizations also cite their compliance with Payment Card Industry (PCI) standards to reassure users that they are secure. For example:
We take security very seriously. Our web site is scanned daily to ensure that we remain PCI compliant and safe from hackers. You can see the date of the latest scan on the logo below, and you are guaranteed that our web site is safe to use.
In fact, the majority of web applications are insecure, despite the widespread usage of SSL technology and the adoption of regular PCI scanning.
According to the authors of the Hacker’s Handbook, web applications are commonly affected by the categories of vulnerability listed below:
Broken authentication (62%) — This category of vulnerability encompasses various defects within the application’s login mechanism, which may enable an attacker to guess weak passwords, launch a brute-force attack, or bypass the login.
Broken access controls (71%) — This involves cases where the application fails to properly protect access to its data and functionality, potentially enabling an attacker to view other users’ sensitive data held on the server or carry out privileged actions.
SQL injection (32%) — This vulnerability enables an attacker to submit crafted input to interfere with the application’s interaction with back-end databases. An attacker may be able to retrieve arbitrary data from the application, interfere with its logic, or execute commands on the database server itself.
Cross-site scripting (94%) — This vulnerability enables an attacker to target other users of the application, potentially gaining access to their data, performing unauthorized actions on their behalf, or carrying out other attacks against them.
Information leakage (78%) — This involves cases where an application divulges sensitive information that is of use to an attacker in developing an assault against the application, through defective error handling or other behavior.
Cross-site request forgery (92%) — This means that application users can be induced to perform unintended actions on the application within their user context and privilege level. The vulnerability allows a malicious web site visited by the victim user to interact with the application to perform actions that the user did not intend.
Again, I would like to say that SSL is an excellent technology that protects the confidentiality and integrity of data in transit between the user’s browser and the web server. It helps defend against eavesdroppers, and it can provide assurance to the user of the identity of the web server they are dealing with. But it does not stop attacks that directly target the server or client components of an application, as most successful attacks do.