You might remember that we have repeatedly written articles detailing how HTTPS (otherwise known as secure web browsing) is not really as secure as it seems. Last fall, two security researchers demonstrated a program they called BEAST that allows hackers to gain access to restricted user accounts. Then another researcher created a program called CRIME, which was even worse than BEAST. Even USA Today has written about how HTTPS is not safe.
Well, guess what: now Cornell researchers have determined that HTTPS does not prevent third parties from figuring out which secure websites you are visiting.
The supposedly secure walls around HTTPS are crumbling quickly.
A Quick Review of HTTPS
Online retailers and banks use secure websites – known as HTTPS, which is short for Hypertext Transfer Protocol Secure – to provide secure transactions. Have you ever seen a small lock symbol next to the URL of a website? This indicates that the website is secure.
The technology behind HTTPS is called SSL, or Secure Sockets Layer. SSL creates an encrypted link between the website and your browser which is supposed to ensure that the data passed between you and the website remains private.
The problem is that it is notoriously easy to figure out how to bypass this encryption. Last year, Internet security researchers demonstrated that they could access a user’s login ID cookies, because these were not encrypted. With this login information, a hacker could quickly and easily access the user’s account. Up to 90% of websites using HTTPS were not encrypting their session ID cookies, and were susceptible to this kind of attack.
New Vulnerabilities to HTTPS
Recently, researchers at Cornell published an academic paper entitled I Know Why You Went to the Clinic: Risks and Realization of HTTPS Traffic Analysis that details a weakness in HTTPS. Exploiting this deficiency, the researchers were able to figure out the identity of the secure web pages that users were accessing.
What this means? ISPs, employers, or governments could figure out with a high degree of certainty what page someone accessed on the Internet and can thus, learn more about YOU. In a nutshell, the “secure” websites you are visiting are really not that secure at all.
How They Did It
The Cornell researchers were able to carefully analyze encrypted traffic from secure websites and note subtle differences in the contents. By analyzing this content, they were able to figure out, with an 89% success rate, the specific web page the user was accessing.
The researchers used ten websites, including the ACLU, Bank of America, Kaiser Permanente, Legal Zoom, the Mayo Clinic, Netflix, Planned Parenthood, Vanguard, Wells Fargo, and YouTube. They measured the characteristics of each URL first, and then used these characteristics to help determine the webs pages of the encrypted web sessions.
Why This is Important
If you are concerned about privacy, then this HTTPS vulnerability should matter to you. It could be used by an employer to infer if an employee is planning to get pregnant, or by a government to know if a citizen is viewing banned material.
It’s also a good reminder that HTTPS is not that safe, and if you are looking to ensure that what you do online remains private, that you should use a VPN like PRIVATE WiFi to ensure that what you do online cannot be accessed by others.