Secure web connections under threat

We are heavily reliant on secure web (HTTPS) connections. They protect our online purchasing, verify app downloads and their updates, and keep our private information from prying eyes. Or so we like to think. Recent figures show that about half of all our page loads now use HTTPS, including the whole of this article, and the rest of my blog here.

HTTPS and its underlying security – originally SSL, now TLS – have had their worrying moments, to be sure. These have centred on vulnerabilities in the protocols used, which have been progressively addressed, although there is always that uncertainty as to whether the server to which you connect is running the latest, less vulnerable versions.

It is also a boon when you need to conduct any confidential or business exchange over a public network, such as when using public-access WiFi systems. Short of going over to full VPN (which many now do), it is the most popular way of keeping eavesdroppers out of your online activities. Or so we thought.

Two presentations at next week’s Black Hat security conference in Las Vegas should make us think again about the trust which we put in HTTPS, as reported by Ars Technica.

The first may not at first seem a great deal: Itzik Kotler and Amit Klein have shown that traffic restricted to using HTTPS, as you might when using public-access networks, can still reveal the URLs to which you connect, although the data transferred remains secure. This threat is greatest when you’re using DHCP, which is also most likely when using a public access point, which can readily be subverted to reveal the entire connection URL in plain text.

Unfortunately not all HTTPS servers are as discrete as they should be when making connections, and some of the comments to Ars Technica’s article reveal that it is not unusual for the connection process to leak the user name and even the associated password. That should not happen, of course, but it does.

The second relevant talk at the Black Hat conference, by Maxim Goncharov, reveals ways of exploiting WPAD, web proxy autodiscovery, as a result of its inherent weaknesses. Those can be worked around when browsers go out of their way to work with host names rather than complete URLs, but that is by no means universal practice.

The take-home message from these is not to rely on HTTPS when your communications could be intercepted: if you use public access points, then a good VPN is required if you want the full protection of secure connections. You cannot configure your browser to block all the exploits, and it is not likely to give you any indication that URLs or more details have been leaked either. You will still see the normal padlock icon indicating that a secure connection has been made.

And there’s more to come too. HTTPS is not normally considered as providing ‘end-to-end’ encryption, because it operates between client and server, rather than two communicating clients. The UK government’s stated intent with its Investigatory Powers (IP) Bill, currently nearing the end of its progress into legislation, is not to ban encryption, but to give law-enforcement and security agencies access to the content of any encrypted communications they wish.

From all that has happened, I think that we can safely assume that no one in government has the slightest clue as to what HTTPS or TLS are, nor how they protect communications in a way that denies others access to their content. Together with VPN systems, they are bound to be an early target for ‘technical measures’ required by the Home Secretary. It is well known that many serious criminals, paedophiles, and potential terrorists use HTTPS and VPN connections to communicate with systems outside the UK, which are unlikely to be accessible even with the Bill’s intended global reach.

Although there are potential ‘technical measures’ which service providers could implement to aid the UK government’s campaign to remove all privacy, the most effective are likely to be officially-driven exploitations of vulnerabilities such as those to be reported next week. Under the procedures which the IP Bill will establish, such hacks would be legal, and conducted in total secrecy.

The IP Bill should prove a great way to destroy any remaining trust that the citizens of the UK might have had in their government.