01.03.14

So you think HTTPS is safe?

After all the recent security scandals, I think it’s time to explain how the most common security mechanism on the network works.

It was 11:23pm, my wife was checking the latest merchandise on yet another online shopping site, when suddenly I heard her voice: “Hey, this one has no HTTPS!”.

She knows better than to order from non-secure sites. But then again, what if it had HTTPS? Is it safe? First things first: what is HTTPS?

HTTPS is the HTTP protocol with SSL (short for Secure Sockets Layer). Until a few years ago, HTTPS was common mainly on enterprise sites and other boring sites. Things have changed, and more and more sites use HTTPS as their default protocol: Google, Twitter, Facebook and more.

There are several reasons for this change:

One. HTTPS is “compatible” with HTTP and does not require (in theory) code changes to switch to it.

Two. Hardware has become more powerful, and the overhead of working in HTTPS is no longer significant.

Three. Growing awareness of privacy and network security.

After the NSA’s surveillance was exposed, the internet organization proposed to encrypt all network traffic with HTTPS.

Google and some other large companies began to replace the asymmetric encryption keys of their HTTPS, moving from 512-bit/1024-bit to 2048-bit. Some of these technology companies, which previously collaborated with the NSA in revealing users’ information, are now trying to show that their policy towards the authorities has changed direction, to the benefit of users.

Is the SSL protocol completely secure? No.
For example, U.S. law (like the laws of other governments) restricts the size of the keys that can be used for encryption. A larger key is more difficult to decipher. It is believed that the U.S. government adjusts the law so that individuals and companies can defend themselves against civilians and other companies, but not against the supercomputers of the NSA or the FBI. Currently the law in the United States (to my knowledge) limits symmetric encryption keys to 256 bits and asymmetric keys to 2048 bits. Could the large computing enterprises (Amazon, Google, Microsoft, as well as smaller organizations) decode such encryption in a reasonable time? Almost certainly they could.

Could HTTPS be hacked in a generic way? Probably yes, although it has not happened yet.

On top of that, there are also bugs in the SSL protocol itself. Recent famous attacks based on these bugs are called ‘BEAST’ and ‘CRIME’, and to this day a large share of Internet users are still exposed to them, because many web servers have not been updated and still work with older versions of SSL. On the other hand, these attacks are quite complex to carry out. However, this does not mean that I would not prefer that my e-mail and the website services that deal with my own money work with the latest security protocol versions…
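A defender's check for the two conditions mentioned above, as an added example that is not part of the original post: BEAST needs a CBC cipher suite under SSL 3.0 or TLS 1.0, and CRIME needs TLS-level compression. The function names and the sample sessions are constructed for illustration.

```python
import socket
import ssl

# Versions in which CBC suites chain a predictable IV (the BEAST condition).
BEAST_VERSIONS = {"SSLv3", "TLSv1"}
# In SSL 3.0 / TLS 1.0 every block-cipher suite is CBC; only these are not.
NON_CBC_MARKERS = ("RC4", "NULL")


def audit_session(version, cipher_name, compression):
    """Return findings for one negotiated session.

    The arguments are what SSLSocket.version(), SSLSocket.cipher()[0]
    and SSLSocket.compression() report after the handshake.
    """
    findings = []
    if version in ("SSLv2", "SSLv3"):
        findings.append(f"{version}: obsolete SSL protocol version")
    if version in BEAST_VERSIONS and not any(m in cipher_name for m in NON_CBC_MARKERS):
        findings.append(f"{version} with CBC suite {cipher_name}: BEAST precondition")
    if compression is not None:
        findings.append(f"TLS compression ({compression}) enabled: CRIME precondition")
    return findings


def probe(host, port=443, timeout=5.0):
    """Connect with certificate verification on and audit what was negotiated."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return audit_session(tls.version(), tls.cipher()[0], tls.compression())


# Constructed sample sessions (not captured from any real server).
SAMPLES = [
    ("TLSv1", "AES128-SHA", None),
    ("TLSv1", "RC4-SHA", "zlib compression"),
    ("TLSv1.2", "ECDHE-RSA-AES128-GCM-SHA256", None),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", audit_session(*sample) or "no findings")
```

A current Python/OpenSSL client refuses the old protocol versions and compression on its own, so `probe()` audits the session this client actually got rather than everything the server would accept.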

And there are also rumors… that NSA experts “pushed” sophisticated bugs into the security protocols, so that they can take advantage of them in the future.

Happy shopping…