Tuesday, May 5, 2009

HTTPS = HTTB.S.

Gee!  Here's a Surprise!  Didn't see "that" coming!  You mean to tell me that even "secure" sites within a browser space are really not secure at all?  You know...those ones with the "HTTPS"?  Well, it seems that https is really nothing more than "HTTB.S."

You know...now that I think about it, I thought I had read something about the insecurity of security on the web once, but I can't quite place where, so I'll have to settle with providing you with this latest article...

Oh wait...I just remembered where I read it.  Right here on the PIN Payments News Blog!  Here's the link with the latest story to follow:
eCommerce and Browsers Don't Mix.


Infosecurity 2009: Flaw in https blows hole in ecommerce security
Author: Cliff Saran


A serious flaw in the way ecommerce sites implement secure internet access based on the HTTPS protocol could put customers' credit card details at risk.

Internet users are aware that they should only give their credit card details to sites that use the HTTPS protocol to encrypt the transmission of user details over the internet.

But First Base Technologies has spotted a flaw in the way many web sites use HTTPS, that renders the encryption useless.

According to Peter Wood, chief of operations at First Base Technologies, the flaw allows a hacker to hijack the internet cookies used to manage secure sessions on HTTPS web servers.

"Many websites do not flag the session cookie used by HTTPS as secure," he said speaking at InfoSecurity 2009.

Normally this cookie is used like a pass key to allow the user's browser to send a token to the HTTPS server, rather than requiring authentication every time the server is accessed.

However, Wood's team has found that unless the HTTPS session cookie is flagged "secure", the browser also sends it on ordinary HTTP requests to the same site, where it travels as plain text and can be intercepted by a hacker.

This is not a problem while every request goes over HTTPS, but ecommerce sites that present web-based catalogues normally serve those pages over plain HTTP and also support multiple browser sessions, allowing the user to log into the web site more than once. When these are combined with an HTTPS session token that has not been flagged "secure", the token leaks on the HTTP requests, and the hacker can present the same token to the site and be treated as the genuine user.

Wood warned that the attack could also be used to compromise strong authentication products like RSA SecurID, which rely on two-factor authentication.


Wood said, "If you use RSA you have to tell the server to generate secure cookies, otherwise a hacker can grab the token using a man-in-the-middle style attack." Once the token has been stolen, the hacker can then access any of the data and applications on the corporate intranet that the user has access to. Moreover, the hacker may be able to reverse-engineer the secure token to work out how it was generated, which would compromise the company's two-factor authentication system.
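The e-commerce case Wood describes above and the RSA token case in his quote come down to one browser rule: a cookie carrying the Secure attribute is attached only to https requests, while a cookie without it is attached to plain-http requests to the same host as well (RFC 6265, section 5.4). What follows is an added example, not code from the Computer Weekly article, from First Base Technologies, or from this blog. It models that rule in Python, runs it over a constructed browsing sequence (login over https, then catalogue pages over http), and shows the weak Set-Cookie header beside the corrected one. The host name shop.example, the cookie name SESSIONID and its value, and the URLs visited are all made up for the illustration.

```python
# Added example, not part of the article or Wood's talk. Models the browser rule
# from RFC 6265 section 5.4: a cookie with the "Secure" attribute is attached only
# to https requests; without it, the browser also attaches it to plain-http
# requests to the same host, where an on-path attacker reads it in cleartext.
# Host name, cookie name/value and browsing sequence below are constructed.
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class Cookie:
    name: str
    value: str
    host: str            # host that set the cookie (host-only; Domain attribute not modelled)
    secure: bool = False


def parse_set_cookie(header: str, host: str) -> Cookie:
    """Parse the parts of one Set-Cookie header value that matter here."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    secure = False
    for attr in parts[1:]:
        # attribute names are case-insensitive; "Secure" has no value, "Path=/" does
        if attr.partition("=")[0].strip().lower() == "secure":
            secure = True
    return Cookie(name.strip(), value.strip(), host, secure)


def browser_sends(cookie: Cookie, url: str) -> bool:
    """Would a conforming browser attach this cookie to a request for url?"""
    u = urlsplit(url)
    if u.hostname != cookie.host:
        return False
    if cookie.secure and u.scheme != "https":
        return False     # the Secure attribute keeps it off plain http
    return True


def sniffed_by_on_path_attacker(cookies, visited_urls):
    """Cookie values a passive network attacker sees: anything the browser
    attaches to an http:// request travels in cleartext."""
    captured = {}
    for url in visited_urls:
        if urlsplit(url).scheme != "http":
            continue     # https traffic is encrypted; nothing to read there
        for c in cookies:
            if browser_sends(c, url):
                captured[c.name] = c.value
    return captured


# Constructed headers: the one Wood describes (no Secure attribute) and the fix.
WEAK_HEADER = "SESSIONID=7f3a9c1e; Path=/"
FIXED_HEADER = "SESSIONID=7f3a9c1e; Path=/; Secure"

# Constructed browsing sequence: log in over https, then browse the catalogue
# over http, the mixed pattern the article says e-commerce sites commonly use.
VISITED = [
    "https://shop.example/login",
    "http://shop.example/catalogue",
    "http://shop.example/item/42",
]


def hijack_cookie_header(set_cookie_header: str):
    """Return the Cookie header an on-path attacker could replay over https
    to be treated as the user, or None if the session cookie never leaked."""
    cookie = parse_set_cookie(set_cookie_header, "shop.example")
    captured = sniffed_by_on_path_attacker([cookie], VISITED)
    if cookie.name not in captured:
        return None
    # The server cannot distinguish this replayed value from the genuine browser.
    return f"{cookie.name}={captured[cookie.name]}"


if __name__ == "__main__":
    print("weak header  ->", hijack_cookie_header(WEAK_HEADER))   # SESSIONID=7f3a9c1e
    print("fixed header ->", hijack_cookie_header(FIXED_HEADER))  # None
```

The point to take from the run is that the leak happens on the catalogue pages, not on the login page: the https login was encrypted exactly as advertised, and the cookie still ended up in cleartext two requests later. The check a site owner can do is simply to read the Set-Cookie header the login response returns and confirm the session cookie carries Secure.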


Wood said that the only way web sites can protect users is by ensuring their application developers correctly flag HTTPS cookies as secure.  Editor's Note:  Hey!  That's complete and utter HTTB.S.!  Hackers will always find a way in.  The ONLY WAY Web sites can protect their users is by having them conduct financial transactions the way they do in brick and mortar locations.  By swiping, not typing.  OUTSIDE THE BROWSER SPACE.  eCommerce companies would also greatly benefit from "card present" rates on credit cards and True PIN Debit rates, which in many instances are capped.  More Security AND more Profits?  Wow...I gotta learn more about that.

Oh...and Wood also said he believed hackers were using this flaw to steal internet users' card details. Ya think?
