New HTTPS vulnerabilities may expose your data

Researchers at Università Ca’ Foscari Venezia in Venice, Italy, and TU Wien in Austria found that more than 10,000 top-ranked websites using HTTPS are still vulnerable because of cryptographic weaknesses.

HTTPS (Hypertext Transfer Protocol Secure) replaced HTTP a few years ago and is currently used by most top sites, but it is still not safe. HTTPS should protect users from man-in-the-middle attacks and prevent hackers from accessing your passwords, history, and other data.

New research shows that some websites that use HTTPS to protect the connection between users and web servers still expose some user data to hackers. HTTPS uses Transport Layer Security (TLS) to encrypt communications, and about 5.5% of the 10,000 HTTPS sites analyzed were vulnerable.

We discovered TLS vulnerabilities in 5,574 hosts (5.5%):

  • 4,818 vulnerable to MITM
  • 733 vulnerable to full decryption
  • 912 vulnerable to partial decryption

Attackers can use these vulnerabilities to steal information from cookies. An attacker can access almost any data exchanged between the browser and the server. It is worth noting that the 10,000 websites tested also linked to approximately 91,000 domain names, and these vulnerabilities may affect those domains as well. Of the 10,000 websites, 898 were completely vulnerable, with all of their data found to be compromised. Page integrity for another 977 websites is very low, which is also a big problem.

When users visit these websites, the green HTTPS padlock will still appear in the address bar. Errors in TLS are hard to detect, but they still exist and may be exploited. The researchers used TLS analysis technology to analyze the top 10,000 websites, which they selected using Alexa’s ranking table. The research paper will be presented at the 40th IEEE Security and Privacy Symposium, which will be held in San Francisco in May.