That little green padlock that appears on your browser's address bar looks reassuring. It means the website you're currently visiting uses HTTPS (Hypertext Transfer Protocol Secure) for a secure connection. HTTPS protects you against man-in-the-middle attacks, that ensures no one can see your passwords, search history, and other sensitive content. Almost all popular websites now use HTTPS to encrypt the data between your web browser and web servers it communicates with.
However, new research claims some websites using HTTPS are still leaving their connections exposed. Researchers at Ca' Foscari University of Venice in Italy and Tu Wien in Austria have analysed the top 10,000 websites that use HTTPS and found that nearly 5.5 percent of these are vulnerable to TLS (Transport Layer Security) exploits.
The communication protocol in HTTPS is encrypted using Transport Layer Security (TLS), previously known as Secure Sockets Layer (SSL). Researchers claim that the flaws they've discovered are a result of issues that crop up depending on how websites implement TLS encryption schemes. These websites may have also failed to patch known buds in TLS and SSL.
But when you're visiting such a website, the shiny green padlock will still appear on your browser's address bar. That's how subtle these flaws can be, they're hard to detect. These flaws normally go unnoticed, claim the security researchers who discovered them.
The flaws were discovered by using TLS analysis techniques to crawl and analyze the top 10,000 sites for TLS issues. The researchers picked up these websites from Alexa's ranking of top websites on the Internet.
These security flaws could potentially allow a malicious attacker to decrypt small information such as session cookies, but wouldn't be much useful in extracting something as sensitive as a password.
But there are some more 'leaky' flaws that could potentially allow attackers to decrypt almost all of the Web traffic passing between a browser and a Web server, according to the research paper.
Then there are 'tainted' vulnerabilities that could potentially enable attackers to decrypt and manipulate data being transferred between a browser and a web server. These man-in-the-middle attacks are exactly the reason why HTTPS was put into place.
Researchers claim that all the top 10,000 websites that were tested also include around 91,000 related domains. HTTPS vulnerabilities in these websites could increase the overall number of affected sites.
Vulnerabilities discovered that 898 websites, from the 10,000 total websites they tested, were fully compromisable while 977 websites presented low integrity pages. The full research paper will be presented at the 40th IEEE Symposium on Security and Privacy at San Francisco in May this year.