Are all HTTPS sites secure? The whole Truth...
Source: hosting seekers


Not all sites on the web are equal when it comes to security.

You've probably heard this statement before...

"HTTPS sites with padlocks are always safer than HTTP sites."

This is true, yes. But it’s not the whole truth. Don’t get me wrong, HTTPS signifies that your connection to a site is secure. The problem is that these days, attackers are using this same HTTPS technology as a cover to infect networks with malware.

A 2023 report by Zscaler showed that encrypted malware and malicious content were a top threat, making up 78% of observed attacks.

Keep reading as I explain how HTTPS works, how threat actors are using it in modern attacks and how to protect your information.


What is HTTPS and HTTP?

HTTP stands for Hypertext Transfer Protocol while HTTPS stands for Hypertext Transfer Protocol Secure.

To understand the latter we need to know what HTTP is. Hypertext Transfer Protocol (HTTP) is an internet protocol that makes it possible for your web browser to communicate with websites.

Web browsers are applications like Google Chrome, Firefox and Safari. Websites are not stored on the web browsers themselves but on remote servers that deliver requested content from an organization to a user.

If there was no order in how data flowed from one endpoint to the other, chaos would reign. This is why the HTTP protocol was created: to serve as a standard that says “Hey web browser, when you're sending a user's data to a server you must format it like this so different endpoints can understand each other.”


The difference between HTTP AND HTTPS

At first glance, it seems the only difference between HTTP and HTTPS is the new “s” addition.

This "s" is a big deal. It stands for SSL, with the full meaning being Secure Sockets Layer. However, these days SSL has been replaced by Transport Layer Security (TLS), though most mentions of it still call it SSL or SSL/TLS.

Now back to what SSL/TLS does. This technology encrypts any information you type into a browser so hackers or middlemen cannot read the traffic as it goes from your device (a client) to the website backend (a server).

With HTTPS, the information you enter into a website that goes to the website's backend (web server), is encrypted. This means attackers trying to intercept communication won’t be able to.

Whereas with plain HTTP, they can not only intercept traffic but also change its contents in transit.

[Image: diagram showing what happens with HTTP and HTTPS sites. Source: cheapsslsecurity]


How do you get the HTTPS section in a website URL?

For websites to get HTTPS attached to their URL, they have to buy it along with a domain name from domain name registrars. This is how the process looks.

Step 1: Go to a domain name registrar like GoDaddy or Namecheap

Step 2: Pick a domain name and add it to the cart

Step 3: Once you add it to the cart, you’ll see some additional features you can purchase with your domain name. One of these features is an SSL certificate.


[Image: checkout page for Namecheap]


An SSL certificate is needed for SSL to work. It is what enables websites to use HTTPS. It contains the website's public key and identity.

A public key is used as a form of identity verification in conjunction with a website's private key to ensure the website owner is truly who they say they are. This is how it works...

Say Mary wants to visit a website called Gogolamb. When Mary visits the website, her Google Chrome browser checks if that site's SSL certificate is valid. Her browser is called the client in this client-server relationship and checks the following:

  • Validity: The certificate is still valid and has not expired.
  • Chain of Trust: The certificate is signed by a trusted Certificate Authority. The client checks the CA's signature against its list of trusted CAs on the browser.
  • Domain Matching: The certificate's common name (CN) or subject alternative name (SAN, the list of additional domain names the certificate covers) matches the domain the client is trying to reach.
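
As an added illustration (not part of the original article), here are the three checks above written out in Python against a constructed certificate in the shape that Python's own `ssl` module returns from `getpeercert()`. The site name "gogolamb.example", the issuer "Example Trusted CA" and the trusted-issuer set are assumptions; the chain-of-trust step is simplified to an issuer lookup, since the CA signature verification a real browser performs is omitted.

```python
import ssl
import time

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns
# (hypothetical names, not a real site's certificate).
SAMPLE_CERT = {
    "subject": ((("commonName", "gogolamb.example"),),),
    "issuer": ((("organizationName", "Example Trusted CA"),),),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Dec 31 23:59:59 2034 GMT",
    "subjectAltName": (("DNS", "gogolamb.example"), ("DNS", "*.gogolamb.example")),
}
# Stand-in for the browser's root store; the CA signature check is omitted.
TRUSTED_ISSUERS = {"Example Trusted CA"}

def _rdn_value(name, key):
    """First value of attribute `key` in a getpeercert() name tuple, else None."""
    return next((v for rdn in name for k, v in rdn if k == key), None)

def check_validity(cert, now=None):
    """Validity: `now` (epoch seconds) must lie inside notBefore..notAfter."""
    now = time.time() if now is None else now
    return (ssl.cert_time_to_seconds(cert["notBefore"]) <= now
            <= ssl.cert_time_to_seconds(cert["notAfter"]))

def check_chain_of_trust(cert):
    """Chain of trust (simplified): the issuer must be a trusted CA."""
    return _rdn_value(cert["issuer"], "organizationName") in TRUSTED_ISSUERS

def _name_matches(pattern, hostname):
    """Match one DNS name; a leading '*.' covers exactly one left-most label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        labels = hostname.split(".")
        return len(labels) > 2 and ".".join(labels[1:]) == pattern[2:]
    return pattern == hostname

def check_domain_match(cert, hostname):
    """Domain matching: SAN DNS entries first; CN only when there is no SAN."""
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return any(_name_matches(san, hostname) for san in sans)
    cn = _rdn_value(cert["subject"], "commonName")
    return cn is not None and _name_matches(cn, hostname)

def browser_checks(cert, hostname, now=None):
    """All three checks must pass before the browser shows the padlock."""
    return (check_validity(cert, now) and check_chain_of_trust(cert)
            and check_domain_match(cert, hostname))
```

Note that the wildcard matches "shop.gogolamb.example" but not "gogolamb.example.evil" or a name two labels deep, which is why the domain-matching step matters against look-alike hosts.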

Once the website has been vetted, the browser is sure the site is secure.

The SSL cert means a site's owner and identity have been verified by trusted 3rd parties. This then gives way to SSL's second function, which is to encrypt interactions between the client (you) and the server (website server).

Therefore, authentication gives way to encryption.

With all these checks, how are attackers still able to infiltrate sites?


How Attackers Obtain SSL Certificates

Website owners need to validate who they are to collect an SSL certificate from a 3rd party. Only after this is HTTPS enabled.

So how do attackers get around this verification process?

1. Malicious code injection: Attackers exploit vulnerabilities and inject malicious code on a site so users download a virus or other form of malware.

2. Less stringent certificate providers: These certificate providers offer SSL certs at lower costs and do not validate the users. They perform minimal checks to verify ownership of a domain. Cybercriminals often use these providers to obtain domain names and SSL certificates.

3. Domain shadowing: Where attackers pretend to be a sub-domain under a reputable domain and are automatically given a certificate as well as trust. They accomplish this by stealing the login credentials of the domain owner and stealthily registering additional secondary domains while using techniques to avoid detection.


Why do they use HTTPS to spread malware?

They use the HTTPS protocol because ordinary antivirus, intrusion detection systems, and firewalls cannot inspect this encrypted traffic flow. They hide their malware payload within the encrypted stream and it passes innocently to its intended destination.

How Tommy infected his device and his corporate network

An SSL-encrypted website has a virus on it. Tommy visits the websites and clicks a link offering him a discount on pink office tables. From there he types in his credit card details on the site and purchases the so-called table.

Tommy does not know the "trusted" site he visited is fake and was set up to harvest user details. Plus the link he clicked had backdoor malware on it. This encrypted malware traveled cozily into his corporate network from his device.

The thing about HTTPS is that it works towards keeping your communication secure. It doesn't mean the site itself does not have malicious content on it.


How do organizations defend themselves against encrypted malware traffic?

One of the key ways organizations can guard themselves against encrypted malware traffic is to use Next Generation Firewalls with SSL deep inspection features as well as web filtering.

Deep packet inspection means the firewall scans the content of the encrypted traffic by decrypting it, checking the content of the payload, and then re-encrypting it back before sending it to its intended destination.

This protects company networks from attacks that use SSL as a cover to avoid detection.


How do everyday users defend against encrypted malware traffic?

If you're just an everyday internet user who may not be able to afford such a firewall or keep up with its complex configuration, there are other tactics you can use to protect your information:

1. Google Enhanced Safe Browsing and domain reputation checks: This feature warns you about suspected phishing and other dangerous sites as you visit them so you can take a step back. When you visit a site, Google checks it against its continually updated lists of unsafe sites and warns you.

2. Verify the URL of websites when you visit them: Some attackers may misspell popular domain names – Netflix and Netfilix – to get you to visit the site and click suspicious links.

3. Enable 2FA: This way, even if sites capture your user login credentials or card details, they won’t be able to finish the job without the code sent to your device.

4. Antivirus: Your antivirus is not useless, as it can still perform post-infection scans and remove the virus if it gets into your system.


Your information matters

The main purpose of this article is to inform you of the dangers that threaten your internet privacy and security.

If I could summarise this whole article, I would say 2 things.

--> Never visit HTTP sites. If website owners don't care enough to make their site safe, they don't deserve visitors.

--> Ensure you always visit the correct HTTPS site, enable 2FA, and get a good antivirus tool to protect against HTTPS-encrypted malware traffic.


Stay safe.


If you know any other ways to defend against these modern day HTTPS attacks, feel free to share them in the comments below



Temitope Alo

Business Development and Growth Hacking | Marketing Technology Enthusiast | Specialising in Marketing Automation, Data Analytics, & Tech-Driven Campaigns

3 months

This is very informative, Chisom, and one major point that stood out to me was that "If website owners don't care enough to make their site safe, they don't deserve visitors." Always verify the URL of websites when you visit them. Thanks for sharing

Keh Essien

--cyber security Specialist & Network Engineer.

3 months

I'll keep this in mind
