Simply turning on HTTPS does not secure your web application

The privacy scares and increase in hacking attacks over the last few years have significantly improved HTTPS adoption. Between the need to show users that the application is secure and the need to comply with standards such as PCI-DSS, HTTPS adoption has pretty much broken the roof. In addition, Google's move to list sites using HTTPS higher on search results and the availability of easy to use tools to enable HTTPS has also helped.

This increase in HTTPS enabled sites is a very good sign for Internet security. Web traffic can no longer be sniffed to find out exactly what is being transacted – usernames and passwords are encrypted, as are the various actions of the users of the sites. Users can check the site’s certificate to ensure that it is valid, and browsers now warn users of security problems when connecting to the sites. Unfortunately, in the rush to enable HTTPS on their websites, organizations have bought into some misconceptions – and one has been brought to light over the last few weeks.

Troy Hunt, a well-known security expert, published a blog post where he called out two online retailers for leaking sensitive user data. One of the retailers had enabled a special “feature” on their website. If an email address was submitted at checkout, while not logged in, the website still presented all the shipping details related to that account. Theoretically, this meant that anyone could submit any email address, and if it existed on the website, all the shipping information (including mobile numbers) would be displayed!

When contacted regarding this issue, the e-retailer responded –

The last statement – data encrypted SSL cannot be intercepted by anyone – is largely true. But that is only when that person is eavesdropping on the connection between the user and the server. If that someone were to simply connect to the site with a web browser, and type in a valid email address, the details can be harvested with little trouble. In fact, it is much easier for them to just find the email address of the victim and use it to collect all the data they need!

The privacy implications of this “feature” are quite scary. It leaks user’s data very simply, without any “hacking”. Setting that aside, the misconception that turning on HTTPS alone protects the site and its users is even scarier. HTTPS only secures against eavesdropping by encrypting the traffic. It cannot protect against misconfigurations of this type. The feature may make the site easier to use, but that should have been balanced against the privacy implications and authentication should have been enabled.

User privacy implications aside, the website should have also looked at other business-impacting possibilities. A competitor could have automatically run a list of email addresses against the site, scraped all the user data, and used it for an advertising campaign. Further, the site could have broken privacy laws in their jurisdiction, leaving them open to legal action.

HTTPS adoption is a requirement for all websites and applications on the Internet today. In a time where the conversation on user privacy and data theft is front and center, it allows websites to provide easy security against many attacks and secures their users with ease. However, it is not a panacea for all types of attacks. Web application owners and users should educate themselves on the basics of web security and ensure that they are protected always.

Securing your web application need not be difficult. The Barracuda Web Application Firewall exists to secure your web applications easily and provide you with peace of mind. Once you deploy the Barracuda Web Application Firewall in front of your web application, it is trivially easy to setup a HTTPS front end and enable complete application security. The Barracuda Web Application Firewall provides complete security against all web attacks, including DDoS and Web Scraping. We offer several deployment options, including physical and virtual appliances, and Azure, AWS, and vCloud Air. Try it in your environment for 30 days, risk-free.

Earlier this year we announced the release of the Barracuda Vulnerability Manager. This is a tool that is used to assess vulnerabilities in websites and applications, and is easily integrated with the Barracuda Web Application Firewall. It is available to Barracuda customers and authorized resellers at no cost for a limited time. Try it today via Barracuda Cloud Control.

---

Tushar Richabadas is a Product Manager for the Barracuda Web Application Firewall team in our India office. You can connect with him on LinkedIn here.