How secure is the HTTP protocol?

After a hard time, I also completed the first lesson in the introductory security series. This article will discuss the “security” of the HTTP protocol.

The website of Lazada (e-Commerce) and ACB Bank ( Banking) in VietNam will be pulled as an example. Because the article is quite long, please slowly read it.

Review on HTTP

HTTP is a protocol used to transmit data (See more here). Currently, most of the data on the Internet is sent via HTTP. Web or mobile applications also call the Restful API over HTTP.

However, the downside of HTTP is that data is transmitted in plain text, not encrypted or secure. This makes it easier for hackers to eavesdrop on, steal, and edit data. They call this type of attack Man-in-the-middle attack, abbreviated MITM.

Man-in-the-middle attack overview

Imagine you are flirting with a cute girl with cute big tits face named A. To increase the romance, you do not use text but directly write to her.

At this time, you are a client, A is a server, sending mail is the HTTP protocol. Naturally, beautiful flowers are very bu. There is an ugly, nasty hacker who tries to disrupt you, let’s call this guy B.

B can harass you in the following ways:

1. Sniff packet to read data

You eagerly put the letter into the mailbox, waiting for the message to A. The news was on its way, Hoang caught it, opened the letter to see, knew all the inconsolable sentiments that he exhausted his heart to write.

When you send a username and password via HTTP, hackers can easily steal this username and password by sneaking packets on the network. (You sent the 18+ clip, it also took it).

2. Modify the packet

Not only can eavesdropping, but B can also correct your mail. You praise A as beautiful as Maria Ozawa; then, it changes to Happy Polla. A reply back, the appointment you go to the hotel at 5 am then it turns to 5:15.

You still do not know the message has been fraudulently exchanged anything. By the time I finished reading, at 5:15 am going to the motel, I saw the flag guy and Linh hand in hand. (He has weak physiology, so 15p is complete, you should sympathize with it.)

A hacker can change the content you receive from the server, altering the information displayed on your computer. Both cases are quite dangerous because you do not know you were attacked.

Prevention

Anti-MITM solutions on LANs are usually taken care of by SysAdmin or security professionals, through system setup. As a developer, the most basic defense we can do is to use the HTTPS protocol for the application by adding an SSL Certificate.

Data communicated over HTTPS is encrypted so that outsiders cannot read it or edit it. This is similar to the way you and A write each other with teen code, the other guy who has eavesdropped on the mail doesn’t understand or edit the letter.

While the security of HTTPS is not absolute, it is still much higher than pure HTTP. Within the scope of this article, I do not learn more about the security flaws of HTTPS, hope the pro to comment.

Also, if your website does not have https integration, you can integrate the login function through Facebook, Google. While hackers can still steal a user’s cookies, they are not exposed at least by the username and password.

Note
Currently, many websites still use “fake https” — only use https at login pages and pages with sensitive data. This approach still exists quite a lot of danger.

Warning: Currently, I use Fiddler to demo locally. However, hackers can do this by sharing LAN / WLAN with you. Therefore, be very careful when using public wifi/temple wifi.

  1. I will use Lazada as an example of this “fake.”
    The login part of this page uses https, so I can’t sniff the username and password.
Data transmitted via SSL is encrypted so it cannot be “eavesdropped.”

However, other Lazada sites still use HTTP. When users visit these sites, they can steal cookies, use this cookie to log infrequently.

Use Fiddler to eavesdrop on cookies, use EditThisCookie to dump cookies, and log in as usual.

In the past, when Facebook didn’t use https, we used this method to sniff and log into other people’s Facebook accounts.

2. This time, I will take the ACB Bank website as an example. This page uses HTTPS for the transaction page, but the homepage is still HTTP.

Link online banking leads to online.acb.com.vn.

I can edit the packet to direct users to the phishing site.

This code changes the HTML content that the client receives the link has been exchanged without the client knowing.

In some other cases, the site uses HTTPS but still downloads images, javascript, CSS via HTTP. Hackers can even quickly fix javascript content and steal cookies as usual. Therefore, Google recommends using https for all pages and links, not to be fake.

Conclusion

Chrome is currently planning to market HTTP pages as unsafe to alert users. In later versions, you will see the word “Not secure” in the address bar if the site only uses HTTP.

The two most important things about HTTP come from the article:

  • HTTP is not secure or secure. Never submit important information (passwords, bank card numbers) via HTTP!
  • Using HTTP to browse the web is the same as f* girl without a condom. Sometimes dead patients always do not know!

Always be nice to anybody who has access to my toothbrush.

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store