Just a quick thought for a Friday afternoon. For a while I did informal questionnaires to friends and family and people in general who aren’t hardcore security people about what they type in when they’re going to their bank. The following are the kinds of answers I’d get:
- “I type in www.bank.com.”
- “I type ‘bank’ and hit ctrl-enter”
- “I type in http://www.bank.com”
- “I type in bank.com and hit enter”
But almost never (twice out of dozens of people) I’d hear someone say, “I type in https://www.bank.com” with the “s”. So let’s just for a second think about all the problems with these. Let’s take “bank.com” as an example.
- User types bank.com, which, depending on the browser, is sent over the wire via HTTP as they type, for auto-complete
- The browser corrects the URL to be http://bank.com/ and makes a DNS request for “bank.com”
- The DNS server responds with an IP address
- The user makes a request to bank.com’s IP address over HTTP
- bank.com responds in unencrypted HTTP to the user’s browser and informs them that they should be speaking with www.bank.com, and redirects them there via a 301 or 302 redirect
- User’s browser makes another DNS request for www.bank.com
- DNS server responds with www.bank.com’s IP address
- Browser makes an HTTP connection to www.bank.com
- www.bank.com realizes that the user is connecting via HTTP and uses another redirect to send the user to https://www.bank.com (or often has a link on the page asking the user to click it to log in, which will take the user to HTTPS)
- User’s browser re-connects to port 443 and begins negotiating - and at this point is encrypted (hopefully using strong crypto and there are no other issues…)
There are a lot of places there that an attacker can get in the middle and mess things up. And sadly, this isn’t even close to everything wrong in real life. So while HTTPS is a good idea, in practice how people tend to get there is pretty flawed. The promise of STS, HTTPS everywhere and some of the settings within NoScript and so on… was to take that out of the user’s hands. Not that these aren’t all good ideas, but there are usability issues, and they require that the user be somewhat informed of the issues in most cases - which they don’t tend to be.
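The sequence above can be checked mechanically for any site you operate. The following is an added example, not code from the original post: it walks a recorded redirect chain and reports which requests, redirects and DNS names were exposed before the first HTTPS hop, and whether the STS header arrived over HTTPS (browsers ignore it over plain HTTP). The function name `audit_chain`, the report keys and the sample chain are assumptions constructed for illustration.

```python
from urllib.parse import urljoin, urlsplit

# Constructed sample: the hops the post describes for a user typing "bank.com".
# Each hop is (requested URL, status code, response headers).
SAMPLE_CHAIN = [
    ("http://bank.com/", 301, {"Location": "http://www.bank.com/"}),
    ("http://www.bank.com/", 302, {"Location": "https://www.bank.com/"}),
    ("https://www.bank.com/", 200,
     {"Strict-Transport-Security": "max-age=31536000"}),
]

REDIRECTS = (301, 302, 303, 307, 308)


def audit_chain(chain):
    """Report what a recorded redirect chain exposed before reaching HTTPS."""
    report = {
        "dns_lookups": [],          # hostnames resolved, in order
        "cleartext_requests": [],   # URLs fetched over plain HTTP
        "cleartext_redirects": [],  # (from, to) pairs an on-path party could rewrite
        "first_https": None,        # first URL fetched over TLS
        "sts_on_https": False,      # STS only counts when delivered over HTTPS
    }
    for url, status, headers in chain:
        headers = {k.lower(): v for k, v in headers.items()}
        parts = urlsplit(url)
        secure = parts.scheme == "https"
        if parts.hostname not in report["dns_lookups"]:
            report["dns_lookups"].append(parts.hostname)
        if not secure:
            report["cleartext_requests"].append(url)
        elif report["first_https"] is None:
            report["first_https"] = url
        if secure and "strict-transport-security" in headers:
            report["sts_on_https"] = True
        location = headers.get("location")
        if not secure and status in REDIRECTS and location:
            # The redirect target itself travelled unprotected.
            report["cleartext_redirects"].append((url, urljoin(url, location)))
    return report


if __name__ == "__main__":
    for key, value in audit_chain(SAMPLE_CHAIN).items():
        print(f"{key}: {value}")
```

A chain with an empty `cleartext_requests` list is what STS preloading or a user typing the full `https://` URL would produce.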