HTTPS is everywhere you look. Most social media sites use it, YouTube uses it, it’s a basic protocol for secure email, and any website that takes a credit card uses it as a bare minimum. And unfortunately, researchers have just breached it in a method so simple that any idiot can do it.
What Is HTTPS?
HTTPS is short for Hyper-Text Transfer Protocol over TLS. The first part, HTTP, is the “language” computers speak to each other to trade information and pop up websites. TLS is “Transport Layer Security,” which creates an encrypted channel between two computers so they can communicate with a minimum of problems. The computers trade cryptographic keys to communicate, and without the key, you can’t read what they’re saying.
HTTPS is largely used to prevent “man-in-the-middle” hacks. As the name implies, the idea behind the hack is that instead of being connected to the computer you’re looking for, say, Facebook’s servers, instead you’re connected to a hacker’s computer and then to Facebook. Done correctly, you’d never know, and anything punched into your computer would be visible. It also helps to prevent tampering with communications and forgery and offers general privacy protections, at least from hackers.
HTTPS is far from perfect. Unless every page of a site you visit is encrypted, it’s vulnerable, and even then HTTPS can be hijacked or intercepted. So the new breach, called HEIST, is particularly worrying.
What Is HEIST?
HEIST, a technique developed by researchers at the University of Leuven, exploits the deep bones of the internet, the transmission control protocol. That is, more or less, how the internet decides to send messages. The researchers noticed that if a hacker monitors how TCP is used on a website, by uploading a simple Javascript code on a page, they can make an educated guess as to which messages it’s sending to “secure” pages. From there, they can use the compression exploits to crack open the traffic. Most website visitors likely wouldn’t even notice what was happening. But if you went to an unsecured site and then to one where you punched in your Social Security number, a hacker could easily figure that out and start taking out credit cards in your name.
The big issue here is that there doesn’t have to be a man in the middle, thus dodging the method HTTPS uses to stop attacks in the first place. This opens up everything from passwords to your personal accounts to your credit card numbers to any other personal data you might happen to share while you’re online. So what can you do to stop it?
How Can You Protect Yourself?
Protecting yourself online is fairly straightforward, fortunately. The researchers have noted that if you disable little pieces of code websites deposit on your browser, called cookies, it defangs any compression attacks. Hackers might still be able to guess which secure pages you’re visiting, but they won’t be able to get around your security. Granted, disabling cookies will mean that some sites won’t work, and others will only work in part, but it’s an easy thing to do, whether you’re on Chrome, Firefox, Safari or Edge. The researchers have also privately briefed Microsoft and Google about the issue, so their security techs are hard at work fixing it.
Beyond that, it’s best to go with your common sense when online. These are technically complex attacks largely only capable of being executed by advanced criminals; your average Eastern Bloc credit-card thief is more likely to just keep sending out emails claiming to be from Bank of America. Before doing banking or online shopping, shut down your browser and open a new window. If a site looks fishy, don’t buy anything from it. And if something seems like it’s wrong, it’s better to back away and come back later.