Introductory security series – How "secure" is the HTTP protocol?

After a period of struggle, I have finally completed the first lesson of the Introductory Security series. This article discusses the "security" of the HTTP protocol.

Lazada's website and ACB Bank's website will serve as the examples. The article is quite long, so take your time reading it.

A quick review of HTTP

HTTP is a protocol for transmitting data (see more here). Today most data on the Internet is transmitted over HTTP; web and mobile applications also call RESTful APIs over HTTP.

However, HTTP has a serious weakness: data is transmitted in plain text, neither encrypted nor otherwise protected. This lets an attacker easily eavesdrop on, steal and modify the data. This kind of attack is called a man-in-the-middle attack, abbreviated MITM.

A man-in-the-middle attack in a nutshell

Imagine you are flirting with a cute, busty, ditzy girl named Linh. To make it more romantic, you don't text her but write her letters instead.

In this picture, you are the client, Linh is the server, and sending letters is the HTTP protocol. Of course, a pretty flower attracts plenty of butterflies: there is a nasty rival looking for a way to sabotage you. Let's call him Hoang.


Hoang can mess with you in the following ways:

1. Sniffing packets to read data on the sly

You drop your letter in the mailbox and wait for it to reach Linh. While the letter is on its way, Hoang intercepts it, opens it and reads every heartfelt word you poured your soul into.

In reality, when you send a username and password over HTTP, an attacker can easily steal them by eavesdropping on the packets in the network. (If you send an 18+ clip, he takes that too.)

2. Modifying packets

Hoang doesn't just steal; he can also alter your letters. You praised Linh as being as beautiful as Maria Ozawa, and he changed it to Happy Polla. Linh replied setting a date at her house for 5 pm, and he changed it to 5:15.

You have no idea the letter was tampered with. When you show up at 5:15 pm, you find Hoang and Linh walking out hand in hand. (Hoang is physically weak; 15 minutes is all he needs, so have some sympathy for him.)

In reality, an attacker can alter the content you receive from the server, changing what is displayed on your computer. Both cases are quite dangerous because you don't know you are being attacked.
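The point of the two scenarios above is that plain HTTP crosses the network as readable bytes, so a defender's first job is to notice when secrets are being submitted that way. The following added example (not from the original article) is a small detection check that a security team could run over request records from a proxy or IDS: it parses raw HTTP/1.x requests, extracts form fields from the query string and the URL-encoded body, and reports credential-like fields sent without TLS. The field names, host name and captured requests are all constructed for the demo.

```python
from urllib.parse import parse_qs, urlsplit

# Form field names that usually carry secrets. This list is an assumption for
# the demo; extend it for the fields your own application uses.
SENSITIVE_FIELDS = {"password", "passwd", "pwd", "card_number", "cvv", "pin"}


def parse_http_request(raw: bytes) -> dict:
    """Split a raw HTTP/1.x request into method, target, headers and body.

    No decryption happens here: over plain HTTP the bytes cross the network
    exactly like this, which is why anyone on the path can parse them.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body.decode("iso-8859-1")}


def sensitive_fields_in_clear(req: dict, scheme: str) -> list:
    """Return the sensitive form fields this request exposes in clear text.

    `scheme` is how the capture point saw the connection: 'http' or 'https'.
    Over TLS the target and body are not visible to an eavesdropper, so
    nothing is reported for 'https'.
    """
    if scheme != "http":
        return []
    fields = {}
    fields.update(parse_qs(urlsplit(req["target"]).query))      # GET forms
    ctype = req["headers"].get("content-type", "")
    if ctype.startswith("application/x-www-form-urlencoded"):    # POST forms
        fields.update(parse_qs(req["body"]))
    return sorted(name for name in fields if name.lower() in SENSITIVE_FIELDS)


def audit_capture(records) -> list:
    """Run the check over (scheme, raw_request) pairs and list the offenders
    as (method, target, exposed_fields) tuples."""
    findings = []
    for scheme, raw in records:
        req = parse_http_request(raw)
        exposed = sensitive_fields_in_clear(req, scheme)
        if exposed:
            findings.append((req["method"], req["target"], exposed))
    return findings


# Constructed sample capture: three requests as a proxy or IDS might log them.
# The host name and credentials are made up for this demo.
SAMPLE_CAPTURE = [
    ("http", b"POST /login HTTP/1.1\r\nHost: shop.example\r\n"
             b"Content-Type: application/x-www-form-urlencoded\r\n"
             b"Content-Length: 29\r\n\r\nusername=bob&password=hunter2"),
    ("https", b"POST /login HTTP/1.1\r\nHost: shop.example\r\n"
              b"Content-Type: application/x-www-form-urlencoded\r\n"
              b"Content-Length: 29\r\n\r\nusername=bob&password=hunter2"),
    ("http", b"GET /search?q=shoes&pin=1234 HTTP/1.1\r\nHost: shop.example\r\n\r\n"),
]

if __name__ == "__main__":
    for method, target, fields in audit_capture(SAMPLE_CAPTURE):
        print(f"{method} {target} sends {', '.join(fields)} in clear text")
```

The same login request appears twice, once over http and once over https, and only the first is reported; the third record shows that a GET form leaks its fields through the URL just as readily as a POST body does.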


This is very basic knowledge that many others have already covered, so I won't go into the technical details. You can learn more about MITM attacks here:

Prevention

Defending against MITM inside a LAN is usually the job of the sysadmin or the security specialist, through system configuration. As developers, the most basic defense we can apply is to use HTTPS for the application by adding an SSL certificate.


Data sent over HTTPS is encrypted, so outsiders can neither read nor modify it. It is like you and Linh writing to each other in teencode: Hoang can open the letter, but he can neither understand it nor alter it.

HTTPS is not absolutely secure, but it is still far more secure than plain HTTP. Within the scope of this article I haven't dug into the security flaws of HTTPS; I would welcome suggestions on that.


In addition, if your site cannot yet support HTTPS, you can offer login via Facebook and Google. Hackers can still steal users' cookies, but at least the users' usernames and passwords are not exposed.

Note

Many websites currently use "fake HTTPS": HTTPS only on the login page and on pages with sensitive data. This approach is still quite dangerous.

A word of warning: for this demo I use Fiddler locally. However, an attacker can do the same things when sharing a LAN or WLAN with you, so be very careful when using free or public wifi.

1. I will take Lazada as the first example of this "fake HTTPS".

The login page of this site uses HTTPS, so I cannot sniff the username and password.


Data transmitted over SSL is encrypted, so it cannot be "read"

However, the other pages of Lazada still use HTTP. When a user visits these pages, I can steal the cookie and use it to log in as that user.


Using Fiddler to read the cookies


Using EditThisCookie to dump the cookies and log in as usual


Back in the day, when Facebook did not yet use HTTPS, we used this same trick to sniff and log into other people's Facebook accounts.
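The Lazada example works because the session cookie issued on the HTTPS login page is later sent along with every plain-HTTP page the site serves. A developer can audit for exactly this condition before an attacker does. The following added example (not Lazada's code nor the article's) parses the Set-Cookie headers a login response returns, applies the browser's path-matching rule, and lists which cookies will travel in clear text to which http:// pages of the site; cookies carrying the Secure attribute are skipped because browsers never send them over plain HTTP. The host name, cookie names and page list are constructed for the demo, and all URLs are assumed to be on the cookie's own host (the Domain attribute is ignored).

```python
from urllib.parse import urlsplit


def parse_set_cookie(header: str) -> dict:
    """Parse one Set-Cookie header value into name, value and attributes.
    Flag attributes (Secure, HttpOnly) map to True; valued ones keep their value."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def path_matches(cookie_path: str, request_path: str) -> bool:
    """RFC 6265 path-match: the cookie is sent when its Path equals the request
    path, or is a prefix of it that ends at a '/' boundary."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False


def cookies_exposed_over_http(set_cookie_headers, page_urls) -> list:
    """List (cookie_name, page_url) pairs where a cookie issued at login will be
    sent in clear text because the site also serves that page over plain HTTP."""
    exposed = []
    for header in set_cookie_headers:
        cookie = parse_set_cookie(header)
        if cookie["attrs"].get("secure") is True:
            continue  # browsers never send a Secure cookie over http://
        cookie_path = cookie["attrs"].get("path")
        if not isinstance(cookie_path, str) or not cookie_path.startswith("/"):
            cookie_path = "/"  # default-path handling simplified to the site root
        for url in page_urls:
            parts = urlsplit(url)
            if parts.scheme == "http" and path_matches(cookie_path, parts.path or "/"):
                exposed.append((cookie["name"], url))
    return exposed


# Constructed sample: what a login response might set, and the pages the site
# serves. Names and values are made up for the demo.
LOGIN_RESPONSE_COOKIES = [
    "sessionid=abc123; Path=/; HttpOnly",           # no Secure flag: leaks on any http page
    "csrftoken=xyz789; Path=/; Secure; HttpOnly",   # Secure: withheld from http://
    "cart=42; Path=/cart",                          # scoped to /cart and below
]
SITE_PAGES = [
    "https://shop.example/login",
    "http://shop.example/",
    "http://shop.example/cart/view",
    "http://shop.example/cartoon",   # '/cart' is not a path-match for this
]

if __name__ == "__main__":
    for name, url in cookies_exposed_over_http(LOGIN_RESPONSE_COOKIES, SITE_PAGES):
        print(f"cookie {name!r} is sent in clear text to {url}")
```

Every (cookie, page) pair the check prints is a cookie an eavesdropper on the same network can read, which is precisely what the Fiddler screenshots above show. The durable fix is the one the article recommends, serving every page over HTTPS; marking session cookies Secure is the belt-and-braces step that makes the list empty even if one http:// page is overlooked.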

2. The second example is the ACB Bank website. This site uses HTTPS for the transaction pages, but the homepage is still HTTP.


The online banking link leads to online.acb.com.vn

I can modify the packet to send users to a phishing site.


This code changes the HTML content the client receives


The link has been swapped without the client noticing

In some cases the site uses HTTPS but still loads images, JavaScript and CSS over HTTP. An attacker can still easily modify the JavaScript and steal cookies as before. That is why Google recommends using HTTPS for all pages and links, rather than leaving it like this.
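Both problems above, an http:// navigation link on the ACB homepage and scripts or stylesheets fetched over HTTP on an HTTPS page, can be found by scanning the page's HTML before it ships. The following added example (not ACB's code nor the article's) walks a page with Python's standard html.parser, resolves every inspected reference against the page URL, and reports those that end up on an http:// scheme, grading them as active content (scripts, stylesheets, frames, which can rewrite the page and read cookies), passive content (images, which can only be swapped) or navigation (links and form targets that carry the user to an unprotected page). Relative and protocol-relative URLs inherit the page's own scheme, so the check also catches the ACB case when it is run against the homepage as served over http://. The sample HTML and host names are constructed for the demo.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Which tag/attribute pairs to inspect and how serious a plain-http value is.
TARGETS = {
    ("script", "src"): "active",
    ("link", "href"): "active",      # only counted for rel="stylesheet"
    ("iframe", "src"): "active",
    ("img", "src"): "passive",
    ("a", "href"): "navigation",
    ("form", "action"): "navigation",
}


class PlainHttpFinder(HTMLParser):
    """Collect every inspected reference that resolves to an http:// URL."""

    def __init__(self, page_url: str):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for (target_tag, attr), kind in TARGETS.items():
            if target_tag != tag or not attrs.get(attr):
                continue
            if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
                continue
            # Relative and protocol-relative ("//cdn/...") URLs inherit the
            # page's scheme, so they are only a problem if the page itself is http.
            absolute = urljoin(self.page_url, attrs[attr])
            if urlsplit(absolute).scheme == "http":
                self.findings.append((kind, tag, absolute))


def find_plain_http(page_url: str, html: str) -> list:
    """Return (kind, tag, absolute_url) for every plain-http reference in `html`,
    in document order."""
    parser = PlainHttpFinder(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page, served over HTTPS, with a mix of good and bad references.
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="http://static.example.com/site.css">
<script src="//cdn.example.com/app.js"></script>
<script src="http://cdn.example.com/tracker.js"></script>
</head><body>
<img src="http://img.example.com/logo.png">
<img src="/images/hero.png">
<a href="http://online.example.com/login">Online banking</a>
<a href="https://online.example.com/help">Help</a>
<form action="http://www.example.com/search"><input name="q"></form>
</body></html>
"""

if __name__ == "__main__":
    for kind, tag, url in find_plain_http("https://www.example.com/", SAMPLE_HTML):
        print(f"{kind:<10} <{tag}> {url}")
```

Fixing the active findings first is the priority: a script loaded over HTTP lets an attacker on the network run code in the origin of the HTTPS page, which is the cookie-theft scenario the article describes. Navigation findings are the ACB pattern, where the page itself may be fine but the link it hands the user is not.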

Conclusion

Chrome is also planning to flag HTTP pages as unsafe to alert users. In upcoming versions you will see "Not secure" in the address bar if a site uses only HTTP.


The two most important takeaways about HTTP from this article:

  • HTTP is neither safe nor secure. Never submit important information (passwords, bank card numbers) over HTTP!
  • Browsing the web over HTTP is like sleeping with a girl without a condom: you may catch something and not even know it!

ITZone via toidicodedao
