The title of this post is a question sent to XSS by a reader after this blog covered the removal of Superfish two weeks ago.
Other readers sent in questions on the same topic, SSL connections and Man-in-the-Middle attacks, all hinging on the same premise: how can the average person – someone who isn't technical – tell if their connection has been altered?
Unless you're familiar with the topic and the technology involved, SSL / TLS is a complex subject that's hard to explain. The basic thing you need to remember is that SSL / TLS is what turns HTTP into HTTPS in the browser's address bar.
In order to keep things simple, this post will describe the difference between HTTP and HTTPS connections, as well as what it means to you as you're browsing the Web. After that, we're going to talk about things that can impact HTTPS (e.g. Man-in-the-Middle attacks), and how in some cases you can visually detect potential problems. We'll deal with each topic on a separate page.
What is HTTP?
HTTP, or Hypertext Transfer Protocol, describes the basic level of connection you use when you visit a website. For example, right now you're reading XSS on an HTTP connection.
HTTP connections are insecure because data is transmitted in the clear. Anyone monitoring your connection can see anything you send to a given website, as well as anything that website sends you.
Specifically, if you submit a letter via a contact form on a website using HTTP, someone monitoring your connection can read the letter as well. And again, the reverse is also true. This is why most security experts and privacy advocates push for HTTPS. The S, in this case, stands for secure.
What is HTTPS?
HTTPS (Hypertext Transfer Protocol Secure) is a step up from HTTP.
It's a secure connection between your browser and a website on the Internet. In this case, if you were using HTTPS, then the letter you sent in the previous example should be protected – preventing the person monitoring your connection from viewing it. Likewise, HTTPS will also prevent them from seeing data that the website sends you.
However, HTTPS isn't perfect, and there are ways to get around it. This is what happened with Superfish; Lenovo's pre-installed software created a way for someone to bypass the protections offered by HTTPS – something that should never happen.
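One concrete way to answer the reader's question of whether a connection has been altered is to look at who issued the certificate the site presents and compare it with what you expect. The script below is an added example written for this post, not code from the original article or from any of the vendors mentioned. It works on the dictionary that Python's `ssl` module returns for a peer certificate; the two sample certificates, the site name `www.example-bank.test`, the issuer names, and the helper names `check_cert`, `hostname_matches`, and `fetch_peer_cert` are all constructed for illustration.

```python
import socket
import ssl
import time

# Constructed sample certificates in the dict format that
# ssl.SSLSocket.getpeercert() returns. Names are hypothetical.
NORMAL_CERT = {
    "subject": ((("commonName", "www.example-bank.test"),),),
    "issuer": (
        (("countryName", "US"),),
        (("organizationName", "Example Public CA"),),
        (("commonName", "Example Public CA R1"),),
    ),
    "subjectAltName": (("DNS", "www.example-bank.test"), ("DNS", "example-bank.test")),
    "notBefore": "Jan  5 00:00:00 2024 GMT",
    "notAfter": "Jan  5 00:00:00 2099 GMT",
}

# Same site name, but signed by a locally installed root instead of the
# public CA the site normally uses (constructed stand-in for an interception root).
INTERCEPTED_CERT = {
    "subject": ((("commonName", "www.example-bank.test"),),),
    "issuer": ((("commonName", "Local Interception Root (constructed)"),),),
    "subjectAltName": (("DNS", "www.example-bank.test"),),
    "notBefore": "Jan  5 00:00:00 2024 GMT",
    "notAfter": "Jan  5 00:00:00 2099 GMT",
}


def flatten_name(rdns):
    """Turn getpeercert()'s nested tuples into a flat {attribute: value} dict."""
    return {attr: value for rdn in rdns for attr, value in rdn}


def hostname_matches(cert, hostname):
    """Check the hostname against the DNS SANs (single-label wildcard only)."""
    host = hostname.lower()
    for kind, name in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        name = name.lower()
        if name == host:
            return True
        if name.startswith("*.") and host.count(".") == name.count(".") and host.endswith(name[1:]):
            return True
    return False


def check_cert(cert, hostname, expected_issuer=None, now=None):
    """Return human-readable warnings; an empty list means nothing looked off."""
    now = time.time() if now is None else now
    issuer = flatten_name(cert["issuer"])
    subject = flatten_name(cert["subject"])
    warnings = []
    if not hostname_matches(cert, hostname):
        warnings.append(f"certificate is not issued for {hostname}")
    if issuer == subject:
        warnings.append("certificate is self-signed")
    if now < ssl.cert_time_to_seconds(cert["notBefore"]) or now > ssl.cert_time_to_seconds(cert["notAfter"]):
        warnings.append("certificate is outside its validity period")
    # Trust-on-first-use style check: the issuer you saw last time should not change silently.
    if expected_issuer is not None and issuer.get("commonName") != expected_issuer:
        warnings.append(
            f"issuer changed: expected {expected_issuer!r}, got {issuer.get('commonName')!r}"
        )
    return warnings


def fetch_peer_cert(host, port=443, timeout=5):
    """Fetch the leaf certificate a live server presents (needs network; not used by the samples)."""
    context = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    host = "www.example-bank.test"
    for label, cert in (("normal", NORMAL_CERT), ("intercepted", INTERCEPTED_CERT)):
        print(label, check_cert(cert, host, expected_issuer="Example Public CA R1") or ["looks normal"])
```

The point of the issuer comparison is that a default TLS context trusts whatever roots the operating system trusts. Software that installs its own root, as Superfish did, therefore passes ordinary certificate verification, so the one thing that still gives it away is that the issuer of the certificate you receive is not the public CA you expected for that site.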
Can you give me a different example of how HTTP and HTTPS work?
Sure. Imagine you're standing in your bank's lobby and want to discuss your account.
In order for this to happen, you need to prove your identity to the teller, which first requires you to give them your name, account number, and a phrase that proves you're who you say you are. Let's say this phrase is "pink puppies" and let's call it a password.
With HTTP, you simply stand in the lobby and, on a slip of paper, write down your name, followed by your account number, the phrase pink puppies, and a set of instructions for the teller.
At this point, you pass the paper to the person ahead of you, who will in turn pass it to the person in front of them, until it eventually reaches the teller – six people away.
This method of authorization and communication with the teller accomplishes your goal of conducting business at the bank, but now the other people in the lobby – including Criminal Bobby – know how to access your account. Later, they can pretend to be you if they wanted. This is something people generally wish to avoid when it comes to financial matters.
With HTTPS, you'd essentially do the same thing.
However, this time the slip of paper is covered with a layer of random text and words that only the teller can remove. As you pass the slip forward, everyone can see the paper, everyone knows what it contains and what it represents, but no one – including Criminal Bobby – can read it. The only person who can access the data on the paper is the teller.
This is an overly simple explanation of HTTP vs. HTTPS, but that's how it works in a nutshell.
Note: To be fair, in real-world settings, a true Man-in-the-Middle attack means that any one of the six people in line could have injected their own content into the note during the transaction. As the note returns to you, someone along the line could make changes as well, altering the teller's response, which is exactly what happened to consumers impacted by Superfish.
Next, we'll explore the concept of Man-in-the-Middle attacks.