Two misconceptions about HTTPS

17 Aug

Although HTTPS is the default protocol to secure websites and web services, it seems that it is often badly understood. These are two points which often crop up in forums.

Using a self-signed certificate for production.

People often ask how to disable the certificate checks on iOS or Android in order to use self-signed certificates. By using a self-signed certificate you keep the encryption, but you lose the ability to check whether the server you are talking to is the same as the one who owns the certificate. In other words, your client doesn't know for sure who it is talking to. This makes it susceptible to a man-in-the-middle attack, which allows a third party to read all traffic unencrypted.
One way to do this would be by tricking the client into connecting to a different server with a different self-signed certificate using the same domain name. This is possible because anyone can make a self-signed certificate with your domain name. The DNS entry can be faked locally so the client obtains a different IP address when querying the domain name.
The fake server would work as a proxy towards the real server. The client thinks it is talking to the real server, and the server thinks it is talking to a genuine client. But the proxy will have access to all the traffic unencrypted.
A real SSL certificate would not have allowed this. The client would never connect to the proxy, because the proxy's self-signed certificate has no certificate chain leading to a trusted certificate authority, and thus no proof of identity.
When securing something, it is often all or nothing. Buying a lock for your door does nothing to prevent people from entering through an unprotected window.
You can get an SSL certificate for less than $10. Security should be at least worth $10.
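
As an added illustration (not code from the original post), this Python example uses the standard ssl module to show what "disabling the certificate checks" changes on the client side, next to the default behaviour, with a small audit helper that flags such a context. The function names insecure_context, audit and refuses_cert_none_with_hostname_check are made up for this example.

```python
import ssl

def insecure_context():
    """The 'disable certificate checks' setup: encryption without identity."""
    ctx = ssl.create_default_context()
    # check_hostname must be switched off first; the ssl module refuses
    # CERT_NONE while hostname checking is still enabled.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

def audit(ctx):
    """Return the identity checks a client SSLContext skips (empty = OK)."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("chain not verified: any self-signed certificate is accepted")
    if not ctx.check_hostname:
        findings.append("hostname not checked: a certificate for another name is accepted")
    return findings

def refuses_cert_none_with_hostname_check():
    """True if the ssl module blocks CERT_NONE while check_hostname is on."""
    ctx = ssl.create_default_context()
    try:
        ctx.verify_mode = ssl.CERT_NONE
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    # Compare the default client context with the "checks disabled" one.
    for name, ctx in [("default", ssl.create_default_context()),
                      ("checks disabled", insecure_context())]:
        print(name, "->", audit(ctx) or "chain and hostname verified")
```

Running audit over the contexts your client code builds is a quick way to find places where verification was turned off during development and never turned back on.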

Is the query string encrypted on HTTPS?

Sometimes people are advised to use a POST instead of a GET because of the claim that the query string would be sent unencrypted. This is of course a false statement. Since the query string and the HTTP headers are part of the HTTP payload, they are sent encrypted over the SSL connection. There is no reason to use a POST when the query string of a GET would be more appropriate; both are encrypted.
The only things you leak when using HTTPS are the DNS lookup, in case the address is not cached yet, and the IP address and port of the destination.

