People's Newsroom


Naturally, as the Web is a distributed system, it depends on the underlying network infrastructure and the associated communication protocols. Even though the details of HTTP, the de facto communication protocol of the Web, are well encapsulated, it still introduces dependencies and peculiarities that influence the Web's security model in subtle ways. The first effect of using HTTP and the associated HTTP scheme comes from the plaintext nature of the protocol. Without additional protection, all data sent to an origin with the HTTP scheme is unprotected once it leaves the browser, enabling network-based attacks such as eavesdropping or man-in-the-middle attacks. Such attacks can have serious consequences, as user credentials, session identifiers, and personal information are often transmitted from the browser to the server. In response to this insecure practice, HTTPS was introduced, which essentially means running the HTTP protocol over a channel secured by Transport Layer Security (TLS), the successor of Secure Sockets Layer (SSL). Such a channel offers authentication of the server (and optionally of the client), confidentiality, and data integrity on the transport level, thereby preventing passive and active network-level attacks, provided the browser correctly validates the server's certificate.

Even though a TLS connection is established at the transport level, its effects influence several important Web concepts, such as the Secure flag for cookies, which instructs the browser to send a cookie only over HTTPS. A common deployment scenario of HTTPS is to offer the application's main content over HTTP but to switch to HTTPS for submitting sensitive information, such as authentication credentials or payment information. Often, the application reverts to HTTP once the sensitive information has been submitted, generally sharing the same session for both the HTTP and the HTTPS traffic. Since the session cookie then travels with every plaintext request, such a deployment exposes it to network attackers, leading to attacks such as session hijacking.
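The following is an added example, not code from the original article. It models the rule a browser applies when deciding whether to attach a cookie to a request (the Secure attribute from RFC 6265) and runs the mixed HTTP/HTTPS deployment described above through that model, once with a session cookie that lacks the Secure flag and once with it set. The hostname `shop.example`, the cookie name and its value are made up for the example.

```javascript
// Added example, not code from the original article. Models the browser's
// cookie-attachment rule and shows what the Secure flag changes in a site
// that serves HTTPS for login but HTTP for everything else. Hostnames and
// cookie values are made up.

// Parse a Set-Cookie header value into a cookie record.
function parseSetCookie(header) {
  const [nameValue, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = nameValue.indexOf("=");
  const cookie = {
    name: nameValue.slice(0, eq),
    value: nameValue.slice(eq + 1),
    secure: false,
    httpOnly: false,
  };
  for (const attr of attrs) {
    const key = attr.toLowerCase();
    if (key === "secure") cookie.secure = true;
    else if (key === "httponly") cookie.httpOnly = true;
  }
  return cookie;
}

// Cookies the browser attaches to a request for `url`. The relevant rule
// (RFC 6265, section 5.4): a cookie carrying the Secure attribute is only
// sent when the request uses a secure scheme, i.e. https.
function cookiesForRequest(jar, url) {
  const secureRequest = new URL(url).protocol === "https:";
  return jar.filter((c) => secureRequest || !c.secure);
}

// Simulate the deployment from the text: log in over HTTPS, receive a
// session cookie, then continue browsing the same site over plaintext HTTP.
function simulateSession(setCookieHeader) {
  const jar = [parseSetCookie(setCookieHeader)];
  const names = (url) => cookiesForRequest(jar, url).map((c) => c.name);
  return {
    httpsAccountPage: names("https://shop.example/account"),
    httpCatalogPage: names("http://shop.example/catalog"),
  };
}

// Weak deployment: session cookie without Secure. It travels with the
// plaintext catalog request, where a network attacker can read and replay it.
const weak = simulateSession("SESSIONID=c0ffee; Path=/; HttpOnly");

// Hardened deployment: with Secure set, the cookie never leaves the browser
// over HTTP. The HTTP catalog page then has no session at all, which is the
// point: once the session cookie is Secure, the whole site has to be HTTPS.
const hardened = simulateSession("SESSIONID=c0ffee; Path=/; HttpOnly; Secure");
```

In practice the Secure flag is paired with serving the entire site over HTTPS and sending a `Strict-Transport-Security` header, so that the browser itself upgrades any remaining `http://` links instead of issuing a plaintext request that would carry no session.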

A second example of how HTTP and HTTPS are difficult to combine is known as mixed content. Such a scenario occurs when a page is loaded over a secure HTTPS connection, which effectively prevents in-transit tampering on the network, but subsequently loads additional resources, such as JavaScript files, over a plaintext HTTP connection. Since these resources can be tampered with at the network level, an attacker can inject code into the application's execution context, allowing him to take control of the application running in the user's browser. Modern browsers therefore refuse to load such active mixed content (scripts, stylesheets, frames) by default, but the underlying problem remains for any resource that is still allowed to load, and a page that relies on the browser's blocking is simply a broken page.
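As an added example (not code from the original article), the scanner below reports mixed content in an HTTPS page, distinguishing the "blockable" loads that can execute code (scripts, stylesheets, frames, plugins) from "optionally blockable" media, and includes a transform that rewrites `http:` subresource URLs to `https:` in the way the CSP directive `upgrade-insecure-requests` does at fetch time. The HTML snippet and the hostnames `shop.example`, `cdn.example` and `img.example` are constructed for this example.

```javascript
// Added example, not code from the original article: a mixed-content scanner
// for an HTTPS page plus an "upgrade" transform that mirrors what the CSP
// directive upgrade-insecure-requests does in the browser. The HTML and the
// hostnames are constructed for this example.

// Tags that load subresources, the attribute holding the URL, and the
// category browsers assign to an http: load inside an https: page. Scripts,
// stylesheets, frames and plugins can run code, so they are "blockable";
// media is "optionally-blockable".
const LOADERS = {
  script: { attr: "src", kind: "blockable" },
  iframe: { attr: "src", kind: "blockable" },
  object: { attr: "data", kind: "blockable" },
  link: { attr: "href", kind: "blockable" }, // only counted when rel="stylesheet"
  img: { attr: "src", kind: "optionally-blockable" },
  audio: { attr: "src", kind: "optionally-blockable" },
  video: { attr: "src", kind: "optionally-blockable" },
};

// Good-enough tag matching for constructed input; a real scanner would use
// an HTML parser rather than a regular expression.
const TAG_RE = /<(script|iframe|object|link|img|audio|video)\b([^>]*)>/gi;

function attrValue(attrs, name) {
  const m = new RegExp(`\\b${name}\\s*=\\s*["']([^"']*)["']`, "i").exec(attrs);
  return m ? m[1] : null;
}

// Return every subresource of `html` that would be fetched over plaintext
// when the page itself was served from `pageUrl`.
function findMixedContent(pageUrl, html) {
  const page = new URL(pageUrl);
  if (page.protocol !== "https:") return []; // mixed content only exists on secure pages
  const findings = [];
  for (const [, rawTag, attrs] of html.matchAll(TAG_RE)) {
    const tag = rawTag.toLowerCase();
    const loader = LOADERS[tag];
    if (tag === "link" && !/\bstylesheet\b/i.test(attrValue(attrs, "rel") || "")) continue;
    const raw = attrValue(attrs, loader.attr);
    if (raw === null) continue;
    // Relative and protocol-relative (//host/path) URLs inherit the page's
    // scheme, so only absolute http: URLs count as mixed content.
    const target = new URL(raw, page);
    if (target.protocol === "http:") findings.push({ tag, url: target.href, kind: loader.kind });
  }
  return findings;
}

// Rewrite http: subresource URLs to https:, as upgrade-insecure-requests does
// at fetch time. This only helps when the referenced hosts actually serve HTTPS.
function upgradeInsecureRequests(html) {
  return html.replace(TAG_RE, (match, tag, attrs) =>
    `<${tag}${attrs.replace(/(\b(?:src|href|data)\s*=\s*["'])http:\/\//gi, "$1https://")}>`);
}

// Constructed sample page: one insecure stylesheet, one insecure script, one
// insecure image; the other loads inherit the https: scheme and are fine.
const PAGE_URL = "https://shop.example/";
const SAMPLE_HTML = `
<html><head>
<link rel="stylesheet" href="http://cdn.example/site.css">
<script src="https://cdn.example/app.js"></script>
<script src="http://cdn.example/analytics.js"></script>
</head><body>
<img src="http://img.example/logo.png">
<img src="//img.example/hero.png">
<iframe src="/help"></iframe>
</body></html>`;

const report = findMixedContent(PAGE_URL, SAMPLE_HTML);
```

Running `findMixedContent` on the sample reports the stylesheet and the analytics script as blockable and the logo as optionally blockable; the protocol-relative image and the relative frame resolve to `https:` and are not mixed content. Serving `Content-Security-Policy: upgrade-insecure-requests` (or `block-all-mixed-content`) gives the same result in the browser, but neither replaces fixing the references at the source, since an upgraded URL still fails if the host does not speak HTTPS.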
