So you think HTTPS is Safe? – TotalDefense Blog
Copyright © 2013 TotalDefense, Inc. | All rights reserved www.totaldefense.com Page 1

So you think HTTPS is safe?

After all the recent security scandals, I think it’s time to explain how the most common security mechanism on the network works.

It was 11:23pm, my wife was checking the latest merchandise on yet another online shopping site, when suddenly I heard her voice: “Hey, this one has no HTTPS!”

She knows better than to order from non-secure sites. But then again, what if it had HTTPS? Is it safe?

First things first: what is HTTPS?


HTTPS is the HTTP protocol run over SSL (short for Secure Sockets Layer). Until a few years ago, HTTPS was common mainly in enterprises and other "boring" sites. Things have changed, and more and more sites use HTTPS as their default protocol: Google, Twitter, Facebook and more.

There are several reasons why this change is happening:

One. HTTPS is "compatible" with HTTP and (in theory) does not require code changes to switch to it.

Two. Hardware has become more powerful, and the overhead of working over HTTPS is no longer significant.


Three. Growing awareness of privacy and network security.

After the NSA's surveillance was exposed, the internet organization proposed encrypting all network traffic with HTTPS.

Google and some other large companies began replacing the asymmetric encryption keys of their HTTPS certificates, moving from 512-bit/1024-bit to 2048-bit keys. Some of these technology companies, which had previously collaborated with the NSA in revealing user information, are now trying to show a change of policy towards the authorities and for the benefit of users.

Is the SSL protocol completely secure? No.

For example, U.S. law (like the laws of other governments) restricts the size of the keys that can be used for encryption. A larger key is more difficult to break. It is believed that the U.S. government adjusts the law so that individuals and companies can defend themselves against other civilians and companies, but not against the supercomputers of the NSA or the FBI. Currently, the law in the United States (to my knowledge) limits symmetric encryption keys to 256 bits and asymmetric keys to 2048 bits. Could the large computing enterprises (Amazon, Google, Microsoft, as well as smaller organizations) break such encryption in a reasonable time? Almost certainly they could.

Could HTTPS be broken in a generic way? Probably yes, although it has not happened yet.

On top of that, there are also bugs in the SSL protocol itself. Recent well-known attacks based on these bugs are called ‘BEAST’ and ‘CRIME’, and to this day a large share of Internet users is still exposed to them, because many web servers are not updated and still run older versions of SSL. On the other hand, these attacks are quite complex to carry out. Still, that does not mean I would not prefer that my e-mail provider and the web services that handle my money work with the latest security protocol versions…
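The conditions the post describes (an old SSL/TLS version with a CBC cipher for BEAST, TLS-level compression for CRIME, and certificate keys shorter than the 2048 bits mentioned above) can be checked on a negotiated session. The following is an added example, not code from the post or from TotalDefense; the session records it runs on are constructed, and the `probe` helper needs network access (modern Python refuses SSLv3/TLS 1.0 handshakes outright, which is the safe outcome).

```python
"""Flag the TLS weaknesses named in the post on one observed session."""
import socket
import ssl

# Versions the post calls "older versions of SSL"; BEAST applies to CBC
# suites under these, and TLS 1.1+ fixed the IV handling it relies on.
OLD_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1"}
MIN_RSA_BITS = 2048  # the key size the post reports large sites moving to


def assess_tls(protocol, cipher_name, compression, rsa_bits=None):
    """Return a list of findings for one session.

    protocol    -- e.g. "TLSv1" or "TLSv1.2", as ssl.SSLSocket.version() reports
    cipher_name -- OpenSSL suite name, e.g. "AES128-SHA", from .cipher()[0]
    compression -- method name or None, as ssl.SSLSocket.compression() reports
    rsa_bits    -- RSA modulus size of the server certificate, if the caller
                   parsed it (assumed to come from an external parser)
    """
    findings = []
    # Stream (RC4) and AEAD (GCM/CCM/ChaCha20) suites are not CBC, so they
    # are outside BEAST's scope; everything else in OpenSSL naming is CBC.
    is_cbc = not any(t in cipher_name for t in ("GCM", "CCM", "CHACHA20", "RC4"))
    if protocol in OLD_PROTOCOLS and is_cbc:
        findings.append("BEAST: CBC cipher %s under %s" % (cipher_name, protocol))
    if compression is not None:
        findings.append("CRIME: TLS compression enabled (%s)" % compression)
    if protocol in OLD_PROTOCOLS:
        findings.append("legacy protocol %s negotiated" % protocol)
    if rsa_bits is not None and rsa_bits < MIN_RSA_BITS:
        findings.append("weak key: %d-bit RSA, want >= %d" % (rsa_bits, MIN_RSA_BITS))
    return findings


def probe(host, port=443, timeout=5.0):
    """Connect to host and assess the negotiated session (needs network)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return assess_tls(tls.version(), tls.cipher()[0], tls.compression())


if __name__ == "__main__":
    # Constructed sessions: an unpatched 2013-era server and a current one.
    print(assess_tls("TLSv1", "AES128-SHA", "zlib compression", 1024))
    print(assess_tls("TLSv1.2", "ECDHE-RSA-AES128-GCM-SHA256", None, 2048))
```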

And there are also rumors… that NSA experts "pushed" sophisticated bugs into the security protocols so that they could take advantage of them in the future.

Happy shopping…


About TotalDefense:

Total Defense (@Total_Defense) is a global leader in malware detection and anti-crimeware solutions. We offer a broad portfolio of leading security products for the consumer market used by over four million consumers worldwide. Our solutions also include the industry’s first complete cloud security platform, providing fully integrated endpoint, web and email security through a single Web-based management console with a single set of enforceable security policies.

Total Defense is a former business of CA Technologies, one of the largest software companies in the world, and has operations in New York, California, Europe, Israel and Asia.

Visit http://www.totaldefense.com/ for web, cloud & mobile security solutions for home users and businesses.