Do you need the extra security of HTTPS if your Internet connection is secure?

Tim April 11, 2011

If your home WiFi is totally secure (as secure as you can get it, that is) or if you’re using a physical cable to your router, does using https for, say, Facebook, still make a difference? Just looking for opinions here. :)

  1. James Bruce
    April 13, 2011 at 7:29 am

    Well answered, Mike, but I would add that just because your home network is secure from outside attacks, there is always a problem of malware on rogue systems internally. If you have more than one computer/user on your home network, this is a strong possibility. So yes, HTTPS will help on those occasions.

    The other half of me would say chill out, the majority of hacking is done because of user stupidity (such as leaving your laptop logged in to Facebook at the coffee shop, or at the library), and not due to malware or packet sniffing.

    • Mike
      April 14, 2011 at 5:49 am

      There are tons of other possibilities too where the hacker doesn't need to be within your LAN or running some MITM attack on a public or ISP level network.

      For example, there is an OpenWRT implementation which will pretend to be whatever WiFi Network your computer is trying to connect to. (I don't mention the name on purpose)

      When your computer is set to automatically join known Networks it will broadcast their names and wait for an answer. What this OpenWRT version does is it will answer to any and all those requests with a simple "Yes, I am that network. Join me".
      Long story short, while you think you are at your home network you are actually connected to a hacker's bogus WiFi who can then capture and analyse all your Internet requests, plain-text passwords, etc...

      Of course you could detect it via ARP or whatever but I doubt anyone runs IDS on their clients all the time.

      Back to topic: use HTTPS if possible and only trust valid certificates

      • James Bruce
        April 14, 2011 at 5:25 pm

        That's fascinating, Mike, thank you. Rest assured I shall be testing out this form of wifi network spoofing attack.

        I'm curious though - if there is an existing network with the same name, surely the device will attempt to join the strongest? So if you were trying it on your neighbour, they would have to come into your house or something for it to be worthwhile, no? Otherwise, any devices they had would automatically join the real network...

        Just thinking out loud here...

  2. Mike
    April 12, 2011 at 6:38 am

    Short answer, yes. HTTPS is a combination of HTTP with SSL (Secure Sockets Layer).

    There are two major benefits:

    1. With a valid, not self-signed SSL Certificate you can trust a page. In order to get such a certificate the Domain owner has to register with one of the certificate authorities who then vouch for the legitimacy. It's no guarantee for a site being legit or legal but it's a good sign.

    2. An SSL connection adds a certain layer of security against basic MITM (ARP Poisoning, IP Spoofing, Session Hijacking) attacks. It's not fool-proof but it will secure your passwords from the average "Trolls" scanners.
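
Added example, not part of the original thread or any poster's code: a Python sketch of the advice above to use HTTPS and "only trust valid certificates", showing a client TLS configuration that enforces it beside a weakened one that does not. The function names are hypothetical and the weakened context is constructed purely for comparison.

```python
import socket
import ssl


def strict_client_context() -> ssl.SSLContext:
    """Context that requires a CA-signed certificate matching the hostname."""
    # create_default_context() loads the system CA store and enables
    # CERT_REQUIRED plus hostname checking.
    return ssl.create_default_context()


def weakened_context() -> ssl.SSLContext:
    """Constructed misconfiguration: accepts any certificate, including self-signed."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # must be disabled before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return the reasons a context would accept an untrusted certificate."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate chain is not verified against a CA")
    if not ctx.check_hostname:
        findings.append("certificate is not matched against the hostname")
    return findings


def check_site(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Connect with the strict context and report whether the certificate is trusted."""
    ctx = strict_client_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return "trusted: " + str(tls.version())
    except ssl.SSLCertVerificationError as err:
        # Self-signed, expired, wrong-host and unknown-CA certificates end here,
        # so nothing is sent to a server that cannot prove its identity.
        return "rejected: " + err.verify_message
    except OSError as err:
        return "unreachable: " + str(err)
```

Calling `check_site()` needs network access; `audit_context()` works offline and can be pointed at any `SSLContext` an application builds.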