Schumer asks Twitter, Yahoo, Amazon to adopt HTTPS

A federal lawmaker is calling on a number of high-profile websites to adopt a more secure web protocol to prevent wireless hackers from hijacking their users' data.

Sen. Chuck Schumer, D-N.Y., announced Monday that he has sent letters to Twitter, Yahoo and Amazon, among others, urging them to replace "HTTP" with "HTTPS," an encrypted protocol that prevents the unauthorized hijacking of private sessions.

"When consumers use your site on the standard HTTP protocol, their activity and data – including sensitive personal information – is vulnerable to monitoring by anyone on their network," the letter said. "That means that a person using one of the increasingly popular public Wi-Fi networks can easily and unwittingly become the victim of malicious hackers."

In January 2010, Google became one of the first major companies to adopt HTTPS across its site, in this case Gmail. A turning point, though, came 10 months later, when a researcher unveiled a Firefox plug-in, known as Firesheep, that permits anyone to scan open Wi-Fi networks and hijack live sessions.

"When a user logs onto Facebook, Amazon, Twitter or any number of other accounts, the username and password are encrypted, but the cookie that the site sets to remember the user is not encrypted as it is sent to that person's computer," Randy Abrams, director of technical education of ESET, explained in the December issue of SC Magazine. "This means that if the user is at their local coffee shop using their open Wi-Fi system and logs onto a website, the cookie can be intercepted by anyone else using the same Wi-Fi network."

In January, Facebook announced that users now can browse the popular social networking site via HTTPS. But many other well-known internet properties have lagged, said Tim Callan, head of marketing for VeriSign Trust Services at Symantec.

"It's a project," Callan told SCMagazineUS.com. "They have more things on their roadmap than they're going to get done. We've seen companies delay this as long as they could. I think we've reached the point now where this has to a top priority for sites."

Many organizations have for some time encrypted their login pages, but once users move past that entry point, they become susceptible to eavesdropping or man-in-the-middle attacks, Callan said. But thanks to rogue wireless hotspots and advancements in programs such as Firesheep, the threat has morphed into a major risk.

Callan said the timeframe to migrate to HTTPS can run one month to several months, and costs typically run from tens of thousands to hundreds of thousands of dollars, depending on the size of the site.

Representatives at Twitter, Yahoo and Amazon did not immediately respond to a request for comment.
