Schumer asks Twitter, Yahoo, Amazon to adopt HTTPS

A federal lawmaker is calling on a number of high-profile websites to adopt a more secure web protocol to prevent wireless hackers from hijacking their users' data.

Sen. Chuck Schumer, D-N.Y., announced Monday that he has sent letters to Twitter, Yahoo and Amazon, among others, urging them to replace "HTTP" with "HTTPS," an encrypted protocol that prevents the unauthorized hijacking of private sessions.

"When consumers use your site on the standard HTTP protocol, their activity and data – including sensitive personal information – is vulnerable to monitoring by anyone on their network," the letter said. "That means that a person using one of the increasingly popular public Wi-Fi networks can easily and unwittingly become the victim of malicious hackers."

In January 2010, Google became one of the first major companies to adopt HTTPS across its site, in this case Gmail. A turning point, though, came 10 months later, when a researcher unveiled a Firefox plug-in, known as Firesheep, that permits anyone to scan open Wi-Fi networks and hijack live sessions.

"When a user logs onto Facebook, Amazon, Twitter or any number of other accounts, the username and password are encrypted, but the cookie that the site sets to remember the user is not encrypted as it is sent to that person's computer," Randy Abrams, director of technical education of ESET, explained in the December issue of SC Magazine. "This means that if the user is at their local coffee shop using their open Wi-Fi system and logs onto a website, the cookie can be intercepted by anyone else using the same Wi-Fi network."

In January, Facebook announced that users now can browse the popular social networking site via HTTPS. But many other well-known internet properties have lagged, said Tim Callan, head of marketing for VeriSign Trust Services at Symantec.

"It's a project," Callan told SCMagazineUS.com. "They have more things on their roadmap than they're going to get done. We've seen companies delay this as long as they could. I think we've reached the point now where this has to be a top priority for sites."

Many organizations have for some time encrypted their login pages, but once users move past that entry point, they become susceptible to eavesdropping or man-in-the-middle attacks, Callan said. But thanks to rogue wireless hotspots and advancements in programs such as Firesheep, the threat has morphed into a major risk.

Callan said the timeframe to migrate to HTTPS can run one month to several months, and costs typically run from tens of thousands to hundreds of thousands of dollars, depending on the size of the site.

Representatives at Twitter, Yahoo and Amazon did not immediately respond to a request for comment.
