Schumer asks Twitter, Yahoo, Amazon to adopt HTTPS

A federal lawmaker is calling on a number of high-profile websites to adopt a more secure web protocol to prevent wireless hackers from hijacking their users' data.

Sen. Chuck Schumer, D-N.Y., announced Monday that he has sent letters to Twitter, Yahoo and Amazon, among others, urging them to replace "HTTP" with "HTTPS," an encrypted protocol that prevents the unauthorized hijacking of private sessions.

"When consumers use your site on the standard HTTP protocol, their activity and data – including sensitive personal information – is vulnerable to monitoring by anyone on their network," the letter said. "That means that a person using one of the increasingly popular public Wi-Fi networks can easily and unwittingly become the victim of malicious hackers."

In January 2010, Google became one of the first major companies to adopt HTTPS across its site, in this case Gmail. A turning point, though, came 10 months later, when a researcher unveiled a Firefox plug-in, known as Firesheep, that permits anyone to scan open Wi-Fi networks and hijack live sessions.

"When a user logs onto Facebook, Amazon, Twitter or any number of other accounts, the username and password are encrypted, but the cookie that the site sets to remember the user is not encrypted as it is sent to that person's computer," Randy Abrams, director of technical education of ESET, explained in the December issue of SC Magazine. "This means that if the user is at their local coffee shop using their open Wi-Fi system and logs onto a website, the cookie can be intercepted by anyone else using the same Wi-Fi network."

In January, Facebook announced that users now can browse the popular social networking site via HTTPS. But many other well-known internet properties have lagged, said Tim Callan, head of marketing for VeriSign Trust Services at Symantec.

"It's a project," Callan told SCMagazineUS.com. "They have more things on their roadmap than they're going to get done. We've seen companies delay this as long as they could. I think we've reached the point now where this has to be a top priority for sites."

Many organizations have for some time encrypted their login pages, but once users move past that entry point, they become susceptible to eavesdropping or man-in-the-middle attacks, Callan said. But thanks to rogue wireless hotspots and advancements in programs such as Firesheep, the threat has morphed into a major risk.

Callan said the timeframe to migrate to HTTPS can run one month to several months, and costs typically run from tens of thousands to hundreds of thousands of dollars, depending on the size of the site.

Representatives at Twitter, Yahoo and Amazon did not immediately respond to a request for comment.
