Schumer asks Twitter, Yahoo, Amazon to adopt HTTPS

A federal lawmaker is calling on a number of high-profile websites to adopt a more secure web protocol to prevent wireless hackers from hijacking their users' data.

Sen. Chuck Schumer, D-N.Y., announced Monday that he has sent letters to Twitter, Yahoo and Amazon, among others, urging them to replace "HTTP" with "HTTPS," an encrypted protocol that prevents the unauthorized hijacking of private sessions.

"When consumers use your site on the standard HTTP protocol, their activity and data – including sensitive personal information – is vulnerable to monitoring by anyone on their network," the letter said. "That means that a person using one of the increasingly popular public Wi-Fi networks can easily and unwittingly become the victim of malicious hackers."

In January 2010, Google became one of the first major companies to adopt HTTPS across its site, in this case Gmail. A turning point, though, came 10 months later, when a researcher unveiled a Firefox plug-in, known as Firesheep, that permits anyone to scan open Wi-Fi networks and hijack live sessions.

"When a user logs onto Facebook, Amazon, Twitter or any number of other accounts, the username and password are encrypted, but the cookie that the site sets to remember the user is not encrypted as it is sent to that person's computer," Randy Abrams, director of technical education of ESET, explained in the December issue of SC Magazine. "This means that if the user is at their local coffee shop using their open Wi-Fi system and logs onto a website, the cookie can be intercepted by anyone else using the same Wi-Fi network."

In January, Facebook announced that users now can browse the popular social networking site via HTTPS. But many other well-known internet properties have lagged, said Tim Callan, head of marketing for VeriSign Trust Services at Symantec.

"It's a project," Callan told SCMagazineUS.com. "They have more things on their roadmap than they're going to get done. We've seen companies delay this as long as they could. I think we've reached the point now where this has to be a top priority for sites."

Many organizations have for some time encrypted their login pages, but once users move past that entry point, they become susceptible to eavesdropping or man-in-the-middle attacks, Callan said. But thanks to rogue wireless hotspots and advancements in programs such as Firesheep, the threat has morphed into a major risk.

Callan said the timeframe to migrate to HTTPS can run one month to several months, and costs typically run from tens of thousands to hundreds of thousands of dollars, depending on the size of the site.

Representatives at Twitter, Yahoo and Amazon did not immediately respond to a request for comment.
