Schumer asks Twitter, Yahoo, Amazon to adopt HTTPS
A federal lawmaker is calling on a number of high-profile websites to adopt a more secure web protocol to prevent wireless hackers from hijacking their users' data.
Sen. Chuck Schumer, D-N.Y., announced Monday that he has sent letters to Twitter, Yahoo and Amazon, among others, urging them to replace "HTTP" with "HTTPS," an encrypted protocol that prevents the unauthorized hijacking of private sessions.
"When consumers use your site on the standard HTTP protocol, their activity and data – including sensitive personal information – is vulnerable to monitoring by anyone on their network," the letter said. "That means that a person using one of the increasingly popular public Wi-Fi networks can easily and unwittingly become the victim of malicious hackers."
In January 2010, Google became one of the first major companies to adopt HTTPS across its site, in this case Gmail. A turning point, though, came 10 months later, when a researcher unveiled a Firefox plug-in, known as Firesheep, that permits anyone to scan open Wi-Fi networks and hijack live sessions.
"When a user logs onto Facebook, Amazon, Twitter or any number of other accounts, the username and password are encrypted, but the cookie that the site sets to remember the user is not encrypted as it is sent to that person's computer," Randy Abrams, director of technical education of ESET, explained in the December issue of SC Magazine. "This means that if the user is at their local coffee shop using their open Wi-Fi system and logs onto a website, the cookie can be intercepted by anyone else using the same Wi-Fi network."
In January, Facebook announced that users now can browse the popular social networking site via HTTPS. But many other well-known internet properties have lagged, said Tim Callan, head of marketing for VeriSign Trust Services at Symantec.
"It's a project," Callan told SCMagazineUS.com. "They have more things on their roadmap than they're going to get done. We've seen companies delay this as long as they could. I think we've reached the point now where this has to a top priority for sites."
Many organizations have for some time encrypted their login pages, but once users moved past that entry point, they become susceptible to eavesdropping or man-in-the-middle attacks, Callan said. But thanks to rogue wireless hotspots and advancements in programs such as Firesheep, the threat has morphed into a major risk.
Callan said the timeframe to migrate to HTTPS can run one month to several months, and costs typically run from tens of thousands to hundreds of thousands of dollars, depending on the size of the site.
Representatives at Twitter, Yahoo and Amazon did not immediately respond to a request for comment.