Sean Wright


Personal blog of app security guy, blogging about application security related topics, focused primarily on web based applications.

Sean Wright

Info Only

18th December 2017

I thought that I would start this blog post off with this single Tweet, which started off the whole debacle that resulted in NatWest ending up in the news. The problem is that, while yes, the information is public, all of the data returned over plain HTTP can be manipulated.

CIA


In the security field there is a basic concept known as the CIA triangle where:

  • Confidentiality – the data being transmitted/processed is not viewable by an attacker.
  • Integrity – the data being transmitted/processed cannot be tampered with by an attacker.
  • Availability – the data being transmitted/processed cannot be made unavailable by an attacker.

HTTPS provides 2 of the 3 principles of the CIA triangle, namely confidentiality and integrity. Firstly, the data is encrypted (confidentiality), so while an attacker is able to view the data being transmitted, all they see is ciphertext, which is of no use to them. Secondly, integrity: an attacker could attempt to modify the encrypted data in transit, but the modification will be detected by the receiving end of the communication and the data rejected.

But It’s Not Sensitive Information

And this leads me to the purpose of this blog. All too often I come across people who state that simply because the information is public or not sensitive, that is a valid reason not to use HTTPS. Nothing could be further from the truth! Take the above example with NatWest. They have a login link on their page, they have contact numbers, they have security FAQs, and the list goes on. An attacker who has achieved a Man-in-the-Middle (MiTM) position can alter all of that information with little effort. To illustrate this, I modified the login link:

And this relates to the above principle of integrity. Without HTTPS, there is no way to confidently say that the data delivered between the client and the server has not been tampered with. So it’s vital that HTTPS is still used, even if the data is public or not sensitive.
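As an added example (not code from the original post), here is the check a defender can run against the two responses a site hands out: the one on plain HTTP, which should do nothing but redirect to HTTPS, and the one on HTTPS, which should set HSTS so returning browsers never ask over plain HTTP again. The sample responses and the host name `bank.example` are constructed for the example.

```python
import re
from typing import Dict, List, Tuple


def parse_response(raw: bytes) -> Tuple[int, Dict[str, str], str]:
    """Split a raw HTTP/1.1 response into (status, lower-cased headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body.decode("utf-8", "replace")


def audit_plain_http(raw: bytes) -> List[str]:
    """Findings for the response received over plain HTTP: the page should
    not be served here at all, only a redirect to the https:// origin."""
    status, headers, body = parse_response(raw)
    findings: List[str] = []
    location = headers.get("location", "")
    if not (status in (301, 302, 307, 308) and location.lower().startswith("https://")):
        findings.append("served over plain HTTP instead of redirecting to https://")
    # Any absolute http:// link in a page a MiTM can rewrite is a candidate
    # for the login-link swap described in the post.
    for link in re.findall(r'href=["\'](http://[^"\']+)', body, re.I):
        findings.append(f"plain-HTTP link in body: {link}")
    return findings


def audit_hsts(raw: bytes, min_age: int = 31536000) -> List[str]:
    """Findings for the HTTPS response: Strict-Transport-Security (RFC 6797)
    stops browsers that have seen the site from ever retrying over HTTP."""
    _, headers, _ = parse_response(raw)
    hsts = headers.get("strict-transport-security")
    if hsts is None:
        return ["no Strict-Transport-Security header"]
    match = re.search(r"max-age=(\d+)", hsts, re.I)
    age = int(match.group(1)) if match else 0
    return [] if age >= min_age else [f"HSTS max-age too low: {age}"]


# Constructed sample responses, not captures from any real site.
BAD_HTTP = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
            b'<html><a href="http://bank.example/login">Log in</a></html>')
GOOD_HTTP = b"HTTP/1.1 301 Moved Permanently\r\nLocation: https://bank.example/\r\n\r\n"
GOOD_HTTPS = b"HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=31536000; includeSubDomains\r\n\r\n<html></html>"
```

`audit_plain_http(BAD_HTTP)` reports both the missing redirect and the rewritable login link, while the two `GOOD_*` samples come back clean.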
