Info Only
18th December 2017
Hi there Troy, the website contains general information, rest assured when you are logging in that the website is secure. Please feel free to DM me if you have any more queries around this. Thank you, DC— NatWest (@NatWest_Help) December 12, 2017
I thought I would start this blog post with that single Tweet. It started the whole debacle that ended with NatWest in the news. The problem is that, while the information is indeed public, everything returned over plain HTTP can be manipulated in transit.
In the security field there is a basic concept known as the CIA triangle where:
- Confidentiality – the data being transmitted/processed is not viewable by an attacker.
- Integrity – the data being transmitted/processed cannot be tampered with by an attacker.
- Availability – the data being transmitted/processed cannot be made unavailable by an attacker.
HTTPS provides two of the three principles of the CIA triangle, namely confidentiality and integrity. Firstly, the data is encrypted (confidentiality): an attacker can still observe the bytes in transit, but they are of no use without the key. Secondly, integrity: an attacker could attempt to modify the encrypted data, but the receiving end of the connection will detect the tampering and reject it.
But It’s Not Sensitive Information
And this leads me to the purpose of this blog post. All too often I come across people who claim that, because the information is public or not sensitive, there is no need to use HTTPS. Nothing could be further from the truth! Take the above example with NatWest. They have a login link on their page, they have contact numbers, they have security FAQs, and the list goes on. An attacker who has achieved a Man in The Middle (MiTM) position can alter all of that information with little effort. To illustrate this, I modified the login link:
@NatWest_Help this should hopefully help illustrate the issue and what an attacker would likely do: pic.twitter.com/FnWnge7JyS— Sean Wright (@SeanWrightSec) December 12, 2017
And this comes back to the principle of integrity above. Without HTTPS, there is no way to be confident that the data exchanged between client and server has not been tampered with. So it is vital that HTTPS is used, even if the data is public or not sensitive.
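A practical follow-up check, added here as an example and not part of the original post: given the raw response heads for the HTTP and HTTPS versions of a page (as captured with `curl -I`, for instance), it reports whether plain HTTP is redirected to HTTPS and whether HSTS is set so that browsers stop requesting the HTTP version at all. The sample responses, the host name and the one-year threshold are constructed or assumed for the example.

```python
# Offline check that a site enforces HTTPS even for "public" pages: input is the
# raw status line and headers of the HTTP and HTTPS responses for the same URL.
from urllib.parse import urlparse

ONE_YEAR = 31536000  # HSTS max-age widely required, e.g. by browser preload lists

def parse_head(raw: str):
    """Split a raw HTTP response head into (status_code, {lowercase name: value})."""
    lines = raw.strip().splitlines()
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers

def hsts_max_age(value: str):
    """Return max-age seconds from a Strict-Transport-Security value, or None."""
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        val = val.strip().strip('"')
        if name.strip().lower() == "max-age" and val.isdigit():
            return int(val)
    return None

def assess(http_head: str, https_head: str, host: str):
    """Return a list of findings; an empty list means HTTPS is enforced."""
    findings = []
    status, hdrs = parse_head(http_head)
    target = urlparse(hdrs.get("location", ""))
    if not (300 <= status < 400 and target.scheme == "https" and target.hostname == host):
        findings.append("plain HTTP is served rather than redirected to https on the same host")
    if "strict-transport-security" in hdrs:
        # RFC 6797: browsers ignore HSTS received over an insecure transport
        findings.append("HSTS on the HTTP response is ignored by browsers")
    _, shdrs = parse_head(https_head)
    age = hsts_max_age(shdrs.get("strict-transport-security", ""))
    if age is None:
        findings.append("no Strict-Transport-Security header on the HTTPS response")
    elif age < ONE_YEAR:
        findings.append(f"HSTS max-age {age} is below one year")
    return findings

# Constructed sample responses, not captured from any real site.
WEAK_HTTP = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
WEAK_HTTPS = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
GOOD_HTTP = "HTTP/1.1 301 Moved Permanently\r\nLocation: https://www.example.com/\r\n"
GOOD_HTTPS = ("HTTP/1.1 200 OK\r\n"
              "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n")
```

Running `assess(WEAK_HTTP, WEAK_HTTPS, "www.example.com")` returns two findings, while the GOOD pair returns none.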