Why do some major websites still not use SSL/TLS?

Bram Matthys

2 min read

There seems to be misconception out there:

If a site never requires user input then there is no reason to use SSL/TLS.

This is wrong. SSL/TLS is not only for securing logins or forms!

A practical attack on a major news site

  1. User visits an insecure news site like cnn.com
  2. Attacker hijacks this connection and injects a virus or other malware in the HTML code sent to the user.
  3. User is owned

This is called Session Hijacking and it is nothing new. Such an attack is easy and not unlikely when the user is using a public hotspot.

It is significantly less likely, but still technically possible, on other internet connections as well. It may not happen often but if an attacker is able to take control of central infrastructure (s)he can infect millions of people who are connecting to a trusted website. Injecting them with malware content.

I still can't believe today that major news organizations are not using HTTPS and HSTS. How likely is it that someone on vacation will use an insecure hotspot to check out the news? Very likely I would say.

A practical attack on a major auction site

Some sites, like eBay, do use HTTPS for logins but then when the user clicks on an auction item they will be redirected back to plaintext HTTP. Why?? This too will make the user vulnerable to session hijacking attacks for the exact same reason as the news site example earlier.

Download sites

Finally, let me say that this does not stop at news or auction sites. What about sites offering software?

  1. User visits the official (insecure) site offering downloads of a major application. For example http://keepass.info/
  2. As soon as the user tries to download the latest version the attack *hijacks* the connection and *injects* a virus or other malware in the executable
  3. User runs the executable and is owned

Some may argue that users should verify the PGP/GPG signature of a file. That is true. They should, if possible. Unfortunately in practice (very) few users do that and often the public key that is supposed to be used is not clear.

Finally

The only reason I found on the Internet so far is that SSL/TLS uses additional resources and that caching may be harder. With todays hardware and resources I really don't consider these to be reasonable arguments anymore. Maybe this was true in 2010, but not in 2018.