Today I will be demonstrating the importance of securing your site with HTTPS (Hyper Text Transfer Protocol Secure) and HSTS (HTTP Strict Transport Security) to prevent bad actors from tampering with your site, by showing what can happen if you don't use them, and the protection your users get if you do. I will be demonstrating this by simulating being connected to a rogue DNS server, which will serve us a fake version of the site.
So, what happens if my site isn't secure?
If your site doesn't use HTTPS, you leave your customers vulnerable to the page being tampered with. As I will show you below, anyone is free to tamper with the content on the site. This means they can inject malicious code, or even serve a completely different page. It happens, and a few years ago it was found that US Internet Service Providers were injecting code into sites that didn't use HTTPS. So let's see what happens.
If I navigate to http://http-login.badssl.com, I usually get the following page:
The site loads and nothing looks out of the ordinary, and for now, it isn't. But we can very easily start serving our own version of the site. To demonstrate this today, I will be using my DNS server to serve a fake version of the site, which can be an effective attack method, as most routers allow you to change the DNS server that connecting devices are automatically assigned. So if I instruct my DNS server to start serving my page instead, we see something like this:
Not good: we can easily inject and serve our own version of the page. Now imagine if this was an actual login page, and the damage that could cause. The important thing to note here is that there is no warning at all, so if we copied the page, our users wouldn't even notice. Now, what happens when we try to tamper with a page that is secured?
What about if my site is secured?
To find out, let's load up https://sha512.badssl.com, and we usually see this:
Now, all is well. If you didn't notice, there is a little padlock in the URL bar. This indicates we are connecting to the server securely (but remember, it does not mean the site is legitimate, a common misconception), which is music to our ears. Now, let's try and serve our own version of the site.
Unfortunately for us, we have been spotted, since we do not have a valid certificate for the site from a trusted certificate authority. However, some users love to bypass these errors, which still puts them at risk.
And without HSTS, we can't stop them from bypassing this. So let's see what happens with HSTS enabled (if you want to know more about HSTS, see my blog post where I explain it).
As you can see, we are completely denied access to the site. This is great, as it means there is zero chance of anyone using the malicious page instead of our legitimate one.
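As an added example (not code from the original post), this Python check audits a response's Strict-Transport-Security header using the RFC 6797 parsing rules, flagging the cases where users could still click through a certificate warning. The function names, the sample headers and the 180-day `min_age` threshold are assumptions made for illustration.

```python
import re

# Constructed sample responses (scheme, headers); not captured from any real site.
SAMPLES = [
    ("https", [("Strict-Transport-Security", "max-age=31536000; includeSubDomains")]),
    ("https", [("Content-Type", "text/html")]),
    ("http", [("Strict-Transport-Security", "max-age=31536000")]),
]

def parse_hsts(value):
    """Parse per RFC 6797 section 6.1; None means browsers ignore the header."""
    directives = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        name, val = name.strip().lower(), val.strip()
        if not name:
            continue  # empty directives are allowed by the grammar
        if len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1]  # quoted-string form of a value
        if name in directives:
            return None  # a repeated directive invalidates the header
        directives[name] = val
    if not re.fullmatch(r"[0-9]+", directives.get("max-age", "")):
        return None  # max-age is required and must be a non-negative integer
    directives["max-age"] = int(directives["max-age"])
    return directives

def audit_hsts(scheme, headers, min_age=15552000):
    """Return findings for one response; an empty list means the policy is sound.
    min_age (seconds, about 180 days) is an assumed threshold, not from the page."""
    values = [v for k, v in headers if k.lower() == "strict-transport-security"]
    if scheme != "https":
        return ["plain HTTP response: browsers ignore any HSTS header here"]
    if not values:
        return ["header missing: certificate warnings can be clicked through"]
    policy = parse_hsts(values[0])  # browsers process only the first header
    if policy is None:
        return ["header invalid: browsers ignore it"]
    findings = []
    if policy["max-age"] == 0:
        findings.append("max-age=0 removes the stored policy")
    elif policy["max-age"] < min_age:
        findings.append("max-age below %d seconds" % min_age)
    if "includesubdomains" not in policy:
        findings.append("includeSubDomains not set")
    return findings

if __name__ == "__main__":
    for scheme, headers in SAMPLES:
        print(scheme, audit_hsts(scheme, headers) or "OK")
```
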
So, I hope today I've shown you why we need to make sure all our sites are secured using HTTPS and ideally HSTS. You should now be well equipped to challenge anyone saying HTTPS isn't important. It would be great if you could share this post with your friends if you enjoyed it.
Feel free to get in touch with me if you have any questions via the various contact methods on my main site. I'm always happy to help. See you in the next post!