
How Can an Https Web Site Still Not Be Secure?

I have heard that going to an “https” web site isn’t a guarantee of security, and that some data I enter might still be unencrypted. How can that be? I thought https was encrypted and could not be sniffed?

You’re right: an https connection is encrypted. Someone sniffing the traffic can see that your computer connected to a given server, but not what was sent or received over that connection.

However, that protection covers only the connections that actually use https, and bad web site design can foil it. In fact, I’d go so far as to say it is easily foiled by bad website design.

To really understand what can happen we have to understand just a little bit more about how the web works and what happens when you visit a web page.


Requests and responses

The entire web experience is based on a very simple model: through your web browser you make a “request”, and the web site you’re visiting returns a “response”. Everything is built on this very simple concept.

For example, when you visit a web site like http://randomisp.com, the following sequence occurs:

  • Your browser looks up the IP address for randomisp.com.
  • Your browser then sends a request, in plain text, to port 80 of the server at that IP address for the path “/” (the site’s default page), with randomisp.com named in the request’s Host header.
  • The web server responds with the HTML text that makes up the page.

This one transaction fetches only the base HTML for the page. If that page includes images, scripts or style sheets, a separate request/response transaction just like the sequence above is repeated for each one, and each of those has its own URL, and therefore its own choice of http or https.

A secure or https transaction is similar. Same domain, using https instead of http:

  • Your browser looks up the IP address for randomisp.com.
  • Your browser connects to port 443 on that IP and performs a TLS handshake for the name randomisp.com, checking that the certificate the server presents is valid for that name. What it ends up with is an encrypted connection.
  • Your browser then sends — through that encrypted connection — a request for the path “/” (the site’s default page).
  • The web server responds — through that encrypted connection — with the HTML text that makes up the page.

Web Forms, securely

Forms are the typical way web sites ask you for information. When you enter data on a form, such as your login information, and click “Submit” (or its equivalent), the sequence is still a request for a page to which the server responds. The difference is that, along with the name of the page, the request carries the information you typed into the form’s fields.

For example, this is a form:

[Demo form: a text box labeled “Enter some text:” and a button labeled “Push this button:”]

What you can’t see is that the form’s HTML names the URL the data goes to (its “action”): https://randomisp.com/formdemo.php.

When you click on Submit the following happens:

  • Your browser looks up the IP address for randomisp.com.
  • Your browser establishes an encrypted connection with port 443 on the server at that IP address for the site “randomisp.com”.
  • Your browser then sends — through that encrypted connection — a request for the page “formdemo.php”, carrying the form’s fields with it: “text_field” set to whatever you entered, and “submit_button” set to “Submit”.
  • The web server builds a web page that simply displays that information and returns the HTML — through that encrypted connection — for that page as the response.

Note that this is a secure transaction, because https was used. Someone sniffing your traffic would see only that you had connected to randomisp.com (the server’s name is sent in the clear when the connection is set up), but nothing else: they would not be able to see the text you entered into that form.

Bad Web Design

Here’s the problem: unlike the address bar in your browser, or the links you might click on (which you can at least hover over), nothing on the page tells you whether the URL a form submits to begins with https or http. For example:

[Demo form, identical in appearance to the first: a text box labeled “Enter some text:” and a button labeled “Push this button:”]

This form looks exactly the same as the first. It even goes to the exact same server. Except that its action URL begins with http, so any information you enter onto it will not be encrypted when you hit “Submit”.

It does not use an https connection.

And you can’t tell.

That’s bad design.

Bad design that gets worse.

The page you’re on versus the page you get

If you’re viewing this article on the Ask Leo! website you’re viewing it on a secure page. Have a look at the URL and you’ll see that it’s “secure” — you used an https connection to get here.

And yet that tells you exactly nothing about the forms on this page.

The first form is secure, the second one is not. If you enter your data on the first form, it’s encrypted and sent securely. If you use the second form, however, your data is not encrypted, and could be sniffed.

That you are viewing the forms on a https-secure page has no impact whatsoever. It’s all about the form.

How it can go wrong

All the explanations above are so we can understand this example:

  • You visit your bank. You take great care to make sure the URL you go to begins with “https” so as to ensure an encrypted connection. Let’s say you visit “https://somerandombank.com/login.php”.
  • The request for “https://somerandombank.com/login.php” is made securely, and the response comes back securely.
  • The response is a login page: the page on which you will enter your username and password. So far nothing important has been encrypted. All you got was a login page with no sensitive information. There was a secure request, followed by a secure response.
  • You enter your (sensitive) login information and password, and press “Submit”.
  • The browser then takes the URL specified in the form (the URL that you can’t see), connects to it, sends your login information as part of the request, and gets the next web page to show you as the response.

Here’s the million dollar question: how do you know, before you hit Submit, that the request you’re about to make is to a secure (https) URL?

The fact that you’re on a secure web page means nothing. It’s the page that you’re about to go to next, the page that you’re about to request when you hit Submit, that needs to be secure.

And you might not be able to tell.
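The check described above, done by machine rather than by eye, as an added example that is not part of the original article. It covers the form walkthrough, the two look-alike forms and the bank scenario: it pulls each form out of a page, resolves its action the way the browser does, flags any form that would carry data from an https page to an http URL, and shows what the submission looks like on the wire. The bank hostname, paths, field names and the sample HTML are all made up for illustration.

```javascript
// Added example, not code from the original article: audit the forms in a page
// to answer "where will Submit send my data?" before you press it. It resolves
// each form's action the way a browser does, flags a form that would leave an
// https page for an http target, and shows what the submission looks like on
// the wire. Hostnames, paths and field names are made up for illustration.

// Read one attribute out of a tag's attribute string (demo-grade parsing;
// a real tool would use a DOM).
function attr(attrs, name) {
  const re = new RegExp(`\\b${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s>]+))`, "i");
  const m = re.exec(attrs);
  return m ? (m[1] ?? m[2] ?? m[3]) : null;
}

// Pull every <form> and the named <input>s inside it out of an HTML string.
function parseForms(html) {
  const forms = [];
  const formRe = /<form\b([^>]*)>([\s\S]*?)<\/form>/gi;
  for (let m; (m = formRe.exec(html)) !== null; ) {
    const fields = [];
    const inputRe = /<input\b([^>]*)>/gi;
    for (let im; (im = inputRe.exec(m[2])) !== null; ) {
      const name = attr(im[1], "name");
      if (name) fields.push({ name, value: attr(im[1], "value") ?? "" });
    }
    forms.push({
      action: attr(m[1], "action"),
      method: (attr(m[1], "method") ?? "get").toLowerCase(),
      fields,
    });
  }
  return forms;
}

// Resolve the action as the browser does: a missing or empty action means
// "submit to this page's own URL"; a relative action inherits the page's
// scheme and host; only an absolute URL can change the scheme.
function resolveAction(pageUrl, action) {
  const page = new URL(pageUrl);
  return action && action.trim() ? new URL(action.trim(), page) : page;
}

// What actually leaves the computer: a GET puts the fields in the query
// string, a POST puts them in the body. Either way it is plaintext if the
// target is http, no matter how the page that held the form was loaded.
function serializeSubmission(method, target, values) {
  const params = new URLSearchParams(values).toString();
  if (method === "post") {
    return { requestLine: `POST ${target.pathname}${target.search} HTTP/1.1`,
             host: target.host, body: params };
  }
  const u = new URL(target.href);
  u.search = params; // a GET submission replaces the action URL's query
  return { requestLine: `GET ${u.pathname}${u.search} HTTP/1.1`, host: u.host, body: "" };
}

function auditForms(pageUrl, html, userInput) {
  const pageScheme = new URL(pageUrl).protocol; // "https:" or "http:"
  return parseForms(html).map((f, index) => {
    const target = resolveAction(pageUrl, f.action);
    const values = Object.fromEntries(
      f.fields.map((x) => [x.name, x.name in userInput ? userInput[x.name] : x.value]));
    return {
      index,
      method: f.method,
      target: target.href,
      // The page being https proves nothing; only the target's scheme matters.
      downgrade: pageScheme === "https:" && target.protocol === "http:",
      wire: serializeSubmission(f.method, target, values),
    };
  });
}

// Constructed sample: the bank login page from the article, carrying three
// forms that look the same on screen. Only the second one is dangerous.
const PAGE_URL = "https://somerandombank.com/login.php";
const SAMPLE_HTML = `
<form action="/dologin.php" method="post">
  <input name="username"><input name="password" type="password">
  <input type="submit" value="Login">
</form>
<form action="http://somerandombank.com/dologin.php" method="post">
  <input name="username"><input name="password" type="password">
  <input type="submit" value="Login">
</form>
<form method="get">
  <input name="q">
</form>`;

function runAudit() {
  return auditForms(PAGE_URL, SAMPLE_HTML, { username: "alice", password: "correct horse" });
}

for (const r of runAudit()) {
  console.log(`form ${r.index}: ${r.method.toUpperCase()} -> ${r.target}` +
              (r.downgrade ? "   *** DOWNGRADE TO HTTP ***" : ""));
  console.log(`  ${r.wire.requestLine}   body="${r.wire.body}"`);
}
```

Two things the output makes visible that the prose does not: a relative action such as “/dologin.php” can never downgrade you, because it inherits the page’s own https scheme, so the dangerous case is specifically an absolute http:// action; and the password is just as readable in a POST body as in a GET query string, so the method is no protection either. On a live page the same check, without any parsing, is to open the browser’s developer tools console and run Array.from(document.forms, f => f.action), which prints the fully resolved target of every form on the page.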

AJAX and other technologies

So far I’ve discussed only forms, which are a common, but very specific type of approach to getting information from a user, like you, to a server, like your bank’s.

Forms are based on the “request / response” approach I described at the beginning. You make a request, and the response is a new page.

AJAX is an example of a technology that allows requests and responses to happen “behind the scenes” in such a way that you’re not actually getting a new page each time. Google mail is a good example: many operations such as archiving your mail or tagging messages may not involve a new page at all – and yet information is being sent back and forth to Google’s servers.

Even if you’re on a secure page, there’s no guarantee that this background request / response transfer is actually happening over a secure connection. It all depends on how the page was authored. (Current browsers do treat a script’s request from an https page to an http URL as “mixed content” and block it by default, but that is the browser stepping in, not the page being designed correctly.)

And there really is no way for you to know, unless you’re a geek willing to look at and understand the HTML and Javascript that implements those pages.
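What the article’s rule looks like when applied to those background requests, as an added example that is not part of the original article: a guard around fetch() that resolves the requested URL the way the browser would and then either refuses a request that would leave an https page for an http URL, or rewrites it to https (the rewrite mirrors what the Content-Security-Policy directive upgrade-insecure-requests does). The fetch implementation is injected so the example runs offline, and the mail-site hostname and API paths are made up.

```javascript
// Added example, not code from the original article or from any mail service:
// a guard for background (AJAX) requests. It applies the same rule as for
// forms: it is the target URL that must be https, not the page you are on.
// `fetchImpl` is injected so nothing leaves the machine; URLs are made up.
function makeGuardedFetch(pageUrl, fetchImpl, mode = "block") {
  const page = new URL(pageUrl);
  return function guardedFetch(input, init) {
    // Resolve relative URLs against the page, as the browser does.
    const target = new URL(String(input), page);
    if (page.protocol === "https:" && target.protocol === "http:") {
      if (mode === "block") {
        // Thrown synchronously so the failure is visible at the call site; a
        // drop-in replacement for fetch would return Promise.reject instead.
        throw new Error(`refusing plaintext request from https page: ${target.href}`);
      }
      target.protocol = "https:"; // "upgrade" mode: same host and path, over TLS
    }
    return fetchImpl(target.href, init);
  };
}

// Stand-in for fetch, constructed for the demo: records what it was asked for.
function recordingFetch() {
  const calls = [];
  const f = (url, init) => {
    calls.push({ url, method: (init && init.method) || "GET" });
    return Promise.resolve({ ok: true });
  };
  f.calls = calls;
  return f;
}

function demo() {
  const page = "https://mail.example.net/inbox"; // an https page, like the article's mail example
  const rec = recordingFetch();

  const upgrade = makeGuardedFetch(page, rec, "upgrade");
  upgrade("/api/archive", { method: "POST" });                    // relative: already https
  upgrade("http://mail.example.net/api/tag", { method: "POST" }); // absolute http: rewritten

  const block = makeGuardedFetch(page, rec, "block");
  let blocked = null;
  try {
    block("http://tracker.example.org/ping");                      // absolute http: refused
  } catch (e) {
    blocked = e.message;
  }
  return { calls: rec.calls, blocked };
}

const result = demo();
for (const c of result.calls) console.log(`sent: ${c.method} ${c.url}`);
console.log(`blocked: ${result.blocked}`);
```

The relative request and the rewritten one both reach the stub as https URLs; the tracker request never does. The same split applies to XMLHttpRequest, whose open() call takes the URL that would need the same check.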

Is there a solution?

You’re hopefully already familiar with the fact that most browsers display the URL represented by a link somewhere if you hover the mouse over the link. For example, if you hover over this link you should see something like this somewhere:

[Screenshot: the URL preview the browser shows when hovering over a link]

“Submit” buttons on web forms are really just another type of “link”, if you will.

Unfortunately, even though I first wrote about this issue twelve years ago, it’s still nearly impossible in most web browsers to tell where a submit button is about to take you. (Oh, and there may not even be a submit button — for example my search box at the top of the page here doesn’t have one. Hitting the Enter key submits the form.)

As I update this Firefox appears to be the only mainstream browser that will warn you.

[Screenshot: Firefox warning that a form is not secure]

On all the others — well, your guess is as good as mine. (I’d love to hear that I’m wrong on this.)

I’m not sure there’s a simple solution, other than switching to a browser like Firefox that will warn you.

As it turns out, using a VPN of some sort (I happen to use TunnelBear, but any of the reputable ones will do) also side-steps part of the issue.

VPNs encrypt everything between you and the VPN service. They don’t add any encryption to the rest of the path — between the VPN service and your bank, for example — so a form that submits over http still sends your password in the clear from the VPN’s exit onward. But it’s the local connection that is generally of more concern. It’s the local connection, often over open Wi-Fi, that carries the greatest risk.

Good website design

It really all boils down to websites being properly designed and implemented.

If you are on an https page it’s reasonable to expect that the form button you click on will also submit to an https page. A site doesn’t have to leave that to chance, either: if it sends an HTTP Strict Transport Security (HSTS) header, the browser rewrites any http:// URL for that host to https before sending the request, form submissions included; and a Content-Security-Policy header with upgrade-insecure-requests does the same for the page’s own forms and background requests, while form-action 'self' makes the browser refuse a form whose target is not the page’s own (https) origin.

And most of the time, it is. Most sites get it right.

But some don’t.

And I’m just not sure I know how to tell.¹

Footnotes

1: OK, ok, to be clear, I do know how to know, but it takes more detailed knowledge of HTML. Use your browser’s Inspect function and you can see where a Submit button or any form will take you. That doesn’t really solve the AJAX problem, but even that could be observed within Inspect. It’s just not for the faint of heart.

Posted: July 30, 2008 in: Encryption
This is a major update to an article originally posted July 30, 2008
Shortlink: https://askleo.com/3461


Leo Who?

I'm Leo Notenboom and I've been playing with computers since I took a required programming class in 1976. I spent over 18 years as a software engineer at Microsoft, and after "retiring" in 2001 I started Ask Leo! in 2003 as a place to help you find answers and become more confident using this amazing technology at our fingertips. More about Leo.

15 comments on “How Can an Https Web Site Still Not Be Secure?”

  1. I read several months ago, in an article on some of the “worst” spyware out there, that it’s possible for spyware to read https information, by installing itself in the browser between the browser and the SSL layer. (Unfortunately, I didn’t save a link to the online version.)

    Basically, the browser communicates internally with the SSL layer unencrypted. By wedging itself in that layer, the spyware can see everything unencrypted.

    Have you heard anything of this?

    Spyware and viruses can do ANYTHING – that’s why they’re to be avoided at all costs.

    -Leo

    Reply
  2. Yes Leo, as you kind of alluded to, you can “view” “source” and read the html for where the link is pointed to, but you just about have to have at least some knowledge of html, like us geeks…lol

    That’s why I mention AJAX, since that is often incomprehensible to even those of us who could read it.

    -Leo

    Reply
  3. Hi Leo, I am a high school student. I am familiar with HTML but I was wondering, is there a way of creating an online database that can be accessed by anyone using HTML only? If so, what are the necessary steps in doing so? And if not, is there a way of creating an online database using other methods, e.g. PHP, XHTML etc.? And what would be the necessary steps?

    Reply
  4. Great article Leo, you explained the http/https method in detail with extra information and solutions, really a great article for beginners and professionals….thanks Leo.

    Reply
  5. You’ve done it again! Not only made the subject clear and understandable, but gave easy to follow instructions that even a senior citizen can follow.
    Thanks – I feel safer now – for a while.

    Reply
  6. Since hovering over the ‘Login’ didn’t work, I tried entering a fake username and password. Clicking ‘Login’ gave me an unknown user/password message but the URL started ‘https’ – could this be an easy way to verify the URL of the target page?

    Unfortunately no. It’s very possible that the URL you went to first was some other URL that, for example, captured your information and then automatically and transparently sent you on to the https URL.

    -Leo

    Reply
  7. I don’t know of a better way to get info to you and it may be important. In your News letter just below the link to this article I found this: MailScanner has detected a possible fraud attempt from “clicks.aweber.com” claiming to be http://www.ThisIsTrue.com. “MailScanner has detected a possible fraud attempt from “clicks.aweber.com” claiming to be” was in RED. I think I have MailScanner on my computer so I think this may be bad. I won’t click on it unless you can say nothing to worry about. More information would be appreciated.

    “Aweber” is the company that processes my mailing list, and they modify links so that I can see which links people are clicking on. So the link is safe.

    -Leo

    Reply
  8. Speaking of bad web design. I went to read “Why didn’t you answer my question?” and a grayed-out screen with a modal box asking me if I wanted to receive your newsletter came up in the middle of it. Ironically, I was trying to read the article because of the newsletter. I had no scroll bar and so I was not able to scroll down to close it. I used the back button, and here I am. I’m going to try again. This time it worked.

    FWIW: that popup does have a close button (x in the upper right corner, like most windows), and as long as cookies are enabled it should only appear once every 180 days.

    More here: Why do I keep getting a newsletter subscribe pop-up on your site?

    -Leo

    Reply
  9. Hi Leo,

    Excellent article! You mentioned ‘always using an encrypted VPN’ in your article. How is a VPN more secure than a single https web site implementation? Wouldn’t I need to use your browser settings trick within a VPN? Thanks a lot.

    A VPN will encrypt all data between yourself and the VPN provider, whether it’s https or not. After the VPN provider it travels encrypted, or not, depending on whether it’s https, or not.

    An https connection is encrypted all the way between you and the web site you’re accessing.

    Most sniffing attacks happen at your end, so making sure that the data is encrypted as it leaves your computer – https or VPN – is what’s important, IMO.

    – Leo
    21-Sep-2008
    Reply
  10. Can anyone help with the settings for Firefox? It looks like the article was written in 2008 and those settings (Tools, Options, Security, Settings) were available in Firefox 3.5. In the newer version of Firefox (I’m on v5), there’s no “Settings” button, and I can’t find a similar one anywhere in Options. Please advise if you find a solution!

    Unfortunately that’s been moved to a set of hidden preferences in about:config. I found this on that: http://support.mozilla.com/en-US/questions/829577.

    Leo
    03-Aug-2011

    Reply
  11. JayFlight – I searched Firefox help and found this for Ver 4. It also appears to apply to ver 5.

    The only way I know to do this in Firefox 4 is to change hidden preferences.

    Type about:config into the location bar and press enter
    Accept the warning message that appears, you will be taken to a list of preferences
    In the filter box type security.warn this will show a few preferences, you can double-click on them to change their values, the settings are:
    security.warn_viewing_mixed – I’m about to view an encrypted page that contains some unencrypted information
    security.warn_submit_insecure – I submit information that’s not encrypted
    security.warn_leaving_secure – I leave an encrypted page for one that isn’t encrypted
    security.warn_entering_weak – I am about to view a page that uses low-grade encryption
    security.warn_entering_secure – I am about to view an encrypted page

    Reply
  12. The Google Chrome browser version 13.0.782.107 beta-m, and perhaps earlier versions are smart enough to show https in green when it’s safe, and in red when it’s not. The Walmart prescription renewal url is one example that demonstrates this.

    Again, that’s the page that you’re on, and it does not reflect the security of the page that you’re going to when you press “Submit”, “Login” or whatever after filling in your account details.

    Leo
    04-Aug-2011

    Reply
