HTTPS is vulnerable to attack, and we can expect the situation to worsen over time. In two to five years, serious compromises of the Web's underlying security structure could take place more frequently at the criminal level.
This doesn't mean that HTTPS is broken - it still provides strong protection against many online threats. But for individuals and corporations, the lesson here is that HTTPS shouldn't be solely relied upon.
E-commerce, online banking or simply logging securely into an online account - these things wouldn't be possible without HTTPS. The same can be said for new areas of growth like the cloud, mobile payments and Internet-connected devices.
And yet, while so much is riding on the Internet's ability to function securely and protect its users, not enough is being done to keep pace with a growing number of threats that could diminish the reliability of the cryptographic systems that make a secure Internet possible.
Not least among these threats is the Edward Snowden disclosure, reported back in September, which allegedly shows that the U.S. National Security Agency has been able to influence the security standards used to protect HTTPS, and has been able to bypass it.
But the threat to HTTPS isn't just at the nation-state level. It's also filtering down to the average criminal.
One of these threats was recently the subject of a Department of Homeland Security alert. It's an attack that is able to bypass the encryption of an HTTPS website, such as your online bank, allowing a hacker to hijack a person's account in just 30 seconds. Three other attacks similar to this have come out in the past couple of years. There are also other attacks which take advantage of certain flaws in HTTPS to render it useless.
At the same time, hackers have also figured out how to spoof, or impersonate, legitimate websites by breaking into Certificate Authorities - the same companies that are supposed to be protecting the integrity of the Web. Lastly, new research is finding ways to crack one of the core public-key algorithms, RSA, that forms the very backbone of the Internet's security.
For the individual, it's important to take additional precautions to protect yourself. The most important of these is to start using a virtual private network (VPN) to add another layer of security on top of HTTPS. Since many VPNs are built on the same SSL/TLS technology that is vulnerable to these attacks, it's best to use a VPN that relies on IPsec.
Other steps to take include limiting what you do over WiFi - perform sensitive tasks like online banking only over a wired Ethernet connection. Additionally, consider buying a cheap netbook or Chromebook that is used only for online banking, and keep a dedicated credit card for online purchases.
Enterprises should also reassess their level of risk. Like consumers, corporations rely on Web security to protect their internal operations from attack. It's critical to implement defense-in-depth across all areas of their networks - even those inside the firewall. They should also require software vendors to ship security updates that patch against many of these threats.
Companies should also protect their websites against these attacks by implementing the six-point mitigation strategy outlined in the DHS Vulnerability Note VU#987798.
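The vulnerability note referenced above, VU#987798, concerns the BREACH compression side channel, and one of the mitigations it lists is masking secrets: XOR the secret with a fresh random value on every response so that the bytes reaching the page never repeat. The Python below is an added illustration written for this article, not code from DHS, CERT or the BREACH researchers; the page template, the token value, the guess strings and the `mask_token`/`unmask_token`/`leak_gap` helpers are all constructed for the demo. It measures how much a DEFLATE-compressed response shrinks when reflected input repeats a prefix of an unmasked secret, and shows that the same measurement carries no usable signal once the secret is masked.

```python
"""Secret masking against the HTTPS compression side channel.

Added example, not code from the DHS/CERT note. Assumptions: a page embeds
a per-session CSRF token near attacker-reflected input, and the server
DEFLATE-compresses the response. All values below are constructed.
"""
import secrets
import zlib
from typing import Optional

# Constructed sample session secret (16 bytes). Not a real token.
TOKEN = bytes.fromhex("3f9a7c1e5d2b8046a9c3e17f0b5d6248")


def mask_token(token: bytes, mask: Optional[bytes] = None) -> bytes:
    """Return mask || (token XOR mask).

    A fresh random mask is drawn for every response, so the bytes that reach
    the page differ each time even though the underlying token is constant.
    `mask` may be passed explicitly only to make tests reproducible.
    """
    if mask is None:
        mask = secrets.token_bytes(len(token))
    if len(mask) != len(token):
        raise ValueError("mask must be as long as the token")
    return mask + bytes(t ^ m for t, m in zip(token, mask))


def unmask_token(masked: bytes) -> bytes:
    """Server-side inverse: recover the token from mask || (token XOR mask)."""
    if len(masked) % 2:
        raise ValueError("masked token has odd length")
    half = len(masked) // 2
    mask, xored = masked[:half], masked[half:]
    return bytes(x ^ m for x, m in zip(xored, mask))


def render_page(token_field: str, reflected: str) -> bytes:
    """Constructed HTML response: a hidden CSRF field plus an echoed query."""
    return (
        "<html><body>"
        "<form method='post'><input type='hidden' name='csrf' value='"
        + token_field
        + "'><input type='submit'></form>"
        "<p>You searched for: " + reflected + "</p>"
        "</body></html>"
    ).encode()


def compressed_len(body: bytes) -> int:
    """Size on the wire if the server DEFLATE-compresses the body."""
    return len(zlib.compress(body, 9))


def leak_gap(token_field: str, correct_guess: str, wrong_guess: str) -> int:
    """Bytes saved when the reflected input repeats a true prefix of the token
    field, compared with an unrelated reflection of the same length.

    A large positive gap means the compressed size betrays the secret; a gap
    that hovers around zero means the compressor sees nothing to reuse.
    """
    return (compressed_len(render_page(token_field, wrong_guess))
            - compressed_len(render_page(token_field, correct_guess)))


# Constructed reflections of equal length: one echoes the start of the real
# token, the other is unrelated hex that shares no 3-character run with it.
CORRECT = "value='" + TOKEN.hex()[:28]
WRONG = "value='" + "e4b7d90a2f6c8153b6e0d4a791c2"


def unmasked_gap() -> int:
    """Token rendered as-is: the correct guess compresses noticeably better."""
    return leak_gap(TOKEN.hex(), CORRECT, WRONG)


def masked_gap() -> int:
    """Token masked per response: both guesses cost about the same."""
    return leak_gap(mask_token(TOKEN).hex(), CORRECT, WRONG)


def masked_page_hides_secret() -> bool:
    """The hex the browser receives never contains the token's own hex, so
    there is nothing for a reflected guess to compress against, yet the server
    can still recover the token from the masked field."""
    field = mask_token(TOKEN).hex()
    return TOKEN.hex()[:28] not in field and unmask_token(bytes.fromhex(field)) == TOKEN


if __name__ == "__main__":
    print("unmasked gap (bytes):", unmasked_gap())
    print("masked gap   (bytes):", masked_gap())
    print("masked page hides secret:", masked_page_hides_secret())
```

In a real application the mask is applied where the token is written into the template and removed where the form is validated; the token stored in the session never changes. Masking only removes the secret from the compressor's view, so it does not help for other sensitive data reflected on the same page, which is why the note pairs it with further measures such as disabling compression or separating secrets from user input.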
It's also important to consider the next step for HTTPS. With researchers predicting that the RSA algorithm will be defeated in the next two to five years, it's time for the security industry to get serious about a replacement.
There is one available - it's called Elliptic Curve Cryptography (ECC). The problem is that it's not widely used, and many Certificate Authorities don't accept it. Over the next few years, enterprises should pressure the security industry to start accepting viable alternatives to RSA - and they should start preparing their own organizations for the switch.