Hi. There is a website I like called "BetterThanChess", which is http. I was wondering if a hacker could read info from https tabs that were also open? I don't think so, as I read that only info between the user and the website could be leaked.
I'm not a hacker and I don't play one on TV, but I think that cookies you may have stored in your browser cache can be "seen" by a hacker over your http connection. I'm sure I'll be corrected in a short while, but I tend to stay away from http-only sites.
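On the cookie question raised above, here is an added example (not written by any poster in this thread) that models in simplified form the RFC 6265 rules a browser uses to decide which stored cookies accompany a request. The host names and cookie names are constructed, with `betterthanchess.example` as a placeholder for the site's real domain. Path matching, expiry, SameSite and public-suffix checks are left out.

```javascript
// Simplified model of RFC 6265 cookie selection (added example).
// Not modelled: path matching, expiry, SameSite, public-suffix checks.

// Constructed cookie jar: hosts and names are made up for illustration.
const jar = [
  { name: "bank_session", domain: "bank.example", hostOnly: true, secure: true },
  { name: "mail_session", domain: "mail.example", hostOnly: true, secure: false },
  { name: "chess_login", domain: "betterthanchess.example", hostOnly: false, secure: false },
  { name: "chess_pay", domain: "betterthanchess.example", hostOnly: false, secure: true },
];

// RFC 6265 section 5.1.3 domain-match: identical host, or (for cookies set
// with a Domain attribute) the host ends with "." + cookie domain.
function domainMatches(host, cookie) {
  if (host === cookie.domain) return true;
  if (cookie.hostOnly) return false;
  return host.endsWith("." + cookie.domain);
}

// Names of the cookies the browser would attach to a request for `url`.
function cookiesSentTo(url, cookies) {
  const { protocol, hostname } = new URL(url);
  const encrypted = protocol === "https:";
  return cookies
    .filter((c) => domainMatches(hostname, c))
    .filter((c) => encrypted || !c.secure) // Secure cookies never go over http
    .map((c) => c.name);
}

// Cookies readable by someone observing the connection: only those
// actually sent in a plaintext (http) request.
function exposedOnWire(url, cookies) {
  return new URL(url).protocol === "http:" ? cookiesSentTo(url, cookies) : [];
}

console.log(exposedOnWire("http://www.betterthanchess.example/play", jar));
console.log(exposedOnWire("http://mail.example/inbox", jar));
console.log(cookiesSentTo("https://bank.example/", jar));
```

In this model, a request to the http site carries only that site's own non-Secure cookie. A cookie from another site shows up in plaintext only if it was set without `Secure` and that site's own host is requested over http.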
Nowadays, sites which do not use https are sites which should really be avoided.
If the site only serves static pages, the risk is relatively low. BUT, if the pages are dynamic, such as for playing games interactively, the risk-level spikes exponentially!
IMPORTANT: There is no guarantee that "static" pages would not have been changed to "dynamic" pages at the next visit!
The key threats, because of lack of encryption, are
- Man-in-the-middle attacks (re-direction of connection to an alternate site displaying a false front),
- SQL-injection, causing server issues by taking advantage of documented/published "security holes", and
- risk of theft of any privacy-related personal information that is transmitted over such a connection (a.k.a. in the "clear").
Also, if not done through https, the MITM attack makes some HTTP "methods" high-risk.
Common safe HTTP methods are
- GET,
- HEAD, or
- OPTIONS.
Common unsafe HTTP methods are
- POST,
- PUT, and
- DELETE.
While it boils down to, mostly, server-side exposure, from an end-user perspective, malicious code injection via MITM attacks could lead to serious impact to the machine running the browser, as "little" as compromising (i.e. trojan or harvesting virus), but could extend to a ransomware event, if they managed to sneak in code that locked you out of your data or system!
A good summary of the additional risk to servers is offered in this article:
@ericmarceau Thanks for the great info. Maybe the makers of the site were creating a cool look for a popular game for Ransomware purposes.
If such was their intent, it is a low-cost high-reward investment for the perps! Add to that the AI-generation of code, and you never know where it can end up!