Zscaler Blog

Security Research

SSL: The Sites Which Don't Want To Protect Their Users

November 24, 2010

Last week I explained some of the challenges that websites face when switching to SSL to protect their users. The main challenge is to send the correct SSL certificate in all cases.

Some websites make it very hard, or even impossible, to use secure connections to protect their sessions. It has been exactly a month since Firesheep was released to demonstrate the problem of session side-jacking, but these websites are still not willing to do anything about this problem.

Here are some of these sites, all part of the list of domains monitored by Firesheep.

Amazon: no HTTPS for you!

It is just not possible to use https://www.amazon.com/! This address redirects users to http://www.amazon.com/.

Permanent redirection from HTTPS to HTTP

To their credit, users must log in again over HTTPS to place an order, but over plain HTTP Amazon still exposes plenty of information about the logged-in user: first name, last name, what they are interested in, full access to their shopping cart, etc.

Basecamphq.com: 37signals.com certificate

If you go to https://www.basecamphq.com/, you get a certificate for 37signals.com. This isn't very helpful for users who are not aware that BaseCamp is a product of the company 37Signals.

SSL certificate valid for a very different domain name

Facebook: hidden HTTP connection, HTTPS login fails

I logged into my Facebook account using https://www.facebook.com/. Out of the 10+ requests required to display my home page, one of them is done to http://www.facebook.com/ap.php. This request does carry all the cookie values needed to hijack my account. There is currently no way to surf Facebook safely.

Insecure HTTP connection

There is a worse scenario. I logged out of my account, and went to the secure login page https://www.facebook.com/. I entered the wrong password by accident. I was then redirected to the secure page https://login.facebook.com/login.php. There, I entered my password correctly. But I was redirected to the unsecured http://www.facebook.com/home.php (no HTTPS)!

Redirection from secure login page to unsecured home page
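As an added example (not code from the post or from Zscaler), here is an offline audit in Python that checks a single HTTPS response for the three weaknesses described above: a redirect back to HTTP, a certificate that is not valid for the host, and cookies or same-site subresources that would travel in the clear. Every host, header, body and certificate name in it is constructed sample data.

```python
import re

# Added example (not from the original post): offline audit of one HTTPS response
# for the three weaknesses above. All sample hosts, headers, bodies and certificate
# names below are constructed, not captured traffic.

SUBRESOURCE = re.compile(r"""(?:src|href|action)\s*=\s*["']http://([^/"'?#]+)""", re.I)

def cert_matches_host(host, cert_names):
    """True if host is covered by a certificate DNS name (one-level wildcard only)."""
    host = host.lower()
    for name in (n.lower() for n in cert_names):
        # "*.example.test" covers exactly one extra label, so compare the remainder
        wildcard = name.startswith("*.") and host.split(".", 1)[1:] == [name[2:]]
        if wildcard or name == host:
            return True
    return False

def same_site(host, other):
    """A cleartext request to the site or one of its subdomains carries its cookies."""
    base = host[4:] if host.startswith("www.") else host
    return other == base or other.endswith("." + base)

def audit_https_response(host, status, headers, cert_names, body=""):
    """Return findings for one HTTPS response; headers is a list of (name, value)."""
    findings = []
    if not cert_matches_host(host, cert_names):
        findings.append(f"certificate is for {sorted(cert_names)}, not {host}")
    for name, value in headers:
        name = name.lower()
        if name == "location" and 300 <= status < 400 and value.lower().startswith("http://"):
            findings.append(f"{status} redirect from HTTPS to {value}")
        elif name == "set-cookie":  # without Secure the browser also sends it over HTTP
            cookie = value.split("=", 1)[0].strip()
            attrs = {p.strip().split("=", 1)[0].lower() for p in value.split(";")[1:]}
            if "secure" not in attrs:
                findings.append(f"cookie {cookie} set without the Secure flag")
    for other in SUBRESOURCE.findall(body):  # same-site mixed content leaks cookies
        if same_site(host, other.lower()):
            findings.append(f"loads http://{other}; cookies go out in clear")
    return findings

# Constructed samples mirroring the three cases above (not real responses).
SAMPLES = {
    "redirect": ("www.shop.test", 301, [("Location", "http://www.shop.test/")], ["www.shop.test"], ""),
    "wrong-cert": ("www.app.test", 200, [], ["vendor.test", "*.vendor.test"], ""),
    "mixed": ("www.social.test", 200,
              [("Set-Cookie", "sid=abc123; Path=/; HttpOnly"), ("Set-Cookie", "pref=1; Path=/; Secure")],
              ["*.social.test"], '<img src="http://www.social.test/ap.php">'),
}
```

Running `audit_https_response(*SAMPLES[name])` for each sample reproduces one finding per weakness; on real traffic the inputs would come from the response headers, the served HTML and the certificate's CN/SAN entries.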

Although Firesheep has made a lot of noise, and the issue of session side-jacking has now been widely reported on, even the major sites have not taken the necessary actions to protect their users. It is very sad to see that sites such as Facebook, widely used by a large and diverse audience, are still very insecure.

This was just a quick review of a few sites; I'm sure plenty of other sites have the same weaknesses.

Happy Thanksgiving!

-- Julien