Wilders Security Forums  

#1 - March 7th, 2009, 08:27 AM
TKHgva (Regular Poster; Join Date: Feb 2009; Location: Confoederatio Helvetica; Posts: 77)
Why is HTTPS not default in my online accounts?

Hello,

After reading a couple of posts dealing with online banking and stressing to strictly use secured websites with HTTPS, I went over to check the homepage addresses of the online accounts I have in my bookmarks. I was surprised to see that they were all HTTP by default. So I then added the "s" at the end and hit enter once again. A new page loaded for most of the websites in "HTTPS" (also taking more time to download, which I imagine is a sign that a secure connection is being established?).

Can anybody help me figure out: why is it not by default HTTPS when I go onto the e-banking website for example?

Is that a problem from my browser (Opera) or something similar?
Or is HTTP default in all cases when we visit a website, then we have to change it to HTTPS to "secure" it?

Thanks for any help on this topic.
#2 - March 7th, 2009, 12:05 PM
FiOS Dan (Regular Poster; Join Date: May 2006; Location: Redondo Beach, CA; Posts: 86)
Re: Why is HTTPS not default in my online accounts?

I'm running Opera and I just checked the B of A website. It automatically went to HTTPS.
__________________
Republic...I like the sound of the word.
#3 - March 7th, 2009, 12:29 PM
TKHgva (Regular Poster; Join Date: Feb 2009; Location: Confoederatio Helvetica; Posts: 77)
Re: Why is HTTPS not default in my online accounts?

Quote:
Originally Posted by FiOS Dan
I'm running Opera and I just checked the B of A website. It automatically went to HTTPS.

True, I went to B of A directly from the address bar and from Google search; both land on the https website automatically.

It's strange, unless I'm not using things correctly, I'm not a professional with the computer.

But look, I tried the following:

You know, in Opera one can type directly in the address bar: paypal.com and it will take you there. So I type paypal.com and I land on an https website for PayPal America. Then I type paypal.ch, which is for Switzerland, and I land on an http website.

However, if I add an "s" after http and then press enter, it takes me to the same page (PayPal Switzerland home) but in https. Then my bank: it has an http and an https website, just like PayPal Switz.

I don't get it: if it's supposed to be secure when you go to PayPal/bank online, why are there two types of websites? One is secure and the other isn't, because it's http? I'm lost.

Also, I Google PayPal Switzerland and it only has www in front (in search results), whereas PayPal Intl. has https?
#4 - March 7th, 2009, 12:51 PM
FiOS Dan (Regular Poster; Join Date: May 2006; Location: Redondo Beach, CA; Posts: 86)
Re: Why is HTTPS not default in my online accounts?

Perhaps some sites require you to login before flipping to HTTPS?
__________________
Republic...I like the sound of the word.
#5 - March 7th, 2009, 01:05 PM
TKHgva (Regular Poster; Join Date: Feb 2009; Location: Confoederatio Helvetica; Posts: 77)
Re: Why is HTTPS not default in my online accounts?

Ah, you're right, I think. If I go to PayPal.ch http, then click sign in, it flips to https, along with the lock sign, which means it's all secure.

However, I still remain with questions as to why PayPal US or B of A are https immediately when you go to the website, and others not.

It's probably a detail of configuration of the certain websites or something I imagine; anyway, looks like it's just a minor detail but in the end we're in https so it's alright.

Thanks for responding to the post.
#6 - March 7th, 2009, 02:53 PM
JRViejo (Global Moderator; Join Date: Jul 2008; Posts: 10,440)
Re: Why is HTTPS not default in my online accounts?

Quote:
Originally Posted by TKHgva
However, I still remain with questions as to why PayPal US or B of A are https immediately when you go to the website, and others not.
TKHgva, when you read recent articles, like the two below, you'll understand why some sites direct a visitor to HTTPS right away:

Online thieves scam state of Utah out of $2.5 million (Bank of America)
When paranoia isn't enough (PayPal)
#7 - March 7th, 2009, 03:50 PM
FiOS Dan (Regular Poster; Join Date: May 2006; Location: Redondo Beach, CA; Posts: 86)
Re: Why is HTTPS not default in my online accounts?

I read those articles but they do not explain why some sites do not redirect right away. Is the implication that those may be man-in-the-middle exploits?
__________________
Republic...I like the sound of the word.
#8 - March 7th, 2009, 04:40 PM
TKHgva (Regular Poster; Join Date: Feb 2009; Location: Confoederatio Helvetica; Posts: 77)
Re: Why is HTTPS not default in my online accounts?

JRViejo,

Just read the two articles. Wow!

The loss of, what, $700K by the State of Utah, that's a terrible thing.
What do these people have in their mind to do this? "States have been slashing funding allocations and contemplating tax increases as a means of balancing their budgets, which makes a recent revelation concerning the state of Utah's treasury all the more embarrassing." It's maybe a public service which provides basic care to the less fortunate citizens of the State of Utah that will pay the consequences for such a scam. It's not like they robbed a millionaire; they robbed a public treasury that is necessary for providing services to the people. In the end it's the citizens of Utah State that will feel the effects of the loss of budget.

I don't understand these people who commit robberies, online or directly. Even if one is in need, one cannot oppress another to get his bread. (sorry, off topic)

I'm also shocked about the PayPal article. Actually really disturbed. My own PayPal account has been "behaving" strangely the past 3 days or so, no "surprise" withdrawal (yet) though.

Thanks for posting, JRViejo, because I thought I was getting paranoid all by myself and asking questions about small things; but after those articles I really would like to understand:

- why when one goes to PayPal.com or Bank of America it's immediately https, and why on another bank (like mine) or PayPal.ch there's 2 "options": either one can type http or https and land at the same homepage, one being secured and the other not?

Just saw your post FiOS Dan and I follow with same interrogation as you.

Like you said in your first post "it requires login to flip to https perhaps"; so following that logic: homepage is http, we sign in, then flips to https. But then why is there on the internet two identical websites for PayPal.ch, one in normal http, and the other with the lock in the address bar (https)? Why not https from start?

And someone on the forum answered another post of mine when I had asked: at what point is secure connection established for e-banking? I was told that secure connection is naturally established immediately upon arriving at the website; and it sounds more logical that way too.

Just to understand how the attack works: if we go through a man in the middle to log into Paypal for example, do we end up logging into our account or not?
Could the first http website for Paypal.ch be a man in the middle, and then we get redirected to the authentic paypal (https), while in the meantime our login data is being recorded?

I checked in the Firefox browser as well to see if maybe it's because of my site preferences/cookies I keep in Opera. In Firefox, I can also see "two" Paypal.ch websites (the snaps are in the attachment; it's clear when it's secure - https - you can see the LTd which is not seen in the other snap).

Don't know if this is all paranoia.

Sorry, I've got to learn to make posts more brief...

PS I hope someone can advise on the security tokens in "privacy software" forum because I am definitely going to purchase a token after the article on PayPal from JRViejo.
Attached Images

Last edited by TKHgva : March 7th, 2009 at 04:45 PM.
#9 - March 7th, 2009, 04:46 PM
TKHgva (Regular Poster; Join Date: Feb 2009; Location: Confoederatio Helvetica; Posts: 77)
Re: Why is HTTPS not default in my online accounts?

Opera snaps:

(I think it's paranoia on my side more than anything else, but who knows, we always think it happens to others...)
Attached Images
#10 - March 7th, 2009, 07:35 PM
JRViejo (Global Moderator; Join Date: Jul 2008; Posts: 10,440)
Re: Why is HTTPS not default in my online accounts?

Quote:
Originally Posted by FiOS Dan
I read those articles but they do not explain why some sites do not redirect right away. Is the implication that those may be man-in-the-middle exploits?
The reason why some sites do not use HTTPS comes down to cost. That is, until the site is hacked and then, after being sued, a company scrambles to institute encrypted protocols. It's like closing the barn after the horses have left. The point that I was trying to make by providing the article links was that companies, stung by huge losses, decide to go the HTTPS route from that point forward, instead of continuing to offer 2 different Web site versions to customers.

Read Hypertext Transfer Protocol over Secure Socket Layer for a simple explanation of what's required to establish a secure server.
#11 - March 7th, 2009, 07:45 PM
JRViejo (Global Moderator; Join Date: Jul 2008; Posts: 10,440)
Re: Why is HTTPS not default in my online accounts?

Quote:
Originally Posted by TKHgva
- why when one goes to PayPal.com or Bank of America it's immediately https, and why on another bank (like mine) or PayPal.ch there's 2 "options": either one can type http or https and land at the same homepage, one being secured and the other not?
Most banks have switched to HTTPS, instead of using 2 different versions of the same site, but in your case, asking them as to why they maintain both sites is a prudent question IMO.

Since you use Firefox, take a look at this add-on: Perspectives, from Carnegie Mellon University. I became aware of this add-on while reading this article: Firefox extension protects against man-in-the-middle attacks, last year, and it works brilliantly. Perhaps you should install it and visit your HTTPS sites to see if they are legitimate or not.
#12 - March 8th, 2009, 04:21 AM
TKHgva (Regular Poster; Join Date: Feb 2009; Location: Confoederatio Helvetica; Posts: 77)
Re: Why is HTTPS not default in my online accounts?

Quote:
Originally Posted by JRViejo
Most banks have switched to HTTPS, instead of using 2 different versions of the same site, but in your case, asking them as to why they maintain both sites is a prudent question IMO.

Thanks for the reply.

I'll check with my bank and PayPal Switzerland to get an answer as to why it's not all secured from start. I imagine this flaw could be used. I'll mention to them the risk they are taking, perhaps by mentioning such articles.

I use Opera, but thanks for the add-on anyway. I'm still going to use it to check if the sites are legitimate, to pursue this "investigation" all the way through.

Again, those articles were eye-opening. Thanks for posting them.

PS I found this tool on the PayPal US website, helps identify if emails from PayPal are authentic. Haven't tried it yet, downloading now. But doesn't seem to fit in all email clients.

Last edited by TKHgva : March 8th, 2009 at 12:06 PM.
#13 - March 8th, 2009, 08:27 PM
traxx75 (Regular Poster; Join Date: Jun 2008; Posts: 105)
Re: Why is HTTPS not default in my online accounts?

It may be as simple as reducing traffic overhead in order to save on bandwidth and computational costs. HTTPS increases load so companies will identify as much data as possible to send in cleartext in order to reduce this impact.

As people have already mentioned, there are security implications when running both secure and non-secure versions of a site. One exploit against poorly-coded systems is termed "Surf Jacking" and potentially allows someone to steal your session cookies even if you use HTTPS.
#14 - March 9th, 2009, 02:44 AM
TKHgva (Regular Poster; Join Date: Feb 2009; Location: Confoederatio Helvetica; Posts: 77)
Re: Why is HTTPS not default in my online accounts?

Quote:
Originally Posted by traxx75
It may be as simple as reducing traffic overhead in order to save on bandwidth and computational costs. HTTPS increases load so companies will identify as much data as possible to send in cleartext in order to reduce this impact.

I understand the need to diminish bandwidth and computational costs for corporations and thus send as much data as possible in clear text. However, in the case of financial institutions, where it's inherently sensitive on both the client's and the bank's sides, may we conclude that if a bank decides to use this approach in its IT practices, especially for the e-banking homepage, it's basically giving priority to cost reduction over offering a guarantee of enhanced security for its e-banking clients?

Is this particular practice rather the norm amongst banks? Because I see the PayPal US and Bank of America are instantly HTTPS, while PayPal Switz. or another bank does what you explained.

Quote:
Originally Posted by traxx75
As people have already mentioned, there are security implications when running both secure and non-secure versions of a site. One exploit against poorly-coded systems is termed "Surf Jacking" and potentially allows someone to steal your session cookies even if you use HTTPS.

Thanks for the link. The paper is very instructive. Finally I have a clear picture about the process involved with cookies.

A question: the first scenario described in the paper mentions that the victim, after login to http.somesecurebank.com, opens another tab/browser window which makes it possible for the surf jacker to "acquire" the bank's session cookie.

Is it a basic guideline to follow that when we perform online transactions, we only open one single tab/browser window until the secure session is over with?

Last edited by TKHgva : March 9th, 2009 at 03:10 AM.
#15 - April 15th, 2009, 04:25 PM
lotuseclat79 (Very Frequent Poster; Join Date: Jun 2005; Posts: 1,914)
Re: Why is HTTPS not default in my online accounts?

ForceHTTPS, a Firefox Add-on from the Stanford encryption lab, comes with preconfigured protection for Gmail, PayPal, American Express, Bank of America, Chase, and Fidelity.

-- Tom
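A defender-side check for the two issues raised in this thread: traxx75's point (post #13) that a session cookie on a site served over both http and https can be stolen, and the HTTPS-pinning idea behind the ForceHTTPS add-on in the post above. This is an added example, not code from the thread, from the Surf Jacking paper or from any add-on named here; the two responses and the host bank.example are constructed.

```python
from http.cookies import SimpleCookie

# Weakness 1 ("surf jacking"): a session cookie set without the Secure
# attribute is attached by the browser to any plain http:// request for the
# same host, so a site that serves both http and https leaks it in cleartext.
# Weakness 2: a site meant to be HTTPS-only should answer http:// requests
# with a redirect to https:// and send Strict-Transport-Security, so the
# browser pins HTTPS itself (what the ForceHTTPS add-on did client-side).

def audit_cookies(set_cookie_headers):
    """Return names of cookies the browser would also send over plain HTTP."""
    leaking = []
    for raw in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(raw)
        for name, morsel in jar.items():
            if not morsel["secure"]:   # flag absent -> sent on http:// too
                leaking.append(name)
    return leaking

def audit_http_landing(status, headers):
    """Check that an http:// landing page forces HTTPS and pins it with HSTS."""
    h = {k.lower(): v for k, v in headers.items()}
    redirects = status in (301, 302, 307, 308) and \
        h.get("location", "").startswith("https://")
    return {"redirects_to_https": redirects,
            "hsts": "strict-transport-security" in h}

def audit(response):
    """Combine both checks for one (status, headers, set-cookie list) tuple."""
    status, headers, cookies = response
    result = audit_http_landing(status, headers)
    result["leaking_cookies"] = audit_cookies(cookies)
    return result

# Constructed sample: homepage served on both schemes, session cookie without
# Secure (the "poorly-coded" case); bank.example is a hypothetical host.
WEAK_RESPONSE = (200, {"Content-Type": "text/html"},
                 ["SESSIONID=abc123; Path=/; HttpOnly"])
# Constructed sample: the hardened configuration for the same site.
STRONG_RESPONSE = (301, {"Location": "https://bank.example/",
                         "Strict-Transport-Security": "max-age=31536000"},
                   ["SESSIONID=abc123; Path=/; Secure; HttpOnly"])

if __name__ == "__main__":
    print("weak:  ", audit(WEAK_RESPONSE))
    print("strong:", audit(STRONG_RESPONSE))
```

Running it reports the weak site as neither redirecting nor sending HSTS and names SESSIONID as a cookie exposed on plain http; the hardened site passes all three checks.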
 
