HTTP and HTTPS

When transmitting private and confidential data over the Internet is should always be secured and encrypted so that prying eyes on the network cannot see the data being sent.

This mechanism typically uses the https protocol.

Hypertext Transfer Protocol Secure (HTTPS) is a widely-used communications protocol for secure communication over a computer network, with especially wide deployment on the Internet. Technically, it is not a protocol in itself; rather, it is the result of simply layering the Hypertext Transfer Protocol (HTTP) on top of the SSL/TLS protocol, thus adding the security capabilities of SSL/TLS to standard HTTP communications. - Wikipedia (https://en.wikipedia.org/wiki/HTTP_Secure)

If you are transmitting secure data and you are using the http protocol then it is not secure.

Hence, anyone can intercept the message and read the contents. Perfect for a “man in the middle’ attack.

How to explore around http and https
The easiest way to check whether the site you are connected to is secure is to check the browser address bar and look for https in the website address. Most browsers will also show a padlock to symbolize that the connection is secure and trusted.

There are a growing number of add-ons and tools for checking secure connections. Some browser add-ons can also force https for all connections.

Somebody "sniffing" the traffic between you and the servers on the internet can intercept your traffic and read the contents if it's not https. For example, let's say you logged in to a website that was not secure and not using https. Your username and password would be sent over the internet in clear text, i.e. completely visible to anyone "sniffing" the traffic.

That's why it is important to ensure you check that your website is secure when it needs to be.

To check you can use tools like Burpsuite, Charles Proxy or Fiddler to watch the traffic. If it's https then the messages being sent are likely to be garbled characters that don't make sense. This is good. If it's http then the content of the messages will be readable, including details such as usernames and passwords.

These tools allow you to watch and read the traffic but they also allow you to intercept the messages then do a number of different tests and attacks.

You could delete the message and see what happens to the system. Do you lose information, lose states, break the client, break the server, handle it gracefully, or do nothing?

You could forward the message to the server with different values. For example, you could change the price of some goods you are about to buy.

Intercepting messages is not just about security breaches and attacks. There are loads of examples in most web systems where missing messages can cause problems.

Explore and learn from each test that you do and you will soon build up experience of what flaws your website has. I often find that each test leads to new ideas when using proxies to intercept messages.

Useful Hint
In many “test environments" https security may not be enabled and configured so double check before generating bugs against https and SSL. Just make sure it’s on when the site goes live.

Useful Links
Good security for web checklist –
http://www.techrepublic.com/blog/security/ensure-basic-web-site-security-with-this-checklist/424

Differences between http and https - http://www.virtu-software.com/ask-doug/QandA.asp?q=7

Burpsuite - http://portswigger.net/burp/

Charles Proxy - http://www.charlesproxy.com

Fiddler - http://www.telerik.com/fiddler



If you’re interested in a career in Software Testing then check out my book Remaining Relevant And Employable (Tester’s Edition) - it’s packed full of ideas about writing good CVs, communicating your value to employers and doing well in an interview.