From the FinallyFast Help Desk
Senator Charles E. Schumer of NY today called on providers of major websites in the United States, like Twitter, Yahoo, and Amazon, to switch default web addresses from the standard HTTP protocol to the secure HTTPS protocol after reports that hackers are granted easy access to users’ private information through common wireless networks found at coffee houses and book stores throughout New York and the country. Schumer pointed out that the proliferation of easy-to-use hacking programs allows identity thieves easy access to private information, like passwords, user names, credit card information, and browsing history that is stored in cookies of users of the same wireless network.
“The number of people who use WiFi to access the Internet in coffee shops, bookstores and beyond is growing by leaps and bounds, but these users are unaware that they are easy prey for hackers and identity thieves. It is scary how easy it is. Free WiFi networks provide hackers, identity thieves and spammers alike with a smorgasbord of opportunities to steal private user information like passwords, usernames, and credit card information,” said Schumer. “The quickest and easiest way to shut down this one-stop shop for identity theft is for major websites to switch to secure HTTPS web addresses instead of the less secure HTTP protocol, which has become a welcome mat for would-be hackers.”
Schumer noted that easy-to-use programs, like Firesheep, have made tapping into someone else’s computer, which at one time was a much more complicated and sophisticated process, easy for individuals who have little-to-no programming experience, opening the door to a greater population of would-be identity thieves. Through the unsecure HTTP extension, hackers are able to obtain access to the user’s web browsing history and perform functions on websites as if they were the individuals who were hacked. This ability to invade someone else’s online identity allows the hacker to operate on each website as the victim, potentially allowing the hacker to make purchases with user information, access the user’s Facebook page, send a Tweet from someone’s Twitter account, and gain access to private information stored on various websites. While some websites encrypt the user-provided information at their initial interface with the user, and some allow users to manually opt in to the HTTPS protocol, none of the websites Schumer wrote to today use HTTPS as the default for all use and browsing.
The growth and popularity of free WiFi access at coffee houses, bookstores and other establishments allow for greater exploitation of the security flaws in HTTP extensions. Users in establishments with WiFi networks that patrons are able to access are all simultaneously operating on the same Internet network, which provides the technological path to access someone else’s computer. While programs like Firesheep that provide access could be targeted by law enforcement officials for restriction, others will swiftly take their place as long as HTTP remains the default protocol for popular websites. It would be next to impossible to shut down each and every program that emerges and that allows access to a user’s cookies. The most significant and direct way to protect users and combat online identity theft would be to change Internet protocols that would create a firewall for access.
According to the digital think tank Digital Society, dozens upon dozens of popular websites operate with unsecured web addresses using the HTTP protocol. Despite the fact that this security flaw has been well known since at least 2007, major US websites have been slow in addressing it. Schumer’s letter to the companies asks that they address this vulnerability immediately in order to protect users’ private information and help protect Americans from identity theft.
“This security problem has been known for quite some time and hackers are getting better at creating programs that allow even the most inexperienced users the ability to hack into someone else’s computer,” said Schumer. “With the privilege of serving millions of U.S. citizens, providers of major websites have a responsibility to protect individuals who use their sites and submit private information. It’s my hope that the major sites will immediately put in place secure HTTPS web addresses.”