Newly discovered HTTPS flaw can expose supposedly secure URLs to wireless eavesdropping

When you use HTTPS, the addresses you visit are supposed to be encrypted, regardless of what network you’re connected to. A newly discovered vulnerability proves that’s not necessarily true.

If you’re connected to an insecure wireless network, especially one that isn’t vouched for, HTTPS alone won’t protect you, security researchers Itzik Kotler and Amit Klein said this week in a talk at the Black Hat security conference in Las Vegas. With the right configuration, a malicious network could discover every supposedly protected URL you visited.

“We will demonstrate that, by forcing your browser/system to use a malicious PAC (Proxy AutoConfiguration) resource, it is possible to leak HTTPS URLs,” says the talk’s description.

The vulnerability potentially affects Windows, Linux, and Mac computers regardless of browser: IE, Safari, and Chrome. But don’t panic about this affecting you at home, or at work. If you connect to a secure network, this doesn’t affect you. Instead, it’s something owners of supposedly free Wi-Fi networks could set up as part of a phishing operation.

It’s worth noting that the content of the sites you visit is not revealed by this vulnerability. But many sites put vital information, including usernames and even passwords, into URLs over HTTPS. It’s a bad security practice, but some developers assume that HTTPS protects information in such cases.

In other cases, even sharing the URLs you visit is too much information to give potential hackers.
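To make the exposure concrete, here is an added example (not from the talk or from any browser's code). It contrasts the full URL that a PAC script's `FindProxyForURL(url, host)` entry point can be handed with the same URL reduced to its origin, and audits URLs for secrets that should not be there. The parameter list, the path-token heuristic and the sample URLs are constructed assumptions.

```javascript
// Added example: audit URLs for secrets that a full-URL PAC lookup would expose.
// Assumed list of parameter names worth flagging; extend it for your own application.
const SENSITIVE = /^(user(name)?|login|pass(word|wd)?|pwd|token|access_token|api_?key|secret|session(id)?|reset)$/i;

// Heuristic (assumption): a long path segment containing a digit looks like a
// reset or session token rather than a human-readable slug.
const looksLikeToken = (seg) => /^[A-Za-z0-9_-]{24,}$/.test(seg) && /\d/.test(seg);

// The full URL versus the URL reduced to scheme://host[:port]/, which keeps
// path, query and userinfo away from whatever evaluates the PAC function.
function pacView(rawUrl) {
  const u = new URL(rawUrl);
  return {
    host: u.hostname,
    fullUrl: u.href,
    sanitizedUrl: u.protocol === "https:" ? `${u.origin}/` : u.href,
  };
}

// List the parts of a URL that carry credentials or token-like values.
function auditUrl(rawUrl) {
  const u = new URL(rawUrl);
  const findings = [];
  if (u.username || u.password) findings.push("userinfo");
  if (u.pathname.split("/").some(looksLikeToken)) findings.push("path-token");
  for (const name of u.searchParams.keys()) {
    if (SENSITIVE.test(name)) findings.push(`query:${name}`);
  }
  return findings;
}

// Constructed sample URLs, e.g. lines pulled from an application's route tests.
const SAMPLE_URLS = [
  "https://shop.example/login?user=alice&password=hunter2",
  "https://mail.example/reset/3f9c2b7e1a4d5c6b8e0f1a2b3c4d5e6f",
  "https://news.example/articles/https-flaw?page=2",
];

function report(urls) {
  return urls.map((url) => ({ ...pacView(url), findings: auditUrl(url) }));
}

console.log(report(SAMPLE_URLS));
```

Any URL with a non-empty `findings` list is one where the application relies on HTTPS to hide a secret that belongs in a request body or header instead.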

The only way to truly be safe from exploits like this is to not connect to networks you cannot vouch for. If you’re in a coffee shop, verify that it actually offers Wi-Fi, and confirm the network’s name, before connecting.

And even if an unsecured network is vouched for, assume that your information still might not be secure, even if you’re using HTTPS. Check out our guide to browsing the web privately, then set up a VPN or Tor to browse anonymously even on public networks. Even then, avoiding untrusted networks is probably the best bet.

Exploits like this prove that public Wi-Fi networks aren’t without risk, so take the time to inform yourself. It’s worth it.

Justin Pot
Former Digital Trends Contributor