MobileActive.org

HTTP, the Hypertext Transfer Protocol, is the data communication protocol you use when you broswe the web - as you probably know if you've noticed that website addresses usually begin with http://. HTTPS is the secure version of HTTP, which you might have seen being used for sensitive transactions like online banking and online shopping. When you are using the secure part of a site, the web address will begin with https://.

When using your mobile phone for sensitive communications, it is important to ensure that your online activities - whether researching or reading about an issue, sending an email, writing a blog post or uploading photos - are done over a secure connection. There are three elements of secure web browsing:

• Data must be transmitted in encrypted form, so that if it is intercepted it is unreadable.
• The identity of the website must be verified before sensitive data is transmitted.
•  If you do not want anyone to know that you are accessing a site, the source of the transmission (i.e. you) must be hidden, or anonymized.

HTTPS provides the first two of these. The identity of the remote site is verified by checking for a certificate, and the certificate is used to encrypt the transaction so that only the sender and the positively identified remote site can decrypt it. If you also need to anonymize your data, you should use a proxy or a service like Tor in addition to HTTPS.

Am I Browsing Securely?

To make sure that you are browsing securely, look for the following:

• A web address that starts with https://
• A lock icon, or other indicator from your browser that it has verified the site’s certificate and is encrypting all data transmissions to and from the site. If the lock icon is broken, open, or has an exclamation mark or question mark over it, you may not be browsing securely.

It’s a good idea to check for these two things whenever you are entering sensitive data - your username and password for an online account, your credit card details, a photo or video. Be aware that some sites may only support https for certain activities. Others, like Twitter and Facebook, may allow you to activate a setting to always use https, but still use http by default on the mobile version of the site.

Can Communications over HTTPS Be Compromised?

Even when using HTTPS, it is possible (though much less likely) that your communications can be eavesdropped. The two attacks below are used to obtain the unencrypted contents of your communication, which may include passwords, identity numbers, or credit card details.

• A man-in-the-middle attack occurs when someone on the same network as you (commonly on an open WiFi network, which you should avoid for sensitive activities) intercepts communication between you and a remote site. You think you are communicating with the remote site, but you are communicating with the man in the middle. The remote site thinks they are communicating with you, but they too are deceived. The man-in-the-middle sees both sides of the communication unencrypted.
• An attack on a certificate authority (CA) occurs when an attacker aquires control of a certificate issuing authority (CA) and are able to issue fake SSL certificates. In this case, the remote site identifies itself to be exactly who you expect - your webmail, your bank - but is in fact a malicious impersonator. A recent attack on certificate issuing authority  Comodo briefly allowed an Iranian-based attacker to issue valid certificates for Gmail, Skype and Hotmail.

How Can I Make My Mobile Browsing Safer?

Unfortunately, many of the security features we take for granted in modern web browsers are harder to implement in mobile browsers.

• Be particularly cautious about unknown or suspicious-looking sites when browsing from you phone.
• Use a well-patched, up-to-date browser on a PC to check out a site before using it for sensitive communications on your phone.
• When accessing sites you use often, watch out for any unusual warning messages. The warning below is your browser’s way of alerting you to a mismatch between the URL of the website and the URL for which a certificate has been issues. This is usually because of an administrative mistake, but could be a sign of a man-in-the-middle attack.
• If you are using a smartphone, make sure you are receiving updates to your mobile browser as well as to your operating system.

Resources

• A great explanation of man-in-the-middle attacks from Bruce Schneier
• Security company F-Secure’s report on the attack on certificate issuing authority Comodo
• An example of what happens when a vulnerability is discovered in a mobile browser - in this case, Google’s first Android phone, the G1 (note this is a 2008 article).