- Dec 30, 2012
- 4,809
Interesting read!
We often say, “HTTPS is secure,” or “HTTP is not secure.” But what we mean is that “HTTPS is hard to snoop and makes man-in-the-middle attacks difficult” or “my grandmother has no trouble snooping HTTP.”
Nevertheless, HTTPS has been hacked, and under some circumstances, HTTP is secure enough. Furthermore, if I discover an exploitable defect in a common implementation supporting HTTPS (think OpenSSL and Heartbleed), HTTPS can become a hacking gateway until the implementation is corrected.
HTTP and HTTPS are protocols defined in IETF RFCs 7230-7237 and 2828. HTTPS was designed as a secure HTTP, but saying HTTPS is secure and HTTP is not still hides important exceptions.
Virtual machines (VMs) and containers are less rigorously defined, and neither was intentionally designed to be more secure than the other. Therefore, the security issues are still murkier.
More
We often say, “HTTPS is secure,” or “HTTP is not secure.” But what we mean is that “HTTPS is hard to snoop and makes man-in-the-middle attacks difficult” or “my grandmother has no trouble snooping HTTP.”
Nevertheless, HTTPS has been hacked, and under some circumstances, HTTP is secure enough. Furthermore, if I discover an exploitable defect in a common implementation supporting HTTPS (think OpenSSL and Heartbleed), HTTPS can become a hacking gateway until the implementation is corrected.
HTTP and HTTPS are protocols defined in IETF RFCs 7230-7237 and 2828. HTTPS was designed as a secure HTTP, but saying HTTPS is secure and HTTP is not still hides important exceptions.
Virtual machines (VMs) and containers are less rigorously defined, and neither was intentionally designed to be more secure than the other. Therefore, the security issues are still murkier.
More