Assistant research scientist Dave Levin (left) and assistant professor Tudor Dumitras worked to analyze website certificates in order to identify administrators who are leaving their users vulnerable to attacks.
The cliché about the Internet is that you never really know who you’re talking to online. The nice girl from New Jersey you chat with could be a man from Minnesota. The African prince who offers you money might not be from Africa at all.
People know this is true about individuals, but they don’t often realize that entire websites can be shams. What may look like an online shopping or banking website may be a facade set up by hackers to steal information.
A pair of university researchers analyzed online security and found that a majority of websites did not follow proper security protocols before or after the Heartbleed leak in April, an oversight that could have allowed those websites and their users to be compromised.
Dave Levin, an assistant research scientist at the computer science department, said researchers set out to see if websites were protecting themselves properly.
“It turns out the answer is no,” Levin said.
To confirm a website’s identity and secure its traffic, a certificate authority issues each website a certificate, which most browsers indicate with a lock icon to the left of the domain name. With help from other researchers from Northeastern University and Stanford University, Levin and Tudor Dumitras, a computer and electrical engineering professor, found that an alarmingly high number of websites still do not have correctly reissued certificates, even after the Heartbleed leak, he said.
Using a database of the Alexa top 1 million websites, they found that 90 percent of websites applied the patch after the leak, Levin said. Caused by a software bug, Heartbleed allowed hackers to read private information from servers, and the patch stops the bug from being exploited. But Levin said more protection is necessary.
Levin said that 27 percent of websites that should have reissued their certificates did so, and 13 percent of sites that should have revoked their old certificates did so.
“Tens of thousands of websites absolutely should have revoked their certificates,” he said.
Even after applying the patch, any of these sites that did not reissue and revoke their certificates could have remained vulnerable, because an attacker who read a certificate’s private key while the site was still unpatched can keep using that key until the certificate is revoked.
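The three checks the study applied (patched, reissued, revoked), written out as an added example that is not part of the article or of the researchers’ own tooling. It assumes the Heartbleed public disclosure date of April 7, 2014, and runs over constructed site records rather than live certificates:

```python
from dataclasses import dataclass
from datetime import date

DISCLOSURE = date(2014, 4, 7)  # public disclosure of Heartbleed (assumed date); every check keys off it

@dataclass(frozen=True)
class Site:
    host: str
    vulnerable_after_disclosure: bool  # served a vulnerable OpenSSL after 2014-04-07
    patched: bool                      # the bug is no longer present
    old_serial: str                    # serial of the certificate served at disclosure
    old_key: str                       # fingerprint of that certificate's public key
    cur_serial: str                    # serial of the certificate served now
    cur_key: str                       # fingerprint of the current public key
    cur_not_before: date               # validity start of the current certificate
    revoked: frozenset                 # serials the CA lists as revoked (CRL/OCSP)

def assess(site):
    """Return which remediation steps a site needed and which it actually took."""
    # A host exposed while vulnerable needs a new cert: its key could have been read.
    needs_new_cert = site.vulnerable_after_disclosure
    reissued = (site.cur_serial != site.old_serial
                and site.cur_key != site.old_key  # re-signing the old key does not help
                and site.cur_not_before >= DISCLOSURE)
    revoked = site.old_serial in site.revoked
    return {
        "patched": site.patched,
        "needs_new_cert": needs_new_cert,
        "reissued": reissued,
        "revoked": revoked,
        # Whoever holds the old key can impersonate the site until it is revoked.
        "still_exposed": needs_new_cert and not (reissued and revoked),
    }

def summarize(sites):
    """Study-style rates: patched over all sites; reissued/revoked over sites needing a new cert."""
    results = [assess(s) for s in sites]
    need = [r for r in results if r["needs_new_cert"]]
    pct = lambda n, d: round(100.0 * n / d, 1) if d else 0.0
    return {"patched": pct(sum(r["patched"] for r in results), len(results)),
            "reissued": pct(sum(r["reissued"] for r in need), len(need)),
            "revoked": pct(sum(r["revoked"] for r in need), len(need))}
# Constructed sample records; hosts, serials and key fingerprints are made up.
SITES = [
    Site("a.example", True, True, "01", "kA", "07", "kA2", date(2014, 4, 12), frozenset({"01"})),
    Site("b.example", True, True, "02", "kB", "08", "kB2", date(2014, 4, 15), frozenset()),
    Site("c.example", True, True, "03", "kC", "03", "kC", date(2013, 6, 1), frozenset()),
    Site("d.example", True, False, "04", "kD", "04", "kD", date(2013, 9, 1), frozenset()),
    Site("e.example", False, True, "05", "kE", "05", "kE", date(2014, 1, 1), frozenset()),
]
```

Only a.example completes all three steps; b.example and c.example show the gap the researchers describe, a site that is patched but whose old certificate is still trusted.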
“There are two main attacks that can be done,” Dumitras said. “One of them is a phishing attack, so you go through the site, and the site says, ‘I am Bank of America,’ so you type in your password, your username and some other private information.”
The other is a “man-in-the-middle attack,” said Dumitras, who along with Levin works in the Maryland Cybersecurity Center, a lab in the university’s Institute for Advanced Computer Studies.
“You go to that site believing it’s Bank of America,” he said. “The site would forward you to the real Bank of America, and then you would do the regular transaction that you wanted to do with the bank, but then this site would be able to see everything you do.”
Certificates might not have been reissued because of the manual work that requires, but Levin said this is a major security problem that needs to be fixed.
“This wasn’t just about Heartbleed,” Levin said. “We don’t just need to fix this for the Heartbleed vulnerability — even though we do need to fix it for this because it won’t go away for years — but we need to fix this for future vulnerabilities as well.”
Phyllis Dickerson Johnson, the communications director for the Division of Information Technology, wrote in an email to The Diamondback that the university’s services under DIT control were not affected by Heartbleed. Students should apply software updates and patches promptly to protect themselves, she wrote.