FOR IMMEDIATE RELEASE: February 28, 2011
SCHUMER: WIRELESS NETWORK CONNECTIONS AT COFFEE HOUSES AND BOOKSTORES ALLOW EASY ACCESS TO HACKERS; ALLOWS THEM TO STEAL PRIVATE INFORMATION ON USERS OF POPULAR WEBSITES LIKE TWITTER, YAHOO, AND AMAZON
United States Senator Charles E. Schumer today called on providers of major websites in the United States, like Twitter, Yahoo, and Amazon, to switch default web addresses from the standard HTTP protocol to the secure HTTPS protocol after reports that hackers are granted easy access to users’ private information through common wireless networks found at coffee houses and book stores throughout New York and the country. Schumer pointed out that the proliferation of easy-to-use hacking programs allows identity thieves easy access to private information, like passwords, user names, credit card information, and browsing history that is stored in cookies of users of the same wireless network.
“The number of people who use WiFi to access the Internet in coffee shops, bookstores and beyond is growing by leaps and bounds, but these users are unaware that they are easy prey for hackers and identity thieves. It is scary how easy it is. Free WiFi networks provide hackers, identity thieves and spammers alike with a smorgasbord of opportunities to steal private user information like passwords, usernames, and credit card information,” said Schumer. “The quickest and easiest way to shut down this one-stop shop for identity theft is for major websites to switch to secure HTTPS web addresses instead of the less secure HTTP protocol, which has become a welcome mat for would-be hackers.”
Schumer noted that easy-to-use programs, like Firesheep, have made tapping into someone else’s computer, which at one time was a much more complicated and sophisticated process, easy for individuals who have little-to-no programming experience, opening the door to a greater population of would-be identity thieves. Through the unsecure HTTP extension, hackers are able to obtain access to the user’s web browsing history and perform functions on websites as if they were the individuals who were hacked. This ability to invade someone else’s online identity allows the hacker to operate on each website as the victim, potentially allowing the hacker to make purchases with user information, access the user’s Facebook page, send a Tweet from someone’s Twitter account, and gain access to private information stored on various websites. While some websites at their initial interface with the user encrypt the user-provided information, and some allow users to manually opt-in to the HTTPS protocol, none of the websites Schumer wrote to today use HTTPS as the default for all use and browsing.
The growth and popularity of free WiFi access at coffee houses, bookstores and other establishments allow for greater exploitation of the security flaws in HTTP extensions. Users in establishments with WiFi networks that patrons are able to access are all simultaneously operating on the same Internet network, which provides the technological path to access someone else’s computer. While programs like Firesheep that provide access could be targeted by law enforcement officials for restriction, others will swiftly take their place as long as HTTP remains the default protocol for popular websites. It would be next to impossible to shut down each and every program that emerges and that allows access to a user’s cookies. The most significant and direct way to protect users and combat online identity theft would be to change Internet protocols that would create a firewall for access.
According to the digital think tank, Digital Society, dozens upon dozens of popular websites operate with unsecured web addresses using the HTTP protocol. Despite the fact that this security flaw has been well known since at least 2007, major US websites have been slow in addressing this significant security flaw. Schumer’s letter to the companies asks that they address this vulnerability immediately in order to protect users’ private information and help protect Americans from identity theft.
“This security problem has been known for quite some time and hackers are getting better at creating programs that allow even the most inexperienced users the ability to hack into someone else’s computer,” said Schumer. “With the privilege of serving millions of U.S. citizens, providers of major websites have a responsibility to protect individuals who use their sites and submit private information. It’s my hope that the major sites will immediately put in place secure HTTPS web addresses.”
A copy of Schumer’s letter can be found below.
Dear [Provider of Major Website],
As the operator of one of the world’s most popular websites, you provide a valuable service to internet users across America. With the privilege of serving millions of U.S. citizens, however, comes the responsibility to protect them while they are on your site.
I am writing to you today because your site currently does not appear to have a secure HTTPS protocol as its default. When consumers use your site on the standard HTTP protocol, their activity and data – including sensitive personal information – are vulnerable to monitoring by anyone on their network. That means that a person using one of the increasingly popular public Wi-Fi networks can easily and unwittingly become the victim of malicious hackers.
In an age when consumers are increasingly using public Wi-Fi hotspots, this vulnerability poses a serious threat to security and privacy on the internet. Without HTTPS as the default for all interface with a website, anyone on a Wi-Fi network is subject to snooping. This means that a hacker could view a person’s personal login information, passwords, purchase activity, what kinds of products he is shopping for or articles he is reading, and much more. All of this can be done without the user having any idea; indeed, most consumers don’t even know to check for whether the website they are browsing is using an HTTPS or HTTP protocol, and even fewer would know how to opt-in to the secure version.
I am therefore calling on you to make the switch to a default HTTPS protocol for all browsing on and interface with your site. Many other companies have already made this change, and it would be in the public interest for you to do so as well. Your customers – and my constituents – deserve to have their information kept as safely as possible.
You have already proven yourself to be a leader in the field of internet businesses; I hope you will take this opportunity to step up and become a leader in the field of consumer protection as well.
Charles E. Schumer