The “S” in HTTPS might as well stand for “Sometimes” rather than “Security.” The purpose of HTTPS is to provide a secure layer that prevents nefarious actors from eavesdropping on important data traveling over the web. In reality, HTTPS has major gaps in safety, and the proliferation of mobile devices at the edge makes them worse.
Root Certificates, The Achilles Heel of HTTPS
While HTTPS is generally secure, and a far better choice for websites than plain HTTP, it is not perfect. A compromised root certificate can give attackers the ability to eavesdrop on mobile devices accessing SaaS applications.
HTTPS Security Challenge 1
HTTPS deployment errors are so common that most user agents let users override errors reported during certificate validation. Moreover, HTTPS can only secure the first hop. If a user's request is routed to the server through multiple hops, such as a content delivery network (CDN), HTTPS guarantees security only between the user and the CDN server; the final server is neither secured nor validated by the client, and a problem on that leg will not be detected.
HTTPS Security Challenge 2
HTTPS primarily ensures that a given website either does or does not present a certificate chaining to a trusted root. The website's owner obtains that certificate by proving control of the website and its content.
“The risk is simple: in this scenario HTTPS will not stop the user from accessing a phishing website.” – Kumar Vishwanathan, CTO, Privafy
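The two gaps described above, a client that clicks through a validation error and a certificate that only proves control of a name, can both be made explicit in client code. The following Python example is added here for illustration and is not Privafy's code or part of the original article. It uses only the standard library, takes a constructed DER blob and a constructed `getpeercert()` dictionary as sample input, applies certificate pinning as one defender-side mitigation for a compromised root, and shows that what validation actually establishes is the list of names in the certificate, nothing about whether the site is a phishing site.

```python
import hashlib
import socket
import ssl

# Constructed sample inputs so the checks run offline (not real certificates).
SAMPLE_DER = b"constructed DER bytes standing in for a server certificate"
SAMPLE_PEERCERT = {
    "subject": ((("commonName", "app.example.com"),),),
    "issuer": ((("commonName", "Example DV CA"),),),
    "subjectAltName": (("DNS", "app.example.com"), ("DNS", "www.example.com")),
    "notAfter": "Jan  1 00:00:00 2030 GMT",
}


def make_strict_context() -> ssl.SSLContext:
    """Client context with no 'ignore the warning' path.

    The chain must validate to a trusted root, the name must match and
    TLS 1.2 is the floor; a failure raises ssl.SSLCertVerificationError
    instead of offering the user an override.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_policy(ctx: ssl.SSLContext) -> dict:
    """Summarise the validation policy a context enforces (for audits and tests)."""
    return {
        "check_hostname": ctx.check_hostname,
        "verify_required": ctx.verify_mode == ssl.CERT_REQUIRED,
        "min_tls12": ctx.minimum_version >= ssl.TLSVersion.TLSv1_2,
    }


def cert_fingerprint(der: bytes) -> str:
    """SHA-256 over the DER-encoded certificate, hex encoded; this is the pin value."""
    return hashlib.sha256(der).hexdigest()


def pin_matches(der: bytes, expected_pins) -> bool:
    """Enforce a pin after chain validation has already succeeded.

    A rogue or compromised root can mint a chain that validates for the
    same name, but it cannot reproduce the pinned certificate bytes, so
    the pin check fails and the connection must be abandoned.
    """
    return cert_fingerprint(der) in set(expected_pins)


def names_proved_by(peercert: dict) -> list:
    """Return the DNS names that a validated certificate actually vouches for.

    Domain validation establishes control over these names and nothing
    else: it says nothing about whether the site is legitimate or phishing.
    """
    sans = [value for kind, value in peercert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    # Fall back to the subject CN only when no SAN entries exist.
    return [v for rdn in peercert.get("subject", ()) for k, v in rdn if k == "commonName"]


def connect_pinned(host: str, expected_pins, port: int = 443) -> bool:
    """Strict TLS handshake to `host`, then enforce the pin.

    Only the hop the client terminates TLS with is verified. If `host` is a
    CDN edge, the edge-to-origin leg is outside the client's view entirely.
    """
    ctx = make_strict_context()
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
    return pin_matches(der, expected_pins)
```

`connect_pinned("app.example.com", {pin})` performs the live check; the pin set needs a rollover entry added before each certificate renewal or the client hard-fails. Pinning the leaf certificate, as here, is the strictest form and also the one that breaks most often, which is why production deployments commonly pin a public key (and often an intermediate's) instead. Neither the strict context nor the pin changes the CDN caveat in the docstring: the client can only ever verify the endpoint it is talking to.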
A Revolutionary Approach For Trust Between Two Endpoints
- As a result, organizations can now create more robust “peer-to-peer” encryption between the enterprise’s mobile app and its cloud application services.
- Privafy’s proprietary secure channel safeguards the keys exchanged between the Privafy cloud and your endpoints from being accessed. Your mobile application’s users can then securely access sensitive data hosted by the SaaS application provider or the enterprise.
- Peer-to-peer encryption and incorruptible security between two endpoints fill the security gaps associated with HTTPS. Privafy’s outbound security classifies over 32 billion URLs, not just domains, and looks deeper into each webpage to identify malicious, phishing and illegal websites. The URL list is refreshed dynamically every few minutes, which provides a more sophisticated level of security than relying on HTTPS alone.
Finally, since Privafy uses proprietary technology, Absolute Encryption, together with cloud-based key management and secure client identity verification, the likelihood of successful offline brute-force decryption or man-in-the-middle theft of data or PII is dramatically reduced.