Mastodon

I'm Sorry You Feel This Way NatWest, but HTTPS on Your Landing Page Is Important

Occasionally, I feel like I'm just handing an organisation more shovels - "here, keep digging, I'm sure this'll work out just fine..." The latest such event was with NatWest (a bank in the UK), and it culminated with this tweet from them:

This was after a concerned customer and then myself trying to explain to them that serving their home page over a non-secure connection wasn't such a good idea. The "I'm sorry you feel this way" tweet was in response to me laying things out in what I thought was a pretty crystal-clear fashion:

Their original argument - and certainly they're not alone in this misconception - is that because the landing page of the website doesn't have anything sensitive on it then it doesn't require HTTPS:

So, let's just look at the home page for a moment and break down all the problems in the highlighted areas:

Insecure NatWest Landing Page

It's served over HTTP so it's not an encrypted connection and can therefore be intercepted, the traffic read, modified or requests redirect to other locations. We're seeing "Not secure" next to the address bar because I've typed something into the search box. This change began rolling out in Chrome in October and I would opine that "Not secure" is not what you want to see on your bank (although as I've said before, "bank grade" security is not necessarily a virtue either).

And then we have the link to the login page which is the source of much of this controversy. That link takes you off to https://www.nwolb.com/default.aspx which is indeed encrypted. The padlock next to that link is of zero functional value and importantly in the context of this post, is the only padlock on the page because the browser won't give you one due to the non-secure connection!

Here's the problem in the simplest terms I can put it:

NatWest acknowledges that HTTPS is important because they have it on their login page and (presumably), all their banking pages. Agree?

They're using HTTPS because of the aforementioned threats involving someone getting in the middle of the connection and messing with traffic. Still with me?

If someone is messing with traffic then they can modify non-secure requests. Yeah?

The NatWest landing page in non-secure and it serves up this bit of HTML for the login link:

NatWest Login Link

But because of all the things we just agreed on, that link could just as easily be changed to this:

Fake-NatWest-Login-Link

Get it? It's just a "w" versus "uu" change (and yes, you could go and register nuuolb.com right now), then you can go and stand your own site up on that domain and phish the credentials.

Edit: Shortly after publishing this post, NatWest went and registered that domain in what I assume is an attempt to stop a man in the middle intercepting their traffic and making a visually trivial change to a URL. Alarmingly though, nw0lb.com is still available as is nuu0lb.com and it-doesnt-matter-because-that-isnt-the-point.com.

Alternatively, you could do as Scott Helme just demonstrated and use sslstrip to grab everything:

And just as a brief reminder of how prevalent intercepting and modifying someone's traffic is, imagine your ISP injecting hundreds of lines of their own JavaScript into your bank's site:

Now fortunately Comcast is getting the press they so rightly deserve for this, but you can see the point.

We're on a march towards HTTPS everywhere. Almost 70% of web traffic today is encrypted and organisations not getting with the program are being increasingly penalised for lagging behind. A bank - of all sites - should be getting this right or at the very least, taking the discussion offline and deferring to their tech folks. Oh - and Twitter's CSIO has some good advice for these circumstances too ?

These days, the minimum accepted criteria is HTTPS across everything with HSTS preload. If you're not sure where to start, give my 6-Step "Happy Path" to HTTPS a go!

BTW NatWest - while you're fixing stuff, make sure you also reply to people reporting security vulnerabilities:

Edit: A day later and NatWest was on the front of the BBC's tech page:

To their credit, they also very quickly started redirecting the landing page to HTTPS albeit with a couple of glitches:

So to the NatWest folks - kudos for responding quickly! But do read that 6-Step "Happy Path" post and get upgrade-insecure-requests in there pronto.

SSL Security
Tweet Post Update Email RSS

Hi, I'm Troy Hunt, I write this blog, create courses for Pluralsight and am a Microsoft Regional Director and MVP who travels the world speaking at events and training technology professionals