13

There's this game at http://slither.io which I like to play. Only inputs that I give to it are space bar, and cursor location.

It's not https. Are there any risks?

puio

3 Answers

26

Yes, there is a risk.

HTTPS ensures not just confidentiality, but also integrity and authenticity. As such, an attacker could hijack the connection between you and the server and inject malicious JavaScript into your session.

How likely is that to happen?

Depends on how you connect to the server. If you are in your own home, then the likelihood is not very big. It's a risk still, don't get me wrong, but I don't want to cause unnecessary paranoia.

On the other hand, if you connect to a public access point (e.g. "free McDonald's Wifi"), then the chance of this happening is much much higher.

How severe is this?

Since there is no sensitive data there, the "usual" things like credential stealing or session hijacking are not applicable. However, depending on how determined the attacker is, they might redirect you to other malicious domains, exploit browser vulnerabilities, get you to download stuff or even get you to disclose credentials for other services (e.g. "Log in with your Google, Twitter or Facebook account to play").

As Eilon has pointed out in the comments, another potentially unwanted side-effect is that your ISP can tamper with the website you use. Some ISPs do this for arguably benign purposes, such as stripping whitespace off the HTML document before sending it to you, while others do more "intrusive" changes, such as compressing images, or even injecting advertisements into the website. While this is not a security-risk per se, it is unwanted behavior that can most effectively be combatted by using HTTPS.

Does that mean you should stop playing?

That depends completely on your risk appetite and whether or not the upsides outweigh the downsides for you personally.

  • 10
    "risk appetite" - I really like that phrase. Haven't heard it before – pushkin Oct 14 '20 at 18:43
  • 4
    IOW the risks are roughly the same as visiting a random website you don't trust, served over https. – R.. GitHub STOP HELPING ICE Oct 15 '20 at 17:34
  • Regarding "If you are in your own home, then the likelihood is not very big.": your internet service provider (ISP) might inject ads into HTTP content, but they cannot inject ads into HTTPS content. This isn't hypothetical: ISPs have done this. The ISP is unlikely to _attack_ you per se, but they could do things you don't want them to do. – Eilon Oct 15 '20 at 22:00
  • 1
    @Eilon Good point. I'll add that –  Oct 16 '20 at 10:55
5

Attacker-controlled javascript within browser sandbox

If you don't have any sensitive or valuable data or inputs within that site, the main risk IMHO is that since it uses HTTP, an attacker can impersonate the site owner and inject malicious javascript. The damage that it can do is limited by the browser sandbox, but it does create at least the following risks:

  1. Silent redirect to a spoofed page

One crude but effective approach for phishing is to wait for when the tab has become inactive, and then redirect to a spoofed phishing page saying something like 'Your e-mail/facebook/whatever session is expired, please log in again' - if the user has many stale tabs (and many do), then they can legitimately believe that they actually did have that service open there, and that it did just expire, and enter their credentials there.

  2. Enumeration and exploitation of local resources

Such Javascript can try and make network connections that would be otherwise prevented by a firewall or simple NAT on your home router, since they are not coming directly from the attacker but from the user workstation. For example, the open source BeEF toolkit (https://beefproject.com/) has some proof of concept modules that try to explore that. If you have unsecure services in your local network accessible via http (for example, a vulnerable local application or a printer or router config page) but not accessible from the public internet, malicious javascript can take you there.

  3. Breaking out of the sandbox

Every now and then, there are browser vulnerabilities that would allow malicious javascript (or other website-supplied content) to 'break out of the sandbox' and achieve arbitrary code execution. Those are rare, but they do exist.

It's worth noting that all these are things that can be done by any website you visit - so the usage of http does not create an additional risk compared to visiting a https page that's hosted by someone you don't trust. So if you feel comfortable opening random links on the internet containing fun stuff, then this is within your risk profile; but if you'd want to limit your browsing to specific well-known, somewhat trusted sites, then the usage of http means that perhaps you'll get not necessarily the site you intended but someone impersonating that.

Peteris
  • 5
    "It's worth noting that all these are things that can be done by any website you visit - so the usage of http does not create an additional risk compared to visiting a https page that's hosted by someone you don't trust." - this is very important. – user253751 Oct 15 '20 at 10:45
  • True to a point. OTOH, using plain http just means there's more exposure -- every hop your packet goes through on its way to the server is a new launching point for a potential attack, whereas with a https connection to a site, someone has to actually compromise those specific servers to replace content. You're vulnerable to the same attacks either way, but with plain HTTP, it's more potential places the attack can be launched from. – Charles Duffy Oct 15 '20 at 19:58
-3

HTTPS is used to encrypt data such as credit card information or other sensitive data. It is always possible that somebody could be a man in the middle and record your mouse movements, but I don't think this should be a cause for concern. What can an attacker possibly do knowing you moved your mouse around in a particular way? I doubt anybody would waste their time to do that. You certainly should not put personal information into it due to it being unsecure though. This game is also an app that gained some popularity some years ago if it makes you feel any better.

Coderxyz
  • 9
    HTTPS is not *just* confidentiality. –  Oct 14 '20 at 11:52
  • I thought it was https is encrypted with SSL and granted a certificate but http is not. Feel free to fill in anything I missed out. – Coderxyz Oct 14 '20 at 11:56
  • 2
    I highly recommend reading this question as a primer: https://security.stackexchange.com/questions/5126/whats-the-difference-between-ssl-tls-and-https –  Oct 14 '20 at 12:01
  • I will give it a read, thanks for recommending. – Coderxyz Oct 14 '20 at 12:03
  • I won't believe that apps are any safer just by the virtue of being apps. "On December 20, 2019, Twitter fixed a security vulnerability in its Android app that could allow a hacker to take over a user's account and send tweets or direct messages as well as see private account info.[400][401]" https://en.wikipedia.org/wiki/Twitter#Privacy,_security_and_harassment – puio Oct 14 '20 at 12:22
  • 1
    @puio, you're very much right about that -- typically, browser pages are in a more restrictive sandbox than native applications are. – Charles Duffy Oct 15 '20 at 00:00
  • @Coderxyz, ...so, you're right that https is encrypted, but the purpose of that encryption is not just to prevent others from _seeing_ the data that's transferred; it's also to prevent others from _modifying_ the data that's transferred. If you don't use SSL, you don't know that the game you're playing is the same game the people running the web server for the game are serving; it could be modified by someone in the middle (f/e, running a mutating proxy on the wifi network you're using) to try to exploit your browser's security bugs, or serve popunder ads, or who-knows-what. – Charles Duffy Oct 15 '20 at 00:01