Is HTTPS really safe way to browse the WEB?

Certainly visiting websites such as your bank account or email via HTTPS is much safer than just by using HTTP. At least it should protect you from Man-in-the-middle-attack. But please remember that HTTP can set cookies that can be read in HTTPS space because cookies don’t follow the same origin policy in the way that JavaScript does. It’s has been known that accessing first page of the website via HTTP and then continue via HTTPS is not-so-secure-as-you-think.

However, even if you accessed the website via HTTPS from start it doesn’t guarantee you full protection.

Consider:

1) you visit https://secure.example.com/ which drops a cookie on your browser

2) you then visit http://www.google.com/ however a MITM inserts

<div style='visibility:hidden'>
   <iframe src='http://secure.example.com/'></iframe>
<div>

3) MITM sniffs your cookie from the request on the iframe

Or even if you (deliberately) navigate from https://secure.example.com/ to http://secure.example.com/ then the attacker doesn’t even have to inject any HTML to sniff the cookie.

And then there’s also the possibility of session fixation – where even if the cookie dropped by https://secure.example.com/ has the secure flag set, that’s no use if it sends back a session id it received in a non-secure cookie (again set via MITM).

But things became more obscure when we think about  consecutive requests. Just because the main page is using plain http doesn’t mean that the data sent to the server isn’t using SSL (and vice versa). Check out the Google’s Search page source and look at the URL the search button sends the form data to.

In conclusion I can say the following: use HTTPS from start for the most important resources for you and do not access them (even via HTTPS) from untrusted networks, such as public WiFi – there is still a possibility to be hacked.