With the rise in high-profile hacking attacks, digital security has become a primary concern and has made encryption more mainstream than ever. Features like WhatsApp’s end-to-end encryption and iPhone’s newly encrypted storage show the rising popularity of securing digital data. However, there is one form of encryption that has been in use for years, and without realizing it, you probably use it every day. It’s called Hypertext Transfer Protocol Secure, or “HTTPS,” and it is widely used by websites to make users’ browsing experiences safer and more secure. But what is HTTPS? How is it different from the regular “HTTP”? And, most importantly, why should you care?
HTTPS is the secure version of the protocol used to connect to websites. It provides a layer of protection on top of the regular protocol, HTTP.
When you visit a website using normal HTTP, your browser finds the IP address associated with the URL you’re trying to access, connects to it, and then sends all of the data in plain, unencrypted text. This method is problematic for two reasons.
One: If someone is monitoring your connection – for example, spying on a public Wi-Fi network – they would be able to read all of the data that is sent from your browser to that website, including sensitive information like passwords or financial details. This information can also be read by your internet service provider.
Two: Browsers have no way to verify that the website you are visiting is legitimate. If the Wi-Fi network you are connected to has been compromised and is redirecting you to an imposter website, there would be no way for your browser to tell. Both of these weaknesses can lead to theft of passwords, credit card information, and other private data.
HTTPS fixes both of those issues and provides a more secure browsing environment. It adds two layers of security on top of normal HTTP and is enabled whenever you see an address starting with “https” or a lock icon in your browser’s address bar.
The first advantage that HTTPS provides is making sure that the website you’re connecting to is legitimate. When using HTTPS, the website you’re connecting to provides a digital certificate to prove its authenticity. The certificates are cryptographic “keys” issued by third-party companies and are theoretically impossible to forge. Once the browser receives the certificate, it checks it to verify that you’ve connected to the legitimate website. If the network you’re on is compromised and is redirecting you to a spoof website, the browser won’t be able to verify the key and will alert you that something is wrong.
Using the certificate and other cryptographic methods, the browser also encrypts all of the data that’s being sent to the website. Passwords, emails, financial details, and all other pieces of information sent to and from the website are protected. The browser automatically encrypts the data in a way which ensures that only the proper recipient – the website itself – can understand it. Anyone monitoring the connection, including your ISP, would only be able to see garbled nonsense. That way, sensitive information cannot be stolen from you while you use the internet.
HTTPS is great, but it’s not perfect. HTTPS depends on companies that issue certificates. While the certificates themselves cannot be forged, the companies that make them could be hacked and used to issue illegitimate certificates, as in the case of the company DigiNotar in 2011. Since the whole system relies on the certificates being legitimate, it breaks down when some are not. Luckily, this kind of attack rarely happens, and the companies are quite good when it comes to their own security.
Another issue with the protocol is that it can only encrypt what’s being sent to the website, but not which website is being visited. This means your ISP, or somebody monitoring a public Wi-Fi network, can still see what websites are being accessed. If you are interested in hiding what websites you visit, you can use a virtual private network.
Lots of websites offer an HTTPS version to connect to, but some don’t use HTTPS by default. To make sure you are always using a secure protocol when possible, you can use the HTTPS Everywhere extension. The extension will ensure that whenever you connect to a website that supports HTTPS, it uses that protocol instead of the less secure HTTP. It works out of the box with hundreds of websites, and you can configure it to enable HTTPS on even more websites.
HyperText Transfer Protocol Secure is a great piece of technology which helps bring the advantages of encryption to the web. Best of all, you don’t even have to do anything to use it – it works in the background, automatically. As more and more websites begin to use HTTPS, I predict we’ll soon see a widespread adoption of the protocol, and when that happens, it will lead to a safer and more secure internet for everyone.