What is HTTPS and Why is it so damn Important?
If you’re like most people, you probably don’t spend a lot of time thinking about the thousands of technologies that underlie your internet experience. As long as you can type in an internet address and the page you wanted pops up a few seconds later, all is well right?
The problem is that information is passing between your computer and the computer that hosts the website you’re visiting. On the way, that information has to pass through many other devices on the internet. That means someone else can capture those packets of data and inspect them. If you don't do something to protect that information they'll see everything that your sending and receiving as clear as day. What if it's very sensitive information, like a credit card number? It's a scary thought, but if the site you are visiting is using HTTP instead of HTTPS that's exactly the sort of situation you'll be in.
Wait, What's HTTP?
Before we can get to know how HTTPS protects your precious data, it's a good idea to first talk about plain old HTTP.
The acronym is short for hypertext transfer protocol. Sounds fancy right? "Hypertext" is actually just the proper name for the links that exist within web pages. The fundamental technology of the web is after all the ability for pages to link to each other.
In the very early days, a web page would have simply contained plain text and hypertext links. These days web pages are obviously much more complex than just text and links. They have formatting, pictures, video, sound and much more. This is thanks to the latest version of HTML or hypertext markup language. This is the code that websites are written in.
Notice that both acronyms mention hypertext, and that's because they have very specific jobs when it comes to hypertext.
HTTP, being a protocol, describes how the HTML document should be transferred from the server to your computer. Together they make the part of the internet known as the world wide web work.
OK, So What Does HTTPS Do?
What's the difference between HTTP and HTTPS? Obviously, it's the "S" at the end! If you were wondering, it stands for "secure" and that's because HTTPS adds all-important technology to this standard web protocol to prevent the wrong eyes from seeing your information.
How does it do this? Let's look at the normal HTTP process for comparison.
When you use your web browser to look up a web page, it asks a DNS server for the IP address of the website address you typed in. The DNS server gives it the address and the browser establishes a connection to the server waiting on the other end. The HTTP protocol lets these two computers understand each other and they begin sending information back and forth.
Great, but There are Issues
HTTP technology and really the internet itself wasn't created with the idea that the different computers would have trust issues with each other. There were only going to be a few of them and they'd be places like universities and large business.
That's obviously not how it turned out. Billions of people are using the web today and the entire network is buzzing with sensitive transactions all the time. Because of the total lack of security in HTTP that opens up several serious risks.
The first one we've already addressed: eavesdropping. Your data gets intercepted and used for all sorts of criminal purposes.
The second is a little more sophisticated. What if the DNS server we talked about just know gives your computer the IP address of a fake website? The address looks right, but the actual site is a fake meant to trick you. With plain HTTP there's no real way to verify that the server you are connected to is really the one you should be connected to.
The third problem is that plain HTTP websites are vulnerable to modification if intercepted. For example, if your internet service provider wanted to modify the site before it gets to you, there's nothing that stops them from doing it. This means they can block content or otherwise sensor your browsing. By extension, your own government could interfere with the flow of information.
The answer to this is encryption and that's what the big "S" in HTTPS brings to the table.
HTTPS and Certification
When your browser connects to an HTTPS website, it's presented with a digital certificate. This certificate is evidence that the website you're connected to is the one you meant to visit. This is possible because the certificate is issued by a trusted central authority. It also contains a unique signature and other information that makes it virtually impossible to fake. At least if everything is done right.
This is why you can shop and bank on the internet with peace of mind. That being said, plenty of people are still caught out by a type of scam known as phishing. This is where you are sent a link in an email claiming to be from the legitimate website but are taken to a different site meant to look like the real thing. If you type the correct address in yourself, however, there's virtually zero chance of going to the wrong website.
HTTPS and Encryption
The key technology behind HTTPS, digital certificates and all the rest is encryption. This is the art of taking a plain text message as with HTTP and then encoding it so that only those with the right digital key can get the plain text back again.
This isn't just some simple code that anyone can crack either. Modern encryption standards are so strong that even the fastest supercomputers in the world would take thousands and thousands of years to break the encryption. Any properly-configured HTTPS website is going to keep your interactions with it safe with an incredibly high degree of security.
How to Make Sure You're Using HTTPS
HTTPS is a wonderful technology, but not everyone is using it. So how can you know if the site you are visiting is properly secured with HTTPS? The good news is that the latest versions of all modern browsers have clear indicators to show you if a site is secure or not.
For example, here I'm visiting a website that isn't secured.
You can usually see a warning message right next to the address bar. It's common to show an open padlock to signify there is no HTTPS.
The other clue, which is rather obvious, is that the site address starts with "https".
However, one important factor to consider is that any website can get a certificate that validates its domain name. If you created a website called g00gle.com, you could make it HTTPS and get a certificate. So despite being HTTPS and certified it's still a scam site that will fool a bunch of people. The only real defense against this is to enter addresses yourself and make sure the URL is 100% correct.
In other words, just because a site is encrypted and certified, it doesn't mean the site is above board. If it's an online store or something you've never heard of before, you should check third-party sources to make sure they can be trusted.
HTTPS is Becoming the Norm
Although HTTPS was created to only secure some aspects of web use, most sites are choosing to encrypt and secure all their web traffic.
There are a couple of reasons for this, but the increasing threats to privacy through the harvesting of seemingly innocent data is a big part of it. Even search engines such as Google are now encrypting your searches. After all, you don't want to get in trouble for the sorts of things you search for right?
Because computers (including web servers) are getting so much faster, the burden of decrypting web traffic is becoming trivial. Since HTTPS is becoming such a low-hanging fruit, the question is why you wouldn't want to use it. Now whether you want to.
There's also the arrival of HTTP/2. This new protocol brings massive performance advantages to the web along with a long list of awesome features. In order to make use of HTTP/2 with a modern browser, HTTPS is required.
Even Google has an intentional pro-HTTPS bias. Secure sites basically rank better, which is acting as a major incentive to get sites secured. If the web as a whole is making the shift to HTTPS, that's probably a good sign that you should care whether a given site is secure or not!
How to Get HTTPS Everywhere
Although this positive trend is ongoing, there are still millions of sites out there that still don't have HTTPS protection. This can be for various reasons, but it's often older sites that lack maintenance or small amateur operations. Is there any way to extend the safety blanket to these sites as well?
Actually yes! The Electronic Frontier Foundation has created browser extensions for just about every major browser. It's called HTTPS Everywhere and uses sophisticated methods to recode HTTP sites into HTTPS on the fly. It fixes multiple common security errors for these sites and makes your overall browsing that much safer.
Is HTTPS Enough?
Despite how awesome HTTPS is and the good things it's doing for the web, it really isn't enough for great overall privacy and security.
Remember that HTTP traffic is only one of many different protocols and internet applications. You might be sending files via FTP or downloading torrents. There are apps sending information back home without any indication of whether it's encrypted or not. So while HTTPS is essential, if you really want to ensure that all of your internet traffic is protected by the same encryption that HTTPS employs.
The answer is to use a VPN or virtual private network. This technology creates a network "tunnel" and then funnels all of your data packets through it. Everything gets encrypted so that no one can eavesdrop on you. Combined with HTTPS, a VPN covers almost all of your bases and is a fine security setup for most regular users. If you don't know where to start when looking at VPNs, give ExpressVPN a try. It's a great all-around choice.
Holistic Security is the Rational Choice
In order to benefit from modern internet technology while balancing the privacy and security risks it brings, you have to take a holistic approach. In other words, you can't just trust in a single technology or strategy and then hope all will be well.
HTTPS is part of a security toolset that involves all sorts of approaches. For one thing, you need to stay streetwise when it comes to the web. Knowing the most common scams and signs of fraud will save you when technology can't.
Your technological solutions also need to be flexible and effective. Combining HTTPS, VPNs, virtual machines and services like Tor can provide privacy and security equal to more than the sum of their individual parts. Understanding HTTPS' purpose and role in this wide world of security technology helps you craft the right solutions for you. So now you know the most important facts about HTTPS. No more excuses for unsecured browsing!