Over the last twenty years or so, the Internet has grown in size and popularity to an extent that would have previously been unimaginable to most of us. Central to this success is the encryption protocol that allows us to access websites and web services securely. Without this protocol, you could not shop online without your credit cards being stolen, and there would be no online banking or online tax returns. This protocol is called HTTPS.
HTTPS stands for HTTP Secure (or HTTP over SSL/TLS), and it is the cornerstone of all security on the Internet. Traditionally, use of HTTPS was largely limited to websites that required security (for example online banking websites), or was deployed on otherwise unsecured websites only where security was needed (for example commercial websites’ shopping basket and payment processing pages).
In the wake of Edward Snowden’s revelations about the scale of mass and indiscriminate government surveillance, however, public concern over Internet security has grown considerably. It is now increasingly common for websites to use HTTPS in order to protect visitors’ privacy, even on websites where no sensitive data is processed.
This process has been accelerated by industry support for greater HTTPS use. For example, Mozilla now deprecates non-HTTPS-secured search results, and the Electronic Frontier Foundation (EFF) has pushed for greater use of HTTPS with its Let’s Encrypt campaign.
How can I tell if a website is secure?
It is easy to tell if a website you visit is secure – just look for a closed padlock icon to the immediate left of the main URL/Search bar. If you see a padlock, then you know that the website is secure.
Most browsers will also display https:// before the web address in the URL bar (although some, such as the new Microsoft Edge browser, do not).
If the padlock icon is green, it means that the website is using an Extended Validation (EV) Certificate, which in theory should provide greater trust in the website. It shows that the website has verified its domain name, and that the domain name belongs to the company you would expect to own the website: for example, that www.google.com does indeed belong to Google.
How does HTTPS protect me?
When you visit a regular (HTTP) website that is not secured with HTTPS, everything you do on that website can be watched by your ISP, or anyone who cares to poke their nose in (such as criminal hackers or the NSA).
When a website uses HTTPS, everything you do when you visit that website is protected from prying eyes using TLS encryption. Your ISP (and anyone else watching) can see that you have visited a certain website, but cannot see what you subsequently get up to on that website.
Because HTTPS uses end-to-end encryption, all data that passes between your browser and the website is securely encrypted. A side benefit of this is that it is safe to connect to HTTPS websites even when using an insecure Internet connection (for example when using a public WiFi hotspot).
In addition to this, the TLS authentication used helps to protect against Man-in-the-Middle (MitM) attacks. It does this by verifying that the website your browser connects to is indeed the website it thinks it is connecting to.
For the geeks out there, HTTPS uses X.509 Public Key Infrastructure (PKI). In this asymmetric key encryption system, a web server presents your browser with its public key; anything your browser encrypts with that public key can only be decrypted with the server’s matching private key, which never leaves the server. MitM attacks are prevented using HTTPS Certificates, which digitally bind a website’s public cryptographic key to an organisation’s details.
These HTTPS Certificates are issued by recognised Certificate Authorities (CAs), which certify that a website’s public key is indeed owned by the party named in the certificate. If your browser recognises the CA that has validated a website’s HTTPS Certificate, it will accept the connection as genuine, and display a locked padlock icon.
Is HTTPS perfect?
The first thing to stress is that HTTPS is very good! If it wasn’t, then the Internet as we know it would have collapsed long before now! Nothing, however, is entirely perfect. If you paid attention to the last couple of paragraphs, it should be clear that HTTPS relies on a web of trust. If a Certificate Authority starts to issue dodgy HTTPS Certificates, then the entire system falls apart.
Unfortunately, there are currently some 1200 recognised CAs, and these can be (and have been!) leant on by governments (the main culprit), hacked by criminals, or intimidated by organised gangs. Equally unfortunately, there is no way to revoke a bad certificate short of each browser developer issuing an updated version of their browser.
If a compromised CA issues a fake certificate, your browser will accept it as genuine.
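To make the trust model from the PKI paragraphs above, and the compromised-CA weakness just described, concrete, here is an added example written for this article (it is not code from the author or from any browser vendor). It uses Go’s standard crypto/x509 package to create two self-signed root CAs, have each issue a certificate for the same hostname, and then make the browser’s padlock decision against a trust store. The CA names and www.example.com are made-up values, and every certificate is generated in memory, so it runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// sign produces a certificate for tmpl whose public key is pub, signed by signer (the issuing CA's key).
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err) // a template error is a programming bug in this demo
	}
	cert, _ := x509.ParseCertificate(der)
	return cert
}

// NewCA makes a self-signed root certificate and its private key: a Certificate Authority. Name is a made-up label.
func NewCA(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	return sign(tmpl, tmpl, &key.PublicKey, key), key
}

// IssueLeaf has the CA bind a domain name to a fresh server public key, exactly what an HTTPS certificate does.
func IssueLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, domain string) *x509.Certificate {
	serverKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: domain},
		DNSNames: []string{domain}, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	return sign(tmpl, ca, &serverKey.PublicKey, caKey)
}

// BrowserAccepts is the padlock decision: does leaf chain to a root in the trust store and name this domain?
// Any root in the store is trusted equally, which is why one compromised CA undermines every site.
func BrowserAccepts(trustStore []*x509.Certificate, leaf *x509.Certificate, domain string) bool {
	pool := x509.NewCertPool()
	for _, root := range trustStore {
		pool.AddCert(root)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: domain})
	return err == nil
}
```

With only the honest root in the store, a certificate for www.example.com issued by the second CA is rejected; add that second root to the store and the same forgery passes, which is the weakness the article describes.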
A more theoretical weakness with HTTPS is highlighted in a 2014 research paper, which showed that detailed traffic analysis could identify individual webpages visited on an HTTPS-secured website with 89 per cent accuracy.
Before you panic, however, it should be noted that this method relies on performing a highly targeted attack against a specific individual. If you are of that much interest to a technologically adept and powerful adversary, then you are probably in deep trouble anyway!
Your takeaway from this article should be that HTTPS is good. Very good. Regardless of any flaws it might have, it is the best (and to all intents and purposes, only) system we have to secure our online transactions and other sensitive data. It also helps provide a degree of privacy from NSA-style spying, and will protect you when using insecure Internet connections. Just look for the locked padlock!
Douglas Crawford, editor at BestVPN.com, an independent online security comparison service
Image Credit: Nixx Photography / Shutterstock