What is HTTPS, and why should I care?
HTTPS, the lock icon in the address bar, an encrypted website connection—it’s known as many things. While it was once reserved primarily for passwords and other sensitive data, the entire web is gradually leaving HTTP behind and switching to HTTPS.
The “S” in HTTPS stands for “Secure”. It’s the same “hypertext transfer protocol” your web browser uses when talking to websites, but carried inside an encrypted TLS connection, so the requests and responses are protected on the way between you and the server.
How HTTP Puts You At Risk
When you connect to a website with regular HTTP, your browser looks up the IP address that corresponds to the site’s name, connects to that address, and simply assumes it has reached the correct web server. Everything is then sent over the connection in clear text. Anyone on the path can read it: another user on the same Wi-Fi network, your internet service provider, a government agency tapping the link, or a phisher who controls the network you joined. They can see which pages you visit and every byte you send and receive.
There are two big problems with this. First, there’s no way to verify you’re connected to the correct website. You may think you’ve reached your bank’s site, but a compromised network (or a tampered DNS answer) can quietly redirect you to an impostor, and the same goes for online shops. Second, anything you send can be read or altered in transit, so passwords and credit card numbers should never be sent over an HTTP connection; an eavesdropper could simply copy them.
These problems exist because HTTP connections are neither encrypted nor authenticated. HTTPS connections are both.
How HTTPS Encryption Protects You
HTTPS is much more secure than HTTP. When you connect to an HTTPS-secured server (sites like your bank’s, and most other popular websites, automatically redirect you to HTTPS), your web browser checks the website’s certificate: that it was issued by a certificate authority the browser trusts, that it hasn’t expired, and that the name it was issued for matches the host in the address bar. This is what lets you trust that, if you see “https://bank.com” in your browser’s address bar, you’re actually talking to your bank’s real server; the certificate authority that issued the certificate vouches for that binding. Unfortunately, certificate authorities sometimes issue bad certificates, whether by mistake or after being compromised, and then the system breaks down. Certificate Transparency logs now make such mis-issuance publicly auditable, and although the system isn’t perfect, HTTPS is still far more secure than HTTP.
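To make the “name matches the address bar” check concrete, here is a small re-implementation of the hostname-matching rules a browser applies to a certificate’s subjectAltName entries (the RFC 6125 rules, simplified). This is an added example, not code from the original article or from any browser; the `Certificate` class is a constructed stand-in holding only the names, and it deliberately covers just the name check, not chain building, signatures, expiry or revocation.

```python
"""The name check a browser performs on an HTTPS certificate, simplified.

Re-implementation of the RFC 6125 / browser rules for matching the URL's host
against a certificate's subjectAltName dNSName entries.  It is only the name
check: chain building, signature, expiry and revocation are separate steps.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Certificate:
    """Only the certificate field the name check needs (constructed stand-in)."""
    san_dns: list[str] = field(default_factory=list)


def _normalize(name: str) -> str:
    # DNS names are case-insensitive and a trailing dot is the same name.
    return name.lower().rstrip(".")


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Match one dNSName pattern against a hostname using browser wildcard rules."""
    pattern, hostname = _normalize(pattern), _normalize(hostname)
    if not pattern or not hostname:
        return False
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # The wildcard must be the whole left-most label ("*.bank.com", not
    # "w*.bank.com"), must have at least two labels to its right (so "*.com"
    # is rejected), and matches exactly one label: "*.bank.com" covers
    # "www.bank.com" but neither "bank.com" nor "a.b.bank.com".
    if p_labels[0] != "*" or "*" in pattern[1:] or len(p_labels) < 3:
        return False
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]


def hostname_matches(cert: Certificate, hostname: str) -> bool:
    """True if the certificate is valid for hostname.

    Modern browsers consult only subjectAltName dNSName entries (the subject
    CN is ignored).  Literal IP addresses must match iPAddress entries, not
    dNSName, so this name-only check rejects them.
    """
    bare = hostname.rstrip(".")
    if bare.replace(".", "").isdigit() or ":" in bare:
        return False
    return any(dns_name_matches(p, hostname) for p in cert.san_dns)


def demo() -> dict[str, bool]:
    """Constructed certificate valid for bank.com and one level of subdomains."""
    cert = Certificate(san_dns=["bank.com", "*.bank.com"])
    hosts = ["bank.com", "WWW.bank.com.", "login.bank.com", "a.b.bank.com",
             "bank.com.evil.example", "bank-com.example", "10.0.0.1"]
    return {h: hostname_matches(cert, h) for h in hosts}


if __name__ == "__main__":
    for host, ok in demo().items():
        print(f"{host:25} {'valid' if ok else 'REJECTED'}")
```

Note what the check does and doesn’t buy you: `bank.com.evil.example` is rejected against the bank’s certificate, but whoever owns `evil.example` can get their own perfectly valid certificate for that name, and the browser will happily show the lock for it. The check binds the connection to the name in the address bar; it is up to you to read that name.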
When you send sensitive information over an HTTPS connection, no one on the path can read it or tamper with it in transit. HTTPS is what makes online banking and shopping possible.
It also adds privacy to ordinary browsing. Google’s search engine, for example, now defaults to HTTPS, so an observer on the network can’t see what you’re searching for on Google.com; the same goes for Wikipedia and many other sites. Previously, anyone on the same Wi-Fi network, and your internet service provider, could read your searches. One caveat: HTTPS hides the page and the query, not the destination. Your DNS lookup and the Server Name Indication (SNI) at the start of the TLS handshake still reveal that you connected to google.com or wikipedia.org, just not which search or which article.
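The difference between the clear-text HTTP case described under “How HTTP Puts You At Risk” and the HTTPS privacy caveat above is easiest to see from the eavesdropper’s side. The following added example (not code from the original article) builds a minimal TLS ClientHello carrying an SNI extension, parses the hostname back out of it the way a passive observer would, and contrasts that with what the same observer reads from a plain HTTP request and from an encrypted TLS application-data record. The ClientHello and the HTTP request are constructed test inputs, not captures, and the application-data record’s payload is a zero-filled placeholder standing in for ciphertext.

```python
"""What a passive observer on the path can read: an HTTP request versus a
TLS handshake carrying Server Name Indication (SNI)."""
from __future__ import annotations

import os
import struct

HANDSHAKE, APPLICATION_DATA = 0x16, 0x17
CLIENT_HELLO, EXT_SERVER_NAME = 0x01, 0x0000


def build_client_hello(hostname: str) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record with an SNI extension
    (constructed test input, not a capture)."""
    name = hostname.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name       # name_type 0 = host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    ext_sni = struct.pack("!HH", EXT_SERVER_NAME, len(sni_list)) + sni_list
    ext_versions = struct.pack("!HH", 0x002B, 3) + b"\x02\x03\x04"  # supported_versions: TLS 1.3
    extensions = ext_versions + ext_sni                             # SNI is not the first extension
    body = (
        b"\x03\x03" + os.urandom(32)                                # client_version, random
        + b"\x00"                                                   # empty session_id
        + struct.pack("!H", 4) + b"\x13\x01\xc0\x2f"                # two cipher suites
        + b"\x01\x00"                                               # compression: null only
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE, 3, 1]) + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes) -> str | None:
    """Return the host_name from a ClientHello's SNI extension, or None if absent."""
    try:
        if record[0] != HANDSHAKE:
            raise ValueError("not a TLS handshake record")
        hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
        if hs[0] != CLIENT_HELLO:
            raise ValueError("not a ClientHello")
        body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
        pos = 2 + 32                                                # skip client_version and random
        pos += 1 + body[pos]                                        # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]        # cipher_suites
        pos += 1 + body[pos]                                        # compression_methods
        if pos >= len(body):
            return None                                             # hello without extensions
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
            data, pos = body[pos + 4:pos + 4 + ext_len], pos + 4 + ext_len
            if ext_type != EXT_SERVER_NAME:
                continue
            # server_name_list: u16 length, then (name_type u8, u16 length, name) entries
            p, list_end = 2, 2 + struct.unpack("!H", data[:2])[0]
            while p + 3 <= list_end:
                name_type, name_len = data[p], struct.unpack("!H", data[p + 1:p + 3])[0]
                if name_type == 0:
                    return data[p + 3:p + 3 + name_len].decode("ascii")
                p += 3 + name_len
        return None
    except (IndexError, struct.error) as exc:
        raise ValueError("truncated record") from exc


def eavesdropper_view(packet: bytes) -> dict:
    """Classify one captured payload the way a passive observer on the Wi-Fi would."""
    if packet[:1] == bytes([HANDSHAKE]):
        return {"protocol": "tls", "sni": extract_sni(packet)}          # the hostname leaks
    if packet[:1] == bytes([APPLICATION_DATA]):
        return {"protocol": "tls", "ciphertext_bytes": len(packet) - 5}  # everything else is opaque
    # Anything else is treated as clear-text HTTP: method, path and Host are all readable.
    request_line, _, rest = packet.decode("latin-1").partition("\r\n")
    method, path, _ = request_line.split(" ", 2)
    headers = dict(h.split(": ", 1) for h in rest.split("\r\n") if ": " in h)
    return {"protocol": "http", "host": headers.get("Host"), "method": method, "path": path}


if __name__ == "__main__":
    http_request = b"GET /search?q=secret+query HTTP/1.1\r\nHost: www.google.com\r\n\r\n"
    print(eavesdropper_view(http_request))                            # query visible
    print(eavesdropper_view(build_client_hello("www.google.com")))   # only the hostname
    print(eavesdropper_view(b"\x17\x03\x03" + (20).to_bytes(2, "big") + bytes(20)))
```

Over HTTP the observer gets the full `/search?q=...` path; over HTTPS the same observer gets `www.google.com` from the ClientHello and then only record lengths. That is exactly the trade the article describes, and it is why DNS and SNI leakage is the remaining privacy gap rather than the page contents.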
The presence of HTTPS is not by itself a guarantee that a site is legitimate. Anyone who controls a domain, including a phisher who has registered a look-alike name, can obtain a valid certificate for it, so the lock icon only tells you that your connection to the name in the address bar is encrypted and that you’re talking to whoever controls that name. Some clever phishers rely on people looking for the HTTPS indicator and lock icon and go out of their way to appear secure; others imitate the lock by setting their site’s favicon, which some browsers show in the address bar, to a padlock. Check the domain name itself, not just the lock, when deciding whether to trust a site.
Yes, HTTPS is not unbreakable, and the protocol underneath it, TLS (the successor to SSL), has to keep evolving as new attacks against it are discovered and squashed; SSL 2.0 and 3.0 and TLS 1.0 and 1.1 have all been retired for exactly that reason. But it is still an impressively robust way of transmitting secret data without worrying about who can see the bytes on the wire.
There are of course many implementation details not covered here, such as the exact format and order of the handshake messages, session resumption (abbreviated handshakes that pick up a recent session without renegotiating keys and cipher suites), and the numerous encryption options available at each stage. The key thing to remember is that while HTTPS keeps data safe on the wire to its destination, it does nothing to protect you (as a user or a developer) against XSS, database leaks, malware on either end of the connection, or any of the other bad things that happen before the data is encrypted or after it is decrypted.
Be happy that it’s got your back, but stay vigilant.