In recent years more and more websites have come to support HTTPS. As an end user, what does that mean and why does it matter?

The early days of the internet: communicating by HTTP

In the past it was common for websites and users’ computers to communicate by sending unencrypted, human-readable text: if you entered “Password01”, it was sent to the website across the internet exactly as you typed it. The problem was that anyone with a machine on the route between your computer and the website could intercept this, see “Password01”, or even alter what was being sent. This is HTTP.

Secure browsing and privacy with HTTPS

To stop machines in the middle from intercepting and reading or modifying data, a method was devised that lets the website and the client encrypt what they send to each other, making it unreadable to anyone in between; the data is then decrypted at the other end. The encryption keys and the rules for using them are agreed in an initial exchange between the site and the client when the connection is made, a process known as the SSL/TLS handshake. This is HTTPS.

Checking if a site is using HTTPS

The most obvious way to check is to look at the site’s address in your browser’s address bar. If it begins with https:// you are using the more secure protocol; if it begins with http:// you are not.

Modern browsers also show a visual indicator, usually to the left of the address.

The padlock indicates a site using HTTPS in Chrome

A site communicating by HTTP

Security Certificates

So I can now communicate with a site, for example PayPal, knowing the traffic is encrypted, but how do I know it is really PayPal? What if someone intercepted my initial request to connect and is sitting in the middle, with one connection to me and another to PayPal? That is where security certificates come in.

Certificates are issued to sites by Certificate Authorities, and your browser also stores certificates from these authorities. The site sends its certificate during the initial handshake, and the browser uses the certificate it has stored from the corresponding Certificate Authority to confirm that the site’s certificate was genuinely issued by that authority, which is what proves the site is who it claims to be.

Checking a certificate

Clicking on the padlock in the top left corner of Chrome and then on the certificate gives me more information.

You can see the certificate is in date and has been issued to paypal.com. Not having a valid certificate doesn’t necessarily mean you aren’t talking to the right site: occasionally companies forget to renew their certificates, or there can be other problems. However, it would be highly unwise to send information such as passwords or financial data in this situation. If you continue to browse, do so with no expectation of privacy.
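As an added illustration of what “checking a certificate” involves (example code written for this page, not from the original post or from any browser), the script below applies the three checks just described, in date, issued to the site you typed, and issued by an authority you trust, to a constructed certificate in the shape Python’s ssl module returns for a connection. The sample certificate, the “Example Trusted CA” name and the trusted-issuer set are assumptions; real PayPal certificates are not used.

```python
import ssl
import time

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert();
# not a real PayPal certificate, the values are illustrative only.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.paypal.com"),),),
    "issuer": ((("organizationName", "Example Trusted CA"),),
               (("commonName", "Example Trusted CA Root"),)),
    "subjectAltName": (("DNS", "www.paypal.com"), ("DNS", "paypal.com")),
    "notBefore": "Jan 10 00:00:00 2024 GMT",
    "notAfter": "Dec 31 23:59:59 2030 GMT",
}

# Stand-in for the browser's store of Certificate Authority certificates.
TRUSTED_ISSUERS = {"Example Trusted CA Root"}


def hostname_matches(pattern, hostname):
    """RFC 6125 style match: exact, or a single '*' in the leftmost label.
    '*.example.com' matches 'a.example.com' but not 'a.b.example.com'."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        parts = hostname.split(".", 1)
        return len(parts) == 2 and parts[1] == pattern[2:]
    return False


def check_certificate(cert, hostname, trusted_issuers, now=None):
    """Return (ok, reason) for the checks the post describes: in date,
    issued to the site you typed, and issued by an authority you trust.
    A browser additionally verifies the CA's signature over the certificate;
    this offline example only compares the issuer name (an assumption)."""
    now = time.time() if now is None else now
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if not (not_before <= now <= not_after):
        return False, "certificate not in date"
    dns_names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not any(hostname_matches(n, hostname) for n in dns_names):
        return False, "certificate not issued to " + hostname
    issuer = {k: v for rdn in cert["issuer"] for k, v in rdn}
    if issuer.get("commonName") not in trusted_issuers:
        return False, "issuer not in the trusted CA store"
    return True, "ok"
```

For a real connection, ssl.create_default_context() performs the full version of these checks, including the signature chain back to a stored authority, so scripts should rely on it rather than on name comparison.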

In conclusion

You should connect via HTTPS whenever possible. Although modern browsers do tend to warn you, being aware of when you are and when you aren’t communicating securely, and being able to check that you are communicating with the real site, will make your browsing far safer.

Posted by Jamie Moore (Tekeurope)