What is HTTPS? And why is it so important?

Niclas Hedam
Nov 16, 2017


I’m pretty sure you’ve heard from multiple sources by now that the green lock at the top of your browser is good, and that sites without it are bad. But what does it really do? And why is everybody so hyped about it?

Whenever you visit a website, you are using the HTTP protocol. HTTP is short for HyperText Transfer Protocol. This protocol allows transfer of so-called HyperText documents.

HyperText is just plain text, but where you can jump between different pages or sections of the text. Basically, the concept allows so-called links to other pages, just like any website today.

When the HTTP protocol was first developed in 1989, everything was transferred unencrypted. This means that anyone on the network could see what you were doing. Not only what you were doing, but also any input you posted to any website. This includes — you’ve guessed it — passwords.

HTTPS was developed five years later than HTTP and is short for HyperText Transfer Protocol Secure, or sometimes just HTTP Secure. The general idea is to take everything from the HTTP protocol, but secure it with a layer of encryption. This means that whatever you do on that website stays between you and that website. This is good, as passwords, credit card information and personally identifiable information stay private.

An example of a valid and well-configured HTTPS server.

But that is not the only thing. The lock also provides you with a guarantee that the website you are visiting is in fact the one you think it is. Behind the padlock is a chain of certificates. At the start of the chain is the certificate of the website. The certificate contains some information about the website, and how the website should be trusted. You can then follow the chain to a new certificate. This certificate is typically from an issuer that issues certificates to websites. At the end of the chain is a so-called root certificate.

hedam.org’s certificate is issued by the trusted issuer, Let’s Encrypt

These are certificates owned by certain trustworthy companies. Every operating system has its own collection of trusted root certificates, so a website might be trusted on a Mac, but not on a Windows machine. The companies behind the few trusted root certificates can technically issue as many certificates as they like to anyone, but their whole business relies on being trustworthy. Therefore they do much work to ensure that only the real domain owners are able to obtain certificates for their domain.

The green padlock is a symbol that your connection is secure, but it’s also (almost) a guarantee that the website is actually who it appears to be.

Some websites also pay a lot for you to feel secure. Financial websites in particular have purchased what’s called an EV certificate (short for Extended Validation).

danskebank.dk has an EV certificate.

EV certificates require extensive validation and they are not cheap. But in return, the website owner’s name will be shown right beside the padlock. This is to assure you that it is actually the domain owner who has gone through the validation.

Now I’ve told you why the green padlock is great, but I have a rebuttal. Certificates can be stolen. Normally, when a certificate is stolen, it is revoked within a few hours to a day. Therefore, this kind of attack is very rare.

One thing you need to take note of is certificates that look correct but aren’t. Such is the case with Let’s Encrypt, which has issued 15,270 “PayPal” certificates to phishing sites. Here, we basically talk about websites that have a domain similar to paypal.com — e.g. paypal.com-login.net.
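As an added example (not from the original article), here is a small Python script that mimics the hostname check a browser performs behind the padlock and contrasts it with the "I can see paypal.com in the address bar" check a hurried reader makes. The certificate dictionaries are constructed samples shaped like the `subjectAltName` entry that Python's `ssl.getpeercert()` returns; the function names are my own.

```python
# Added example, not the article's code: hostname verification of the kind a
# browser does behind the padlock, run against constructed certificate data.
# Assumed: the 'subjectAltName' tuple shape mirrors ssl.getpeercert() output.


def san_matches(pattern: str, hostname: str) -> bool:
    """Match one DNS name from a certificate against a hostname (RFC 6125 style).

    A wildcard is only honoured as the whole leftmost label ("*.example.com")
    and only covers a single label, so "*.example.com" matches neither
    "a.b.example.com" nor "example.com" itself, and "*.com" is rejected.
    """
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        return len(p_labels) > 2 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def cert_covers_hostname(cert: dict, hostname: str) -> bool:
    """True if any DNS entry in the certificate's subjectAltName matches hostname."""
    return any(kind == "DNS" and san_matches(name, hostname)
               for kind, name in cert.get("subjectAltName", ()))


def naive_brand_check(hostname: str, brand_domain: str) -> bool:
    """The mistake the padlock cannot fix: 'I can see paypal.com in the address'."""
    return brand_domain in hostname


def is_same_site(hostname: str, brand_domain: str) -> bool:
    """Ownership check: the host is the brand's domain or a subdomain of it."""
    h, d = hostname.lower().rstrip("."), brand_domain.lower().rstrip(".")
    return h == d or h.endswith("." + d)


# Constructed sample certificates, shaped like ssl.getpeercert() output.
PAYPAL_CERT = {"subjectAltName": (("DNS", "paypal.com"), ("DNS", "www.paypal.com"))}
PHISH_CERT = {"subjectAltName": (("DNS", "paypal.com-login.net"),)}

if __name__ == "__main__":
    for host, cert in [("www.paypal.com", PAYPAL_CERT), ("paypal.com-login.net", PHISH_CERT)]:
        # Both hosts get a valid padlock for their own name; only is_same_site
        # tells you whether that name actually belongs to paypal.com.
        print(f"{host}: padlock={cert_covers_hostname(cert, host)}, "
              f"naive={naive_brand_check(host, 'paypal.com')}, "
              f"same_site={is_same_site(host, 'paypal.com')}")
```

The lookalike domain passes the padlock check for its own name and the naive substring check, but fails the ownership check, which is exactly the gap phishing sites exploit.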

Eric Lawrence, a security expert, showcased how good phishing sites have become. And before you look at the image — remember what I told you about EV certificates, because in this example, EV has done its job.

Image by Eric Lawrence.

HTTPS can provide you with safety against eavesdropping, but can never outdo being on guard against phishing.

The padlock does not lie to you. It does assure you that the website you’re visiting is encrypted and verified, but it does not assure you that you are actually looking at the correct page. You should never blindly trust HTTPS nor the green padlock. Instead, use it as a trustworthy companion.

Always be skeptical — forgetting to do so can be an expensive mistake.


Niclas Hedam

PhD Fellow at the IT University of Copenhagen. Interested in security and data systems.