Ask LH: Why Should I Care About HTTPS?

Dear Lifehacker, I'm not a huge nerd, but everyone's talking about switching to HTTPS on Facebook because it's so much better. Why is it better and why should I care? Sincerely, Insecure About HTTPS

Dear Insecure,

HTTPS is a significantly more secure version of HTTP, which is the protocol you generally use to load up your web pages (whether you're aware of it or not). HTTP stands for Hypertext Transfer Protocol, so HTTPS stands for the same thing but with Secure on the end of it. This is because, as Wikipedia will tell you, HTTPS is "a combination of the Hypertext Transfer Protocol with the SSL/TLS protocol to provide encrypted communication and secure identification of a network web server".

Why You Should Care

So yeah, you get it: HTTPS provides additional security, but what does that actually mean when you're browsing the web every day? It basically means you're protecting your private information from people who want to steal it using readily available tools like Firesheep.

It means when you enter your password or your phone number or anything personal on Facebook — or any other site offering HTTPS — that data will be encrypted as it flies through the great tubes of the internet.

Think of it like this: you're having a private conversation with your new boyfriend or girlfriend, and your ex — unbeknownst to you — is a few tables over listening to every word. That's the sort of risk HTTP poses, whereas HTTPS would be more like if you and your new romantic interest were speaking a new language that only the two of you understood. To your stalker of an ex, this information would sound like gibberish and s/he wouldn't get any value from listening if s/he tried. HTTPS is a way for you to exchange information with a web site securely so you don't have to worry about anyone trying to listen in.

OK, I Want HTTPS Right Now!

Good choice! Enabling HTTPS in Facebook is very easy. Just visit your Account Settings page, select Account Security (it's the third option from the bottom), and you'll find a checkbox to enable HTTPS under the Secure Browsing header. That's all you have to do.

What about everywhere else? Well, HTTPS is enabled by default on most sites that take sensitive information like your credit card number, so you're generally good to go when buying online. Every browser has its own way of representing whether a site is secure, but generally you'll see a lock icon in your browser's address bar. There are varying degrees of security, however, since sometimes emails have attachments coming from insecure sites (more info on that here). If you want HTTPS everywhere, the Electronic Frontier Foundation's (EFF) aptly named HTTPS Everywhere is a Firefox extension to provide that functionality. They also recommend KB SSL Enforcer for Chrome users, but have found that it isn't implemented as securely (which could be a limitation of the Chrome extension framework).

So that's HTTPS in a nutshell and why you should start using it as much as possible. Hope that helps!

Cheers, Lifehacker


Comments

    I can't see any option to enable HTTPS in Facebook, it just shows up Account activity logs.

      Yep, me neither. What's the deal, Lifehacker?

        Facebook only launched the feature this week, so it hasn't appeared on all accounts yet - but it should eventually.

    Using HTTPS however isn't much use when government agencies - they have access to SSL certificate signing authorities so they could for example create their own facebook.com SSL cert. This would allow them to sit between you and facebook while you thought you were securely talking to facebook.com but they were actually decrypting your traffic and capturing passwords or inserting javascript without you being any the wiser. There is also the risk that any of the myriad bodies who are able to sign SSL certs either mistakenly or maliciously publish a dodgy SSL cert... have a look at the number of SSL cert authorities in your browser - do you really trust all those bodies to sign SSL certs???

    Why do government agencies use http instead of the https if the https is more secure?

      They only use http for their public internet-facing websites.

      For secure communications most governments use completely separate systems that are not connected to the internet.

    More info please!
    The way I understand it, HTTPS first starts up by Computer 1 speaking to Computer 2 and they decide what gibberish language (key) they're going to talk to each other in today. If stalker ex-boyfriend is listening in to the entire conversation, won't he also hear the first part where the two "talkers" are deciding which language to use? And then be able to decipher the entire conversation using that initial bit of information?
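An added example, not part of the original article or its comments: the "language only the two of you understand" from the article's analogy, and the setup step asked about in the comment above, sketched as a Diffie-Hellman key agreement, one of the methods TLS can use. The small prime, the base, the toy cipher and all function names are assumptions chosen so the sketch runs with only the Python standard library.

```python
import hashlib
import secrets

# Toy public parameters (assumption for illustration): the Mersenne prime
# 2**127 - 1 and base 3. Real TLS uses far larger groups or elliptic curves.
P = 2**127 - 1
G = 3

def keypair():
    """Return (private exponent, public value). Only the public value is sent."""
    private = secrets.randbelow(P - 3) + 2
    return private, pow(G, private, P)

def shared_key(my_private, their_public):
    """Combine my private exponent with the peer's public value into a key."""
    secret = pow(their_public, my_private, P)
    return hashlib.sha256(secret.to_bytes(16, "big")).digest()

def xor_stream(key, data):
    """Toy cipher: XOR with a SHA-256 counter keystream (not for real use)."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def run_exchange(message):
    """Simulate browser and server; return the results and the wire transcript."""
    browser_priv, browser_pub = keypair()
    server_priv, server_pub = keypair()
    # Each side mixes its own private exponent with the other's public value.
    browser_key = shared_key(browser_priv, server_pub)
    server_key = shared_key(server_priv, browser_pub)
    ciphertext = xor_stream(browser_key, message)
    # Everything a listener hears. Neither private exponent nor the key is
    # here; recovering one from the public values is the discrete logarithm
    # problem, which is infeasible at real-world parameter sizes.
    wire = {"p": P, "g": G, "browser_pub": browser_pub,
            "server_pub": server_pub, "ciphertext": ciphertext}
    return {"wire": wire, "keys_match": browser_key == server_key,
            "server_reads": xor_stream(server_key, ciphertext)}

if __name__ == "__main__":
    result = run_exchange(b"password=hunter2")  # constructed sample input
    print(result["keys_match"], result["server_reads"])
    print(sorted(result["wire"]))
```

Key agreement on its own does not prove who is on the other end of the connection; in HTTPS that job belongs to the server's certificate.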

    I've got some tips on how to browse securely on Facebook and Gmail for those interested. http://www.jackcola.org/blog/137-how-to-protect-yourself-online-while-using-facebook-gmail-and-other-websites
