You may have noticed in your travels around the internet that your browser’s address bar occasionally turns green and displays a padlock — that’s HTTPS, or a secure version of the Hypertext Transfer Protocol, swinging into action. This little green padlock is becoming vitally important as more and more of your online security is eroded. Just because your ISP can now see what sites you browse doesn’t mean they have to know all the content you’re consuming.
Below is the rundown on HTTPS, so you can better understand this first, and easiest, line of defence against potential snoopers and hackers.
HTTP or the Hypertext Transfer Protocol is the universally-agreed-upon coding structure that the web is built on. Hypertext is the basic idea of having plain text with embedded links you can click on; the Transfer Protocol is a standard way of communicating it.
When you see HTTP in your browser you know you’re connecting to a standard, run-of-the-mill website, as opposed to a different kind of connection, like FTP (File Transfer Protocol), which is often used by file storage databases. The protocol before a web address tells your browser what to expect and how to display the information it finds. So what about the extra S in HTTPS?
The S is simple. It means Secure.
It originally stood for Secure Sockets Layer (SSL), which is now part of a broader security protocol called Transport Layer Security (TLS). TLS is one of the two layers that make up HTTPS, the other being traditional HTTP. TLS works to verify that the website you’ve loaded up is actually the website you wanted to load up — that the Facebook page you see before you really is Facebook and not a site pretending to be Facebook.
On top of that, TLS encrypts all of the data you’re transmitting (like apps such as Signal or WhatsApp do). Anyone who happens across the traffic coming to or from your computer when it’s connected to an HTTPS site can’t make sense of it — they can’t read it or alter its contents.
So if someone wants to catch the username and password you just sent to Google, or wants to throw up a webpage that looks like Instagram but isn’t, or wants to jump in on your email conversations and change what’s being said, HTTPS helps to stop them.
It’s obvious why login details, credit card information, and the like are better encrypted than sent in plain text — it makes them much harder to steal. In 2017, if you come across a shopping or banking site, or any webpage that asks you to log in, it should have HTTPS enabled; if not, take your business elsewhere.
Look for the padlock. (Image: Screenshot)
As an added bonus, HTTPS stops ISPs and governments from snooping on your browsing activity too — they can still see that you’re visiting Amazon and Facebook or whatever, but they can’t tell what you’re searching for on those sites or which individual pages you’re opening up.
Browsers will now very clearly show you when you’re connected to HTTPS, putting the first part of the web address you’re visiting in green and displaying a padlock symbol. You can often click on this icon to see more details about the secure connection.
Many mobile apps use the same protocols to make secure, encrypted connections, but unfortunately users don’t yet have a simple way of checking up on this. Apps from the major players — like Facebook, Google, and your bank — can generally be trusted, but for apps from smaller developers you usually have to assume the right security is in place or confine your browsing to the browser.
Check the details of the app listing and contact the developer directly if you’re worried about whether your connection to the web really is secure inside a mobile app.
So if HTTPS is so great, why not use it for everything? That’s definitely a plan. There is now a big push to get HTTPS used as standard, but because it previously required extra processing power and bandwidth, it hasn’t always made sense for pages where you’re not entering or accessing any sensitive information. The latest HTTPS iterations remove most of these drawbacks, so we should see it deployed more widely in the future — although converting old, large sites can take a lot of time.
If you want to stay as secure as possible, the HTTPS Everywhere extension for Chrome and Firefox makes sure you’re always connected to the HTTPS version of a site, where one has been made available, and fixes a few security bugs in the HTTPS approach at the same time. It’s well worth installing and using, particularly on public Wi-Fi, where unwelcome eavesdroppers are more likely to be trying to listen in.
HTTPS isn’t 100 per cent unbeatable — no security measure is — but it makes it much more difficult for hackers to spy on and manipulate sensitive data as it travels between your computer and the web at large, as well as adding an extra check to verify the identity of the sites you visit. It’s a vital part of staying safe on the web.
Originally published on Gizmodo Australia.