Understanding HTTPS

With the posts in this series I want to reach not only my usual audience, security professionals, but especially people who are less security-aware, to help them improve their personal security. If you think the content is helpful for people you know, share it with them!

What is HTTP

To understand HTTPS you must first understand HTTP. Communication on the Internet happens between a client and a server. The clients we typically use are the browsers on our PCs, tablets or smartphones and the apps on our mobile devices. The servers are the machines somewhere on the Internet that host the websites we visit or the resources consumed by mobile apps.

Clients and servers communicate via requests and responses. The client sends an HTTP request to the server; the server processes the request and returns an HTTP response to the client.

The security risks of HTTP

HTTP requests and responses travel between the client and the server in plain text. Both the requests from the client and the responses from the server are readable to anyone who can intercept the communication.

And not only readable: they can be manipulated as well. But how big is the real risk that someone can intercept this traffic? Do watch this video. You'll understand why connecting to the free Wi-Fi in a hotel or at the airport is risky business.

As we saw in the video, the attacker was able to read and steal confidential data that users provided to particular websites over HTTP.

What HTTPS provides

HTTPS is the secure variant of HTTP. Requests sent over HTTPS still use the HTTP protocol, but the connection is secured with TLS, which stands for Transport Layer Security. When TLS is properly configured on the server hosting the website, it provides a secure communication channel between the client and the server. The data is encrypted (made unreadable) in the browser and stays encrypted until it reaches the web server, where it is decrypted (made readable again). TLS also lets the browser verify, through the server's certificate, that it is really talking to the site named in the address bar and not to an impostor sitting in between.

This encrypted connection ensures that anyone who does intercept the traffic can neither read nor modify the information exchanged between the client (e.g. the browser on your PC) and the server hosting the website.

I'm pretty bad at analogies, but look at it as a confidential conversation with your doctor in their office.

What HTTPS doesn't provide

Before you entered the doctor's office, you were sitting in the waiting room together with a woman. When it was your turn to go in, you saw the previous patient leave. So even if everything said during the consultation with your doctor is private and confidential, the fact that you visited the doctor isn't.

With HTTPS this is no different. HTTPS only encrypts the contents of the connection between the browser and the website. It doesn't hide which website you are visiting: the domain name is still visible to whoever can observe your traffic (for instance through the DNS lookup and the start of the TLS handshake), even though the pages you request and the data you enter are encrypted. As we will see in an upcoming post, this can be a serious privacy issue.

Another common misconception is that websites served over HTTPS are secure. This is not true. The only thing HTTPS implies is that the connection to the site is secure. Even on HTTPS websites there can be all sorts of security risks on the client or on the web server, resulting for instance in data being stolen from the database or malware being injected into the website.

HTTPS doesn't say anything about the legitimacy or intentions of a website either. The purpose of a phishing site, stealing your personal data, is the same whether it's served over HTTP or HTTPS. Or, as Scott Hanselman states...

How do you know if a website implements HTTPS?

In Firefox you'll notice a padlock in front of the URL.

If a site doesn't implement HTTPS, or has a broken HTTPS implementation, you will see no padlock in Firefox. When you click on the info icon you'll see that the connection is not secure.

In Chrome it's very similar. A black padlock in front of the URL means that the connection to that site is properly secured.

Chrome is more explicit and shows "Not secure" when a site doesn't implement HTTPS.

Unfortunately, for mobile apps you can't easily tell whether they're using HTTPS.

Conclusion

In this post I explained what security and privacy HTTPS offers and what it does not. I hope it's clear that you should only enter your personal data on a website that implements HTTPS, and that you should stay vigilant: HTTPS doesn't mean that the website is secure, it only provides a secure connection to it. In an upcoming post I'll give more tips on how to improve your privacy and security on HTTP and HTTPS sites. In the meantime, stay safe online!


John Opdenakker

Blogger | #Infosec | #AppSec | Security awareness | Occasional Public Speaker | Cycling | Running | Enjoying life