Everything You Need To Know About HTTPS
Digital security has become increasingly popular over the past few years, with more and more people trying to ensure their privacy online. This has been done in a variety of ways, with many of them focusing on encryption and each having pros and cons.
One of the most notable of these recently has been VPNs, which have become commonplace in many areas. However, there have been a variety of other security features that have become more common, with some of these being more effective than others.
HTTPS is something that many people have become increasingly aware of, although many people may be surprised to realize that this has been around for two decades. While this isn’t something that individuals themselves use, it is something that websites have taken advantage of for all of this time.
The protocol, which stands for Hyper Text Transfer Protocol Secure, offers end-to-end encryption for anybody using a website and has been one of the underlying features for internet security for the past 20 years. Throughout much of this time, HTTPS has been used by any website that looks to ensure its users’ privacy.
In recent years, however, it has increasingly been adopted by websites for which security is not a significant concern but which may want to offer it to their visitors. Much of this has been driven by a greater focus on security and overall internet privacy in the past few years.
Some of this has been driven by revelations made by Edward Snowden and other whistleblowers. However, a variety of highly publicized hacks, such as those at Sony, have also played a role in stoking the fear that many website owners and users may have.
Despite this, many website owners may not know much about what HTTPS is and how it works. While this may not stop its growing implementation, it may slow it down slightly, as many people may be hesitant to adopt it.
There are a variety of things that every internet user should know, regardless of whether they own and operate a website. By doing so, they’ll be able to ensure that their online browsing is secure while offering a high level of encryption to website visitors.
What Does HTTPS Do?
When you visit websites that don’t have HTTPS, then the information that’s sent and received is unencrypted, which means that anybody watching will be able to see what you do. This includes any details of a financial transaction, such as credit card numbers and much more.
Alongside this, it can be possible for someone to alter the information that’s sent and received without anybody noticing. All of this is overcome through the use of the HTTPS encryption protocol. Through this, what’s known as a cryptographic key exchange takes place, which then encrypts any traffic that takes place between a website and a visitor.
It should be noted that anybody who is watching your internet traffic will still be able to see which website you’re visiting. They shouldn’t, however, be able to see which specific pages you’ve visited or what data is transferred between you and a website.
This is also the case if you’re using a VPN provider, which can often see the data that’s sent and received through the software.
It should be noted that, as HTTPS offers end-to-end encryption, all of the information that’s sent between your computer, or even smartphone or other device, and a website will be encrypted. This is also the case if you’re using an unsecured Wi-Fi network, such as a public hotspot.
What Are SSL Certificates?
SSL is the technology that allows for a secure link to be created between a browser and a website. This link is what encrypts your connection and ensures that your information remains private. SSL technology prevents a variety of hackers and other unwanted people from intercepting and seeing this information.
These hacks can come in a variety of ways, with the most common being known as a man-in-the-middle attack. For this to occur, an undetected program is installed on the website’s server, which then detects and logs all of the information that passes through it before reaching the site.
Once this data has been collected, it’s sent to the hackers who put the program in place, who will then have complete access to it. Every website and its visitors will want to avoid this, which is where SSL technology and HTTPS encryption come in.
Once a website has this technology in place, it will be issued a certificate to prove this, which is then viewable by every visitor. In short, SSL is the method that ensures that HTTPS is secure and properly encrypted. This means that SSL is the underlying basis for HTTPS encryption and that the certificate proves that a website has instituted it.
When you visit a website that’s secured with SSL, the web browser will check this certificate when making the connection. This will ensure that the encryption is in place. As such, you can look at an SSL Certificate as proof that a website is secure when you visit it.
For website owners, this will be how you highlight to visitors that you have this encryption in place and that you take their online security seriously. These certificates are given to verified website owners by what’s known as a Certificate Authority.
There are over 1,200 Certificate Authorities (CAs) that are trusted to give out such certificates, with the process of getting one being somewhat complicated. This is because they will have to verify a person’s identity and that they’re the actual owners of the website that they’re looking to get certified.
Much of this is driven by the fact that there can be a variety of bad actors that may look to have false certificates issued. These can then be used to threaten the security of a certain website and its traffic, which means that the CAs put a significant amount of time and effort into preventing it.
How To Know If A Website Is Secure
There are a few ways that you’ll be able to tell if a website is secure. Sites that have an SSL Certificate will feature a locked padlock on the left-hand side of the URL bar, although this can appear on the right-hand side, depending on your browser.
You’ll be able to click on this padlock to find out more information about the website and its security, as well as who issued the certificate. There should also be an https:// before the URL instead of an http://. Many websites and browsers have been slowly phasing out the use of either, which means that neither of these may appear.
You may also want to double-check a website’s SSL Certificate, as it can have expired without many people realizing. While your connection should still be secure in either event, it’s worth double-checking if the website asks for a lot of personal information.
To do this in Chrome, you’ll need to go to the browser’s Developer Tools section. Once there, you’ll be able to navigate to Chrome’s security section, which will then display the website’s SSL Certificate.
In this section, you can click on the “View certificate” tab, which will display a large amount of information about the SSL Certificate, including the date through which it’s valid. While this may seem like a time-consuming process, it shouldn’t be once you know what you’re looking for.
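The same check can be scripted. The following is an added example, not part of the original article: it reads the fields the “View certificate” panel shows (issuer, names covered, expiry date) from the dictionary that Python’s `ssl` module returns for a verified connection. The sample certificate, the `example.test` names and the 30-day warning window are constructed assumptions.

```python
import socket
import ssl
from datetime import datetime, timezone

# Constructed sample in the dict format returned by SSLSocket.getpeercert().
SAMPLE_CERT = {
    "subject": ((("commonName", "shop.example.test"),),),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Example Test CA"),),
               (("commonName", "Example Test CA R1"),)),
    "notBefore": "Jan 10 00:00:00 2024 GMT",
    "notAfter": "Apr 09 23:59:59 2024 GMT",
    "subjectAltName": (("DNS", "shop.example.test"), ("DNS", "*.cdn.example.test")),
}

def fetch_cert(host, port=443, timeout=5.0):
    """Fetch a live certificate with normal CA and hostname verification enabled."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()

def _field(name, key):
    # Names are tuples of RDNs; each RDN is a tuple of (key, value) pairs.
    return next((v for rdn in name for k, v in rdn if k == key), None)

def _utc(cert_time):
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(cert_time), timezone.utc)

def host_matches(host, pattern):
    host, pattern = host.lower(), pattern.lower()
    if pattern.startswith("*."):  # a wildcard covers exactly one left-most label
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return host == pattern

def summarize(cert, host, now=None, warn_days=30):
    """Report who issued the certificate, whether it names host, and how long it is valid."""
    now = now or datetime.now(timezone.utc)
    not_before, not_after = _utc(cert["notBefore"]), _utc(cert["notAfter"])
    days_left = (not_after - now).days
    status = ("expired" if now > not_after else
              "not yet valid" if now < not_before else
              "expiring soon" if days_left < warn_days else "ok")
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    return {
        "issuer": _field(cert["issuer"], "organizationName"),
        "days_left": days_left,
        "status": status,
        "host_ok": any(host_matches(host, n) for n in names),
    }

if __name__ == "__main__":
    print(summarize(SAMPLE_CERT, "shop.example.test"))
```

For a live site, pass the result of `fetch_cert("your-host")` to `summarize` in place of the constructed sample.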
When it comes to your online security, the time that it takes to check this certificate can be beneficial. While you’re checking whether or not there is a locked padlock to ensure that the website is secure, you may also notice that there are both green and grey padlocks. These can have several differences, which are worth looking into.
What’s The Difference Between Green & Grey Padlock Icons?
Both colors of the padlock will be safe, although many people may not realize why there are two that may appear. The main difference between the two is that a green padlock shows that a particular website has presented an Extended Validation Certificate (EV).
These EVs are intended to highlight that the domain name and website belong to the people who you expect should own them. As a result, it typically means that green padlocks are perfectly secure, regardless of where you’re viewing them from.
While this is great in theory, it can become much more confusing in practice, as the validation system behind it is not straightforward. Much of this is highlighted by the different criteria that web browsers may apply before showing the green padlock. For example, Firefox and Chrome may present it for a particular website, while Microsoft Edge may show a grey one.
When you’re browsing the web, your common sense should prevail in this regard; if there’s a padlock next to the URL, then you should rest easy knowing that the website is encrypted and secured.
There are a few other padlock icons that you may come across when you’re surfing online. These can mean a variety of different things, such as the site only being partially secured. In other cases, it could also mean that the SSL Certificate has expired.
These should be warning signs for you when you’re on the website, as they mean that the site isn’t fully encrypted, if at all, and doesn’t prevent eavesdropping or hacking. As such, you should refrain from putting your personal information into such websites.
How To Get An SSL Certificate For A Website
Many website owners may wonder how they can get an SSL certificate. While there are a few ways that this can be done, the overall process is relatively simple. The first step to take is to determine which type of certificate you need.
While there are standard ones that you can take advantage of, there are a variety of custom certificates you can choose. A standard SSL certificate will cover the majority of websites, although these may often not be enough for companies that operate within several highly regulated industries.
Should you operate within finance or insurance, for example, then you may need to purchase a custom SSL certificate. As such, you’ll need to find out what your industry requirements are to determine what you’ll need from the encryption.
You’ll be able to buy an SSL certificate from the majority of domain providers, with these typically ranging in price from $50 upward. This price is usually for one domain, which means that you’ll have to pay several hundred for several domains. You may also be able to receive free ones from certain providers, although these can often be much more hassle than they’re worth.
Much of this is because they’ll need to be renewed every one to three months, which could mean that you’ll have to put a significant amount of time into it. This has led to many people recommending that you choose to purchase a certificate that lasts longer.
While many of these last between one and two years, you should aim to get one that lasts as long as possible.
How Does HTTPS Work?
Typical HTTP, or Hypertext Transfer Protocol, has been the standard way of connecting websites and devices and has always been unsecured. This is the process of allowing web pages to communicate with each other through the use of hyperlinks.
HTTPS, on the other hand, is secured with encryption software such as TLS. There are also a variety of algorithms used, with the majority of these being determined by the webserver. Much of this is done through what’s known as X.509 Public Key Infrastructure (PKI).
This is an asymmetric key encryption system that provides several ways to avoid and overcome many potential cyberattacks. The most notable of these is through the connection of a web server’s key, which is typically public, and a browser’s key, which is private.
The owners of a website’s key are certified by the Certificate Authority we mentioned above, which acts as what’s known as a trusted third party (TTP) in cryptographic terms. The X.509 Public Key Infrastructure will also attach a website’s public cryptographic key to the details of the organization that owns it, which adds a further layer of security and transparency.
While there are a significant number of recognized CAs, web browsers can check that an SSL certificate’s, or HTTPS certificate’s, details match those that they have on file. As a result of this, a browser will be able to tell whether certain certificates are genuine.
If the browser believes that they’re not, then the visitor will be prompted with a security warning that highlights this fact. Alongside this, the owner of the site should also be notified as to why their certificates may be appearing as false. By doing so, domain owners will be able to rectify the situation quickly.
HTTPS Everywhere
If you’re looking to browse a website securely, but it doesn’t offer HTTPS as standard, then there are a few ways that you can work around this. One way that has been popular for a certain amount of time has been by placing the https:// before the website, although this may sometimes not offer as much security as you may like.
One way that has become increasingly popular over the past few years has been HTTPS Everywhere, which is an open-source browser extension that was developed for free use by the Electronic Frontier Foundation.
When used, the extension uses what the foundation calls clever technology to rewrite typical connection requests into ones that are encrypted with HTTPS. This is only done if the connection is possible, regardless of whether it’s done on the website by default.
It should be noted that if it’s not possible to do so, then a user will visit the site with an unsecured connection. Many people have strongly recommended that website users install this, as it can offer much more security while surfing online.
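The rewrite-if-possible behaviour described above can be modelled in a few lines. This is an added example, not the extension’s own code: the ruleset is constructed, its XML layout is a simplified assumption of this example, and `example.test` is a placeholder site.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed ruleset; the layout is this example's simplified assumption.
RULESET_XML = r"""
<ruleset name="example.test (constructed)">
  <target host="example.test" />
  <target host="*.example.test" />
  <exclusion pattern="^http://legacy\.example\.test/" />
  <rule from="^http://(www\.)?example\.test/" to="https://www.example.test/" />
  <rule from="^http://([a-z0-9-]+)\.example\.test/" to="https://$1.example.test/" />
</ruleset>
"""

def load_ruleset(xml_text):
    root = ET.fromstring(xml_text.strip())
    return {
        "targets": [t.get("host").lower() for t in root.iter("target")],
        "exclusions": [re.compile(x.get("pattern")) for x in root.iter("exclusion")],
        "rules": [(re.compile(r.get("from")), r.get("to")) for r in root.iter("rule")],
    }

def _target_matches(host, target):
    if target.startswith("*."):
        return host.endswith(target[1:])   # "*.example.test" covers subdomains only
    return host == target

def _expand(template, match):
    # Rules use $1-style group references; substitute them from the regex match.
    return re.sub(r"\$(\d)", lambda g: match.group(int(g.group(1))) or "", template)

def rewrite(url, ruleset):
    """Return the HTTPS form of url if a rule covers it, otherwise url unchanged."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.scheme != "http":
        return url
    if not any(_target_matches(host, t) for t in ruleset["targets"]):
        return url                         # site not listed as HTTPS-capable: left as-is
    if any(x.search(url) for x in ruleset["exclusions"]):
        return url                         # path known not to work over HTTPS
    for pattern, template in ruleset["rules"]:
        match = pattern.search(url)
        if match:
            return url[:match.start()] + _expand(template, match) + url[match.end():]
    return url

RULES = load_ruleset(RULESET_XML)
```

A URL that comes back unchanged still starts with `http://`, which is the unsecured fallback the paragraph above describes.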
Problems With HTTPS
While there are a variety of benefits with HTTPS, there can also be several problems, with the most notable of these being fake SSL Certificates. There are over 1,200 Certificate Authorities that provide these certificates, which will be accepted and verified by any web browser.
These are only given to verified web owners, although this system often relies on a significant amount of trust being placed in everyone involved. While the overwhelming majority of these CAs are trustworthy, it only takes one bad apple to spoil the bunch.
This means that bad actors may be able to lean on some CAs to have fake SSL Certificates issued. Once one has been issued, it can lead to problems for web security, which can then undo much of the trustworthiness that was initially built up.
If a compromised website has a fake SSL Certificate, then a browser will believe that it’s secure, even though this isn’t the case. This opens up many of the website’s users to a significant amount of damage, as their connection will be far from secure.
This isn’t purely theoretical, either, as it has happened on several occasions. While a web browser can overcome some of this with a complete overhaul of the browser itself, the potential solutions to this problem may not be enough.
Outside of this, there have been a variety of ways that agencies have tried to tackle the issue, although none are generally recognized as an industry standard. One of the larger attempts to do so was started by the Electronic Frontier Foundation (EFF), which began the SSL Observatory.
This was an attempt by the organization to examine all of the SSL Certificates on the internet, with members of the public being invited to send them in to be analyzed. However, the project didn’t seem to take off and has been virtually unused for the past several years.
Public key pinning has been another way that many web browsers have tried to tackle the issue, with this gaining a significant amount of traction in recent years. With this process, a web browser will associate – or pin – a host with its expected HTTPS certificate or public key.
Should the web browser receive a certificate or key that it doesn’t expect, then it will refuse to make the connection for a user. They will also issue a warning to the website host about why this was the case; many may also highlight how you can overcome this issue.
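The pin check described above, written as a client-side sketch. This is an added example, not a browser’s implementation: it pins the SHA-256 fingerprint of the whole certificate rather than the public key, and the byte strings standing in for certificates, the host names and the second “backup” pin are constructed assumptions.

```python
import base64
import hashlib
import hmac
import socket
import ssl

class PinMismatch(Exception):
    """The server presented a certificate that is not in the host's pin set."""

def fingerprint(der_cert):
    """Base64 SHA-256 of the DER-encoded certificate."""
    return base64.b64encode(hashlib.sha256(der_cert).digest()).decode("ascii")

def check_pin(host, der_cert, pins):
    """Return 'unpinned' or 'pinned-ok'; raise PinMismatch for an unexpected certificate."""
    expected = pins.get(host.lower())
    if not expected:
        return "unpinned"              # no pin recorded: ordinary CA validation only
    presented = fingerprint(der_cert)
    if any(hmac.compare_digest(presented, pin) for pin in expected):
        return "pinned-ok"
    raise PinMismatch(f"{host}: certificate {presented} is not pinned; refusing connection")

def connect_pinned(host, pins, port=443, timeout=5.0):
    """Validate the chain as usual, then apply the pin before any data is sent."""
    ctx = ssl.create_default_context()
    raw = socket.create_connection((host, port), timeout=timeout)
    try:
        tls = ctx.wrap_socket(raw, server_hostname=host)
    except Exception:
        raw.close()
        raise
    try:
        check_pin(host, tls.getpeercert(binary_form=True), pins)
    except PinMismatch:
        tls.close()
        raise
    return tls

# Constructed stand-ins for DER certificates; real input comes from
# SSLSocket.getpeercert(binary_form=True).
CURRENT_CERT = b"constructed: current certificate for shop.example.test"
BACKUP_CERT = b"constructed: replacement certificate held in reserve"
UNEXPECTED_CERT = b"constructed: validly signed but unexpected certificate"
PINS = {"shop.example.test": {fingerprint(CURRENT_CERT), fingerprint(BACKUP_CERT)}}

def demo():
    results = [check_pin("shop.example.test", CURRENT_CERT, PINS),
               check_pin("blog.example.test", UNEXPECTED_CERT, PINS)]
    try:
        check_pin("shop.example.test", UNEXPECTED_CERT, PINS)
    except PinMismatch:
        results.append("refused")
    return results
```

Keeping a second pin for a certificate held in reserve lets the site replace its certificate without locking out clients that still carry the old pin set.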
Some studies have shown that traffic analysis can also pose a threat to users, even when HTTPS is in use. Potential hackers can identify specific web pages visited by a target with up to 89% accuracy. While this is a worrying development, researchers have noted that this would need to be a targeted approach to a specific victim.
Despite these problems, HTTPS is one of the more effective ways of maintaining a strong sense of security while using the internet. If it weren’t, then it wouldn’t have a role in billions of transactions worldwide daily, with these including financial transactions and those that include a significant amount of personal data.
The good news is that the encryption protocol is becoming a standard across the internet, which has meant that the majority of websites now use it. This offers a significant amount of security for everyone who uses the internet. There are still things that you’ll need to keep in mind while browsing, however.
The most important of these is to ensure that you look for a closed padlock icon, especially when transferring any information that requires a significant amount of security. When you’re using an insecure internet connection, such as those offered by public Wi-Fi, among others, this is something that you should always look for.
Should you happen to be worried about a specific website, then you’ll be able to check its SSL Certificate and match it against who you would expect to own the website in question. This shouldn’t take too long, and it’s worth doing to ensure that you can maintain your online security.