Cyber Security – HTTP VS HTTPS
For the next topic in my cyber security series, I’d like to touch on how to recognize secure websites. Before you put any of your personal information into any website, you should make sure the site is secure. The first thing you’ll look for is whether the site is using ‘http’ or ‘https’.
HTTP stands for HyperText Transfer Protocol. This is the communications protocol used to connect to Web servers on the Internet. It can also be used for connections to local servers on an Intranet. HTTP is what allows you to establish a connection with a server and retrieve HTML pages back to your browser (Chrome, Internet Explorer, Firefox, etc.).
HTTPS stands for HyperText Transfer Protocol Secure. HTTPS does the same thing as HTTP but it also adds a layer of security. The security is applied to the data being transmitted (from the Web server to your browser, or from your browser to the Web server).
With HTTP, every packet of data transmitted between the Web server and the end user is in ‘plain-text’ format. This means if a hacker were to intercept the transmission they could readily read the data being transmitted. If you’re on a check-out page of a website and it’s using HTTP, your personal information (such as name, address, phone number, and credit card number) is being transmitted in this ‘plain-text’ format. That’s not a good thing.
Using either SSL (Secure Sockets Layer) or TLS (Transport Layer Security) methods, HTTPS will encrypt every packet of data being transferred between the Web server and the end user. What this means is that even if the connection from your computer to the Web server were to be compromised, the data is not going to be in a “readable” format to the attacker.
Think of it this way. You live in Pennsylvania and you have a friend in California. You want to send this friend a letter to tell them a secret, but you’re concerned that someone may intercept it. If your letter was intercepted by a fiendish-type person, they could read your letter and learn of your secret.
To prevent this, you and your friend both acquire secret decoder rings so you can communicate using an encryption code. When you write your letter, you replace every character in the letter with a different one according to the ring’s code. For example, the word “hello” may be shown as “ifmmp”. This is a simple encryption that shifts every letter in a word to the next letter in the alphabet.
Having completed your letter you drop it into a mailbox. When your friend receives the letter, they use their decoder ring to transfer every character back to the intended character (“ifmmp” is translated back to “hello”). Your friend is now able to read the letter and they are elated to learn that you’ve won the lottery and will be sharing some of the winnings with them.
Had someone broken into your friend’s mailbox and taken the encrypted letter, they would not have been able to read the message. Without the secret decoder ring, they would have just seen words like “ifmmp” which would mean nothing to them.
This is a very simplistic example of what HTTPS is doing with data moving between the Web server and the end user. In reality, instead of a secret decoder ring, the encryption methods are based on very complex algorithms.
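The decoder ring from the analogy above, written out as a short Python sketch (an added example, not part of the original article; the function names, sample letter and word list are constructed for illustration). It reproduces “hello” → “ifmmp” and goes one step past the analogy: the ring has only 25 settings, so trying them all is instant, which is why the real encryption behind HTTPS relies on far larger keys.

```python
import string

ALPHABET = string.ascii_lowercase

def ring_encode(text, shift=1):
    """Replace each letter with the one `shift` places later, wrapping z -> a."""
    out = []
    for ch in text:
        if ch.isascii() and ch.isalpha():
            moved = ALPHABET[(ALPHABET.index(ch.lower()) + shift) % 26]
            out.append(moved.upper() if ch.isupper() else moved)
        else:
            out.append(ch)  # spaces, digits and punctuation pass through unchanged
    return "".join(out)

def ring_decode(text, shift=1):
    """Undo ring_encode by shifting the same distance in the other direction."""
    return ring_encode(text, -shift)

def all_ring_settings(ciphertext):
    """Decode with every possible ring setting (only 25 differ from the input)."""
    return {shift: ring_decode(ciphertext, shift) for shift in range(1, 26)}

def readable_settings(ciphertext, known_words):
    """Return the settings whose decoding consists only of words in known_words."""
    hits = []
    for shift, candidate in all_ring_settings(ciphertext).items():
        words = [w.strip(string.punctuation).lower() for w in candidate.split()]
        if words and all(w in known_words for w in words):
            hits.append((shift, candidate))
    return hits

if __name__ == "__main__":
    secret = ring_encode("hello")
    print(secret, "->", ring_decode(secret))        # the article's own example

    letter = ring_encode("I won the lottery")       # constructed sample letter
    vocab = {"i", "won", "the", "lottery"}          # constructed word list
    print("intercepted:", letter)
    print("readable without the ring:", readable_settings(letter, vocab))

    # Key space: the ring versus a 128-bit key, a size used by modern TLS ciphers.
    print("ring settings:", 25)
    print("128-bit key settings:", 2 ** 128)
```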
Now that you know why HTTPS is important, especially on websites (or pages) where you want to transact business or provide personal information, let’s take a look at how to recognize whether HTTPS is being used.
Here’s where it gets a little tricky.
There are a number of web browsers to choose from when you surf the Web – Chrome, Internet Explorer, Firefox, Safari, Microsoft Edge, and Opera, just to name a few. Each browser, and each version of the browser, may identify secure websites a bit differently. However, every browser and every version should give you some visual indication that you are on a secure site.
Above are three examples (top to bottom: Chrome-67, Internet Explorer-11, and Firefox-61) of browsers and how they appear when visiting a secure site:
- Chrome: This version does not show you the “https” in the URL, but it does have a small lock icon and displays the word “Secure”
- Internet Explorer: This version displays the “https” in the URL as well as a lock icon
- Firefox: This version displays the “https” in the URL as well as a lock icon
In all three of these examples, clicking on the lock icon will provide you with additional information.
As you can see, each of these browsers has identified https://google.com as a secure website that uses encryption.
Whichever browser or version of browser you are using, be sure you know how to identify that HTTPS is being used and never put your personal information into a site that does not use it.