Can we rely on HTTPS to keep us safe?

HTTPS is the guardian of web connections

Most URLs begin with https, where the 's' indicates a secure connection to the website you are visiting.

HTTPS stands for Hypertext Transfer Protocol Secure, and it encrypts information sent over the internet, primarily between your device (PC or phone) and a website's server. As the cornerstone of a more secure online universe, HTTPS prevents potential interception of content being transferred across digital spaces, including your private messages, payment information, or whatever video you're exploring.

However, there are always ways to get around such security measures. An IT administrator monitoring network traffic at your office could potentially snoop on your web activity, even through a proxy.

How to introduce HTTPS?

Traditionally, websites have not universally adopted HTTPS. The path to establishing this protocol as common practice is worth watching. The key factor involves security certificates, the electronic documents that produce HTTPS encryption. By combining public keys with additional functionality to verify the identity of the user's website, the core of HTTPS begins to take shape.

picture

Counterintuitively, any entity can produce a certificate, however, it needs to be signed by a certificate authority in order for your browser to verify its legitimacy, thus providing users with that reassuring lock icon in the corner of the address bar.

The process of obtaining a certificate requires the website owner to prove that they control the domain name shown on the certificate. The absence of a signature from a certificate authority does not devalue the encryption process.

A self-signed certificate will provide the same functionality, however, the issue is the user's knowledge and trust in who is on the other end of the connection.

Could someone be accidentally giving away their data to an attacker?

Democratizing security credentials

Since certificate authorities used to charge high prices, up to hundreds of dollars per year, to obtain their certification, many website owners, especially those operating smaller sites, opted out due to the expensiveness of the process. However, the tide has turned. Now, getting a certificate signed is relatively simple and free, thanks to Let's Encrypt, a non-profit authority backed by the Electronic Frontier Foundation and a host of tech giants.

Chrome's proactive approach of providing bright warnings when a site is not signed by a recognized authority has certainly accelerated the adoption of HTTPS.

However, a word of caution: you won’t get a warning for sites that don’t use HTTPS, which is why it’s always recommended to scan the address bar to make sure you don’t fall into a simple HTTP trap.

Common Misconceptions About HTTPS

While HTTPS is ubiquitous today and plays a vital role, several misconceptions lead some people to overestimate their browsing privacy.

A common misconception is that the HTTPS lock icon ensures a trustworthy site, which couldn't be further from the truth. Many phishing sites exist that convincingly mimic legitimate sites, and their deception is often visible in the URL displayed in the address bar. The attackers own these URLs, which enables their certificates to be signed, but are not the actual sites that users think they are visiting. Therefore, always pay close attention to the URL, especially if you suspect a phishing attack.

Another key thing to remember is that HTTPS does not encrypt metadata, and this includes the URL. Therefore, a network administrator, attacker, or ISP can determine which website you are visiting, or even a specific page under certain conditions. The good news is: the advent of encrypted DNS is making eavesdropping increasingly difficult.

Encrypted DNS could be the future of privacy

In layman's terms, encrypted DNS scrambles the hostname of the page being visited. Because DNS is the system that maps actual numeric IP addresses to site addresses, this development makes it much harder for attackers to decrypt them.

picture

Windows users can enable encrypted DNS, which provides an extra layer of privacy that acts similarly to HTTPS itself—making it even more elusive to nosy onlookers! However, with awareness, caution, and collaboration, we can more effectively navigate and protect our digital journeys.