
HTTPS Encryption: All You Need to Know


HTTPS is a secure way to surf the internet without exposing your private information. We all share confidential information across the internet every day, and this puts all of us at risk of data compromise. As the number of threats to that data grows, people are turning to more secure ways to use the Internet.

HTTPS encrypts the data that travels between your web browser and a server. This makes the connection secure and prevents third parties from collecting and using your data without authorization. Let’s find out what makes HTTPS the more secure option for online browsing and how to check the security of the web pages you visit.

 

Secure Network
Photo by Dan Nelson via Pexels

 

The Basics of HTTP

If you are using a wireless network, other devices on the network can overhear your data packets and see what you are doing. With the right hardware and software, hackers can easily get into your network and listen in on your activities.

There is even more risk involved in a wired internet connection. Hackers can directly wiretap your connection just like a telephone line. The original hypertext transfer protocol (HTTP) offers no protection against either kind of eavesdropping. Developers recognized this weakness in the existing protocol and made adjustments to it. The result is the secure hypertext transfer protocol (HTTPS), which is now widely used across the web.

HTTPS and HTTP follow the same basic protocol, except that HTTPS adds a layer of security. That layer is the SSL/TLS protocol. SSL and TLS stand for Secure Sockets Layer and Transport Layer Security, respectively. These protocols act like a sealed envelope for your data while it is in transit, which helps prevent unauthorized collection and use by cybercriminals. TLS is the modern successor to SSL, and the two names are commonly used interchangeably.

 

What Is HTTPS Encryption?

Brass Lock
Photo by Markus Winkler via Unsplash

 

HTTP is one of many network protocols that allow a computer user to connect to a website. It is widely regarded as the standard request-response protocol and is used for sending and receiving messages between a client (such as your browser) and a web server. If this concept is a little confusing, let’s go back to the idea of a protocol.

A protocol is the official procedure or system of rules that governs an interaction. Applied to this situation, HTTP sets the official procedures, or system of rules, that govern the transactions between web servers and computers. HTTP clients generally use transmission control protocol (TCP) connections to establish communication with external servers.

HTTPS works in very much the same way as HTTP. The only notable difference is that HTTPS is the secure version of HTTP: it adds the SSL/TLS layer. These are cryptographic protocols that encrypt data while it is in transit on the network. All communication between your web browser and the server is encrypted to prevent cybercriminals from getting hold of your data in transit.

 

How Does HTTPS Work?

Encrypted Computer
Photo by Ewan Kennedy via Unsplash

 

HTTPS encryption can be quite a complicated process, but it is easier to understand with an analogy. Let’s say you have locked some confidential information in a box using a symmetric key. You then send this box, along with the key, to the server. But anyone listening in on the transaction could simply take the box and open it with the key that you sent. To solve this, the server you are trying to communicate with sends you a special box. This box locks with a public key, and the public key is included with the box.
 
The special box can only be opened with a separate key, called the private key, which is held by the server. The server sends you the special box along with the public key but keeps the private key to itself. As you can see from this transaction, the SSL connection uses three kinds of keys to establish the connection: the public, private, and symmetric keys. Anything that you encrypt with the public key can only be decrypted using the private key, and vice versa. You can put your original box and its symmetric key inside the special box provided.
 
You then lock the special box using the public key that came with it, and return the box to the server. The server opens the box using the private key that it kept. Once both parties hold copies of the symmetric key, they use it to protect the information they share. If your browser connects to the same server the next day, a new session key is created. This process keeps the data exchange fast without compromising safety.
 

When Should You Use an HTTPS Website?

Computer Applications
Photo by mohamed_hassan via Pixabay

 

HTTP and HTTPS are both protocols for passing information between web servers and clients. The point to hone in on is that HTTPS is a secure connection, while HTTP is insecure. HTTP is the older, unencrypted protocol, and it made it easy for hackers to steal information online. HTTPS was intended primarily for websites that required the input of personal information, but nowadays plenty of websites use HTTPS regardless of whether they ask for your personal information or not.
 
Back in 2018, Google changed its security policy and began requiring HTTPS encryption for all websites under its domain. Under the policy, Google Chrome, Google’s own web browser, flags websites without HTTPS as not secure. Websites that fail to upgrade to HTTPS are also penalized with lower rankings in Google search. Chrome flagging HTTP sites as insecure is just one of the changes to come; more changes are expected, all intended to protect the privacy and security of sensitive information.
 
The majority of websites that we visit online use encryption, but a small number still use the plain HTTP protocol. Users are also strongly encouraged to use HTTPS-encrypted applications when sharing confidential information or personally identifiable information (PII). This may include anything from your name, address, social security number, and bank account number to more. Make sure that the channels you use are end-to-end encrypted, so that you do not become a victim of identity theft and fraud.

 

Who Uses HTTPS Encryption?

Website Labels
Photo by janbaby via Pixabay

 

Most companies that deal with personal information, such as banks, credit card companies, and e-commerce websites, secure their sites with SSL certificates and HTTPS encryption. These websites are mandated by law to provide additional security for their customers who provide sensitive personal information through their websites.

Other websites that don’t require your personal information have also started to use HTTPS to keep your private information away from companies trying to direct customized ads your way, and from those who seek to gather third-party information from the websites that you visit. Web browsers that are well known for using HTTPS encryption include Mozilla Firefox, Google Chrome, Surf Shark, and Comodo Dragon.

Anyone who wants to practice good online safety should also prefer HTTPS sites, since these are more secure than plain HTTP. The two-way encryption protocols help to protect you against malware and other potentially harmful entities online. Always check for HTTPS encryption the moment you open a website. You should also look for a green padlock icon, either on the right side of the address bar or in the bottom right corner of the page. These indicators tell you that the site you are visiting is legitimate and safe from malware.

For additional protection, we highly recommend that you install a premium antivirus program with advanced features. The antivirus will detect and eliminate malware that could compromise your data.

You could also benefit from a VPN, which creates an encrypted tunnel between the client and the server. This acts as an added layer of protection for areas not covered by your encrypted web browser. Check out this guide on how to install a VPN.

 

What Is an SSL Certificate?

SSL Certificate
Photo by ekrulila via Pexels

 

When presented with HTTP and HTTPS websites, it’s only natural to wonder what the difference is between the two. Well, an SSL certificate is the first and most crucial difference. HTTPS websites have it, while HTTP websites don’t.

SSL certificates are small files that cryptographically establish an encrypted link between a web server and a browser. Encryption seals data just as you would place documents inside an envelope to keep them safe during transit. Ideally, all data passing through the link remains private in both directions. Encryption protects your data from man-in-the-middle attacks, the term used for attacks in which someone intercepts your data while it is in transit.

Besides encrypting your data in transit, SSL certificates also serve as the primary means of authenticating a web page or server. They help assure the user that the website is safe and secure and that they are communicating with the intended web page. SSL certificates play an important role in building trust between a web browser and a server. Third-party certificate authorities (CAs) normally issue these certificates after checking compliance with industry standards. By providing a tunnel for secure communication, SSL encryption is an ideal component of confidential information exchanges and electronic financial transactions.

Having encrypted networks can give most people the confidence to share personal information through encrypted chat, email, and instant messaging platforms. It can also give you a sense of confidence to go cashless with your financial transactions. You can learn how to use Apple Pay for secure cashless payments online.

 

How Does SSL Work?

Online Certificate
Photo by Stephen Philipps via Unsplash

 

SSL certificates are generated using public key infrastructure (PKI), also known as public-key cryptography. This method involves two distinct cryptographic keys: a public key and a private key. The public key is used to encrypt the data to be sent over the network, while the private key is kept for decryption. The public key is shared automatically with clients trying to access the website, and it usually comes with the SSL certificate. The public key is deployed each time we open a website, and we don’t even notice it.

The public key is stored in the digital certificate, and you can see a website’s public key by viewing the SSL certificate details in your browser. The two keys are always different, but their pairing is unique: only the private key can decrypt data that has been encrypted with the public key, and vice versa. Once the client has verified that the server holds the private key matching the public key in its certificate, a secure connection is established. We call this interchangeable function of private and public keys “asymmetric encryption.”

Meanwhile, the process of establishing a secure connection is commonly referred to as the SSL handshake. This is not like the old-fashioned handshake we know of, and it involves three basic steps. The process starts with the client saying “hello” to the server, after which the server responds by sending its SSL certificate, which carries its public key. The client then verifies the authenticity of the server, after which both parties exchange key material. A master key is generated in the process, and this is used to encrypt and decrypt information between the server and the client.
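The handshake described above, run from Python’s standard ssl module with every verification step switched on, as an added example that is not part of the original article. The host name is a placeholder and the expiry-date dictionary in the docstring format is the one getpeercert() returns; inspect_server needs network access, the other functions do not.

```python
import socket
import ssl
import time

def verifying_context():
    """Client settings that behave like a browser: validate the chain against the trusted
    roots, check the certificate name against the hostname, refuse handshakes below TLS 1.2."""
    ctx = ssl.create_default_context()           # loads the operating system's trust store
    ctx.check_hostname = True                    # certificate must be issued for this host
    ctx.verify_mode = ssl.CERT_REQUIRED          # a server that cannot prove identity is refused
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def context_is_verifying(ctx):
    """True only when every check a browser performs during the handshake is switched on."""
    return bool(ctx.check_hostname and ctx.verify_mode == ssl.CERT_REQUIRED
                and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2)

def days_until_expiry(cert, now_seconds):
    """Days left on a certificate, from the dict getpeercert() returns (notAfter is a GMT string)."""
    return int((ssl.cert_time_to_seconds(cert["notAfter"]) - now_seconds) // 86400)

def inspect_server(host, port=443, timeout=5.0):
    """Run the client hello / certificate / key exchange handshake and report what was agreed.
    Raises ssl.SSLCertVerificationError if the chain, name or validity period fails to verify."""
    ctx = verifying_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:  # handshake happens here
            cert = tls.getpeercert()
            return {
                "protocol": tls.version(),                # e.g. "TLSv1.3"
                "cipher": tls.cipher()[0],                # symmetric suite agreed for the session
                "subject": dict(pair[0] for pair in cert["subject"]),
                "issuer": dict(pair[0] for pair in cert["issuer"]),
                "days_left": days_until_expiry(cert, time.time()),
            }

if __name__ == "__main__":
    print(inspect_server("example.com"))   # placeholder host; needs network access
```

If a site presents a certificate for another name, an expired one, or one chained to a root the system does not trust, wrap_socket raises instead of returning, which is exactly the behaviour behind the browser’s padlock.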

 

How Are SSL Certificates Signed?

Real Certificate
Photo by Lewis Keegan via Unsplash

 

To serve a web page over HTTPS, the first thing you need is an SSL certificate. This certificate is presentable proof of an encrypted connection between a browser and a server or website. To explain how SSL certification happens, let’s take the YouTube website as an example. For those who didn’t know, Google bought YouTube way back in 2006. All Google-affiliated websites pass through the Google certificate authority officially commissioned for this purpose.

Let’s presume that YouTube is the requesting party, while Google is the certificate authority (CA). Any organization that wants to encrypt a website with HTTPS first has to submit a certificate signing request (CSR) to a public key infrastructure registration authority, which in this case is the Google CA. YouTube’s web server creates this request using the server’s key pair and asks the Google CA to sign it. After Google has received the request, it signs it with its own private key. Anyone who has Google’s public key can then verify that Google was the one who signed it.

Most browsers already have built-in lists of trusted certificates issued by known certificate authorities. Offerings from different SSL providers are mostly similar, but they can differ slightly in package contents and features. Most certificate authorities offer certificates with a validity period of anywhere from one to five years, although the legally allowed maximum period for certification is only 825 days, or two years and three months.

Certificate authorities follow the same strict industry protocols for checking your website’s security before they issue an SSL certificate. Some also let a single organization apply for multiple certificates across multiple domains at once.
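A toy model of the two public-key operations this article describes: the client wrapping a fresh session key in the server’s “special box” (the How Does HTTPS Work? section) and a CA signing certificate contents that anyone holding the CA’s public key can verify (this section). This is an added example, not code from the article; it uses textbook RSA on two tiny constructed primes and an XOR keystream purely for illustration, and the certificate fields are made up.

```python
import hashlib
import secrets

def rsa_keypair(p=61, q=53, e=17):
    """Toy RSA key pair from two tiny, constructed primes (illustration only, never real use)."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)                     # private exponent: e * d == 1 (mod phi)
    return (e, n), (d, n)                   # (public key, private key)

def rsa_apply(key, m):
    """m ** exponent mod n: what one key of the pair locks, only the other key unlocks."""
    exponent, n = key
    return pow(m, exponent, n)

def stream_xor(session_key, data):
    """Toy symmetric cipher: XOR with a SHA-256 keystream derived from the session key.
    Applying it twice with the same key returns the original bytes."""
    out = bytearray()
    for i, b in enumerate(data):
        keystream = hashlib.sha256(bytes([session_key]) + i.to_bytes(4, "big")).digest()
        out.append(b ^ keystream[0])
    return bytes(out)

def hybrid_session(server_pub, server_priv, plaintext):
    """The article's box analogy: the client wraps a fresh symmetric key in the server's
    public-key 'special box'; only the server's private key can open it."""
    session_key = secrets.randbelow(256)              # new key every session
    wrapped = rsa_apply(server_pub, session_key)      # what travels over the wire
    unwrapped = rsa_apply(server_priv, wrapped)       # server recovers the session key
    ciphertext = stream_xor(session_key, plaintext)   # client encrypts with the shared key
    return unwrapped == session_key, stream_xor(unwrapped, ciphertext)

def _digest(cert_fields, n):
    # SHA-256 of the certificate contents, reduced mod n only because the toy modulus is tiny
    return int.from_bytes(hashlib.sha256(cert_fields.encode()).digest(), "big") % n

def ca_sign(ca_priv, cert_fields):
    """The CA signs the certificate contents with its private key."""
    return rsa_apply(ca_priv, _digest(cert_fields, ca_priv[1]))

def ca_verify(ca_pub, cert_fields, signature):
    """Anyone holding the CA's public key (e.g. a browser's trust list) checks the signature."""
    return rsa_apply(ca_pub, signature) == _digest(cert_fields, ca_pub[1])

if __name__ == "__main__":
    pub, priv = rsa_keypair()
    print(hybrid_session(pub, priv, b"card number 4111 1111 1111 1111"))
    sig = ca_sign(priv, "CN=youtube.example, O=Toy CA")
    print(ca_verify(pub, "CN=youtube.example, O=Toy CA", sig))
```

Real TLS uses 2048-bit or larger RSA keys or elliptic-curve key exchange, AES for the session, and a padded hash for signatures; the structure, one key pair per server and one per CA, is the same as here.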

 

Are SSL Certifications Completely Safe?

Secured Connection
Photo by Dan Nelson via Unsplash

 

SSL certificates are generally secure, but even these can be compromised. Look at what happened to the Dutch certificate authority DigiNotar back in 2011. Hackers infiltrated the company’s systems and issued valid SSL certificates for a series of prominent domains. They then used these certificates to secretly intercept the communications of Iranian citizens. Once the anomaly was discovered, the major browser makers Mozilla, Microsoft and Google removed the DigiNotar root certificate from their lists of trusted roots.

The incident also had far-reaching consequences for other websites, whose certificates issued by DigiNotar were no longer trusted. Web browsers rejected certificates issued before the incident, forcing those websites to obtain new certificates. The company filed for bankruptcy soon after.

If this incident proves anything, it is that hackers will go to great lengths to achieve their ends, and that even certification bodies are not exempt from the destructive power of cybercrime. A number of reports have surfaced over the years about SSL certificates created by disreputable websites. Other reports have indicated that even the NSA can create SSL certificates as part of its entrapment operations. As such, it is clearly becoming much harder for the public to distinguish between legitimate and fake websites.

 

Final Thoughts on HTTPS Encryption

Computer Code
Photo by Markus Spiske via Unsplash

 

Encryption and data protection might appear to us as modern concepts, but in reality these concepts have existed for thousands of years. In fact, many of the basic methods of cryptography emerged from ancient Greece. One such example is the Caesar cipher, named after the historical figure Julius Caesar, who reportedly used encryption to protect his private correspondence. It works by substituting each letter in a text with another letter from the alphabet.

Luckily for our generation, we already have advanced computers that encrypt data much faster and in a more complex manner. History teaches us that people determined to violate the rules of privacy will always find a way to do so. So far, HTTPS is doing a great job of protecting people’s privacy and keeping their data out of the hands of cybercriminals who could otherwise make their lives miserable with corrupted, deleted, or ransomed data.

HTTPS communication protocols are one of the most significant evolutions in cybersecurity practices that tech giants have come up with. But there are many more cybersecurity practices that you can apply in daily life. Find out more about other cybersecurity practices that you can follow to keep yourself and your family safe online. We’re very lucky to have this technology protecting our data.

And speaking of advancements in technology, also check out this list of the best artificial intelligence (AI) trends shaping 2020.
