The cybersecurity world is full of acronyms. They might seem scary, but they shouldn’t be. Especially not HTTPS as it’s the opposite of scary - it protects your online traffic from snoopers. You may not be aware of it, but there’s no doubt you use it every day. Read on to find out more about HTTPS.
What is HTTPS?
Hypertext Transfer Protocol Secure (HTTPS) is an application protocol that transfers data packets between a browser and website servers. In simple terms, HTTPS is what helps you to get Google results, load social media pages, or stream movies. HTTPS is a more secure version of HTTP, which was the primary protocol created to serve the World Wide Web.
The traffic that goes through HTTPS is encrypted. So websites that truly care about their visitors’ security (like banks, online shops, and NordPass) tend to use an HTTPS connection.
It’s easy to identify which websites are secure. Just look at the address bar. If the connection is safe, you should see “https://”, a green padlock symbol, or both next to the web address. Some popular web browsers will notify you if you try to access an HTTP website, while some will show a broken red padlock or the wording “Not Secure” next to the URL.
HTTP vs HTTPS
So what’s the main difference between HTTP and HTTPS? Well, both protocols serve the same function - they make the communication between your devices (also called clients) and servers possible.
But why is HTTPS important? Why does the internet (and you) need it?
- Security. Information that goes through HTTP is sent in plain text, while communication over HTTPS looks like nothing more than scrambled text. Your internet service provider (ISP), governments, or anyone snooping on the traffic can’t track you. It also makes you less vulnerable to man-in-the-middle attacks. That means no one could intercept the traffic and steal your passwords when you’re logged into your bank account.
- Authentication. HTTPS websites have to acquire a so-called TLS/SSL certificate, which authenticates them as legitimate websites. This means that when you connect to an HTTPS website, you can be sure that you are connecting to the right web server. On the other hand, HTTP websites can be easily spoofed and direct you somewhere else, for example to a website that will install a virus the moment you open it.
- Less tracking, advertising, and malicious content. HTTP websites can be altered by ISPs or malicious actors without the approval of the website owner. They can insert ads or other content that could track you or hide malware.
How does HTTPS work?
HTTPS transfers data packets between the client (i.e., your phone that is requesting the website) and a server, machine, or application. While doing that, it also encrypts your traffic using asymmetric cryptography.
To establish a secure connection, you and the server need to exchange public and private keys. In simple terms, they are a set of algorithms necessary for encryption. The public key is shared with the other party and is needed to send you encrypted messages, while the private key is used to decrypt those messages and should always stay private.
But how does this work in practice? Through an SSL/TLS handshake.
- You send a “hello” request to a web server you want to communicate with.
- The server says “hello” back to you. It sends you a TLS/SSL certificate alongside its public key. Now you know that the website is legitimate, and you can establish a connection.
- Then you use the web server’s public key to encrypt your public key, and you send it back to them.
- The server decrypts your key. You can now establish session keys that will be used for encrypted communication.
- Once session keys are exchanged, your connection becomes encrypted.
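The exchange described above, as an added example that is not part of the original article: a toy Python model of an RSA key-exchange handshake, in which the value the client encrypts with the server's public key is a random secret and both sides derive the same session key from it. The key pair is built from fixed Mersenne primes, certificate validation is skipped, and all function names are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets

# Constructed toy RSA key pair from two known Mersenne primes. Demo only:
# trivially factorable and unpadded; real servers use generated keys.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q                            # public modulus, sent with the certificate
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent, never leaves the server


def client_encrypt_secret(n, e):
    """Step 3: the client picks a random secret and encrypts it to the server."""
    pre_master = secrets.token_bytes(32)
    return pre_master, pow(int.from_bytes(pre_master, "big"), e, n)


def server_decrypt_secret(wire):
    """Step 4: only the holder of the private exponent D can recover it."""
    return pow(wire, D, N).to_bytes(32, "big")


def session_key(pre_master, client_random, server_random):
    """Steps 4-5: both sides mix the secret with both hello values."""
    hellos = client_random + server_random
    return hmac.new(pre_master, b"session key" + hellos, hashlib.sha256).digest()


def handshake():
    client_random = secrets.token_bytes(32)   # step 1: client hello
    server_random = secrets.token_bytes(32)   # step 2: server hello + (N, E)
    # Real TLS validates the certificate chain and hostname here; skipped.
    pre_master, wire = client_encrypt_secret(N, E)
    recovered = server_decrypt_secret(wire)
    return {
        "client_key": session_key(pre_master, client_random, server_random),
        "server_key": session_key(recovered, client_random, server_random),
        # Everything a passive eavesdropper sees on the wire:
        "observed": (client_random, server_random, N, E, wire),
    }


if __name__ == "__main__":
    result = handshake()
    print("keys match:", result["client_key"] == result["server_key"])
```

The `observed` tuple holds only public values, so an eavesdropper who records it still lacks the secret needed to compute the session key.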
Last piece of advice
Congratulations, you now know what HTTPS is, how it protects you online, and how to identify an HTTPS website. Double-checking whether you’re visiting secure sites is one of the best practices you can employ to ensure your online security. You never know: it may be the only thing standing between you and a hacker!