Can we rely on HTTPS to keep us secure?

2023.11.07


HTTPS is the guardian of web connections

Most URLs begin with https, where the 's' indicates a secure connection to the website you are visiting.

HTTPS stands for Hypertext Transfer Protocol Secure and it encrypts information sent over the internet, primarily between your device (PC or mobile phone) and the website server. As the cornerstone of a more secure online universe, HTTPS blocks potential interception of content being transferred across digital spaces, including your private messages, payment information, or videos of whatever you're exploring.

However, there are always ways to bypass such security measures. IT administrators monitoring network traffic in your office may be able to spy on your network activity, even through a proxy.

How to introduce HTTPS?

Historically, websites did not universally adopt HTTPS, and the path by which the protocol became common practice deserves our attention. The key factor is the security certificate that makes HTTPS encryption possible. A certificate is an electronic document that combines a public key with the additional function of verifying a website's identity to the user, and this is where the core of HTTPS begins to take shape.


Counterintuitively, any entity can craft a certificate. However, it requires a signature from a certificate authority before your browser can verify its legitimacy and give users that reassuring lock icon in the corner of the address bar.

The process of obtaining a certificate requires website owners to prove that they control the domain name shown on the certificate. The absence of a certificate authority signature does not detract from the encryption process.

A self-signed certificate provides the same encryption. The problem is that the user has no way of knowing, or trusting, who is on the other end of the connection.

Could someone unintentionally be giving away their data to an attacker?

The democratization of security certificates

Because certificate authorities previously charged exorbitant prices, up to hundreds of dollars per year, for their certificates, many website owners, especially those running smaller sites, opted out due to the expense of the process. However, the tide has turned. Now, getting a certificate signed is relatively easy and free, thanks to Let's Encrypt, a nonprofit authority backed by the Electronic Frontier Foundation and a host of tech giants.

Chrome's proactive approach, which provides a stark warning when a site is not signed by a recognized authority, has certainly accelerated the adoption of HTTPS.

However, a word of caution: you won’t get a warning for sites that don’t use HTTPS, which is why it’s always recommended to scan the address bar to make sure you don’t fall into a simple HTTP trap.

Common misconceptions about HTTPS

While HTTPS is ubiquitous and plays a vital role today, several misconceptions have led some people to overestimate their browsing privacy.

A common misconception is that the HTTPS lock icon ensures a trustworthy site, which couldn't be further from the truth. Many phishing websites convincingly imitate legitimate websites, and the deception is often visible only in the URL displayed in the address bar. The attackers control these look-alike URLs, so they can get certificates signed for them, but they do not control the actual sites that users think they are visiting. Therefore, always pay close attention to URLs, especially if you suspect a phishing attack.

Another key thing to remember is that HTTPS does not encrypt metadata, and this includes URLs. Therefore, a network administrator, attacker, or ISP can determine which website you are visiting, or even a specific page under certain conditions. The good news is: the advent of encrypted DNS makes eavesdropping increasingly difficult.

Encrypted DNS could be the future of privacy

In layman's terms, encrypted DNS encrypts the lookup of the hostname of the site being visited. Because DNS is the system that maps site addresses to actual numeric IP addresses, this development makes the eavesdropping job more difficult for attackers.


Windows users can enable encrypted DNS, which provides an additional layer of privacy protection, similar to HTTPS itself, making your activity even more elusive to nosy onlookers! But with awareness, caution, and collaboration, we can more effectively navigate and protect our digital journeys.