HTTPS Is a Good Thing, Really!

You probably know by now that HTTPS is the way to go, but maybe you don't really know why. I will take a brief moment to show you why HTTPS is better than HTTP.

Let me show you what HTTP traffic looks like:


You can clearly see the username and password of the person attempting to log into this undisclosed website. Anyone with a will and Wireshark could intercept HTTP traffic, and capture sensitive information transmitted in the packet.

What's so great about HTTPS?

HTTPS prevents intruders from manipulating or seeing communications between you, the user, and a website. All sorts of bad things can happen without HTTPS: an attacker sitting on the path can send you to a website you did not expect, inject scripts that your browser then executes, and much more.


In short, HTTPS prevents intruders from passively listening to web traffic between you and external websites. Think of HTTP as a landline telephone. A bad guy could just pick up the receiver in another room, and passively listen to your phone conversation. Maybe you are just ordering pizza, or maybe you are discussing test results from your doctor. Either way, you wouldn't want an eavesdropper listening in. 

For more information about HTTPS, and why it matters, see the following link from the Chrome Developers site:

Why HTTPS Matters

How do we prove authenticity?

With certificates. In particular, the website's SSL/TLS certificate must be issued by a Certificate Authority (or CA for short), and it must be valid and correctly configured for that site. There are three types of SSL certificates: Domain Validated, Organization Validated, and Extended Validation. We will discuss the differences in a later post.


According to Wikipedia, you should only trust an HTTPS connection if the following is true:


  • The user trusts that the browser software correctly implements HTTPS with correctly pre-installed certificate authorities.
  • The user trusts the certificate authority to vouch only for legitimate websites.
  • The website provides a valid certificate, which means it was signed by a trusted authority.
  • The certificate correctly identifies the website (e.g., when the browser visits "www.example.com", the received certificate is properly for "example.com" and not some other entity).
  • The user trusts that the protocol's encryption layer (SSL/TLS) is sufficiently secure against eavesdroppers.
Source: Wikipedia, "HTTPS"

An easy way to tell if a website is using HTTPS is to check for the lock in the browser beside the URL. Here is what the Wikipedia page I mentioned above looks like when you click on the padlock icon beside the URL:


There are a few things to look at here.

1. The URL begins with the 'https' scheme instead of 'http'.
2. My browser reports that the 'Connection is secure'.
3. The certificate is listed as 'Valid'.

Good news! Wikipedia uses HTTPS! 
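The padlock is the browser doing the checks in the Wikipedia list above: require a certificate, verify that a trusted CA signed it, and confirm that the name in the certificate matches the host in the URL. The following is an added example (not code from the original post) that performs the name and expiry checks on the dict shape Python's `getpeercert()` returns, and shows the context a client needs for the live check; `CONSTRUCTED_CERT` is a made-up certificate for demonstration, not any real site's.

```python
import socket
import ssl
import time

# Constructed certificate in the dict shape getpeercert() returns (not any real site's cert).
CONSTRUCTED_CERT = {
    "subject": ((("commonName", "example.com"),),),
    "subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com")),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2030 GMT",
}

def _name_matches(pattern, host):
    """Match one DNS name from the certificate against the hostname in the URL.
    Only a leading single-label wildcard is honoured, as browsers do: "*.example.com"
    covers "www.example.com" but not "a.b.example.com" and not the bare "example.com"."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    if pattern.startswith("*."):
        suffix = pattern[1:]                       # ".example.com"
        return host.endswith(suffix) and "." not in host[: -len(suffix)]
    return False

def check_identity(cert, host, now=None):
    """Return a list of problems; an empty list means the certificate identifies host."""
    now = time.time() if now is None else now
    problems = []
    # Browsers match against subjectAltName; a bare subject commonName is no longer enough.
    dns_names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not dns_names:
        problems.append("no DNS subjectAltName entries")
    elif not any(_name_matches(name, host) for name in dns_names):
        problems.append("%r not covered by %r" % (host, dns_names))
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("certificate expired on " + cert["notAfter"])
    return problems

def verifying_context():
    """The settings a browser-like client needs: require a certificate, verify the CA chain, check the name."""
    ctx = ssl.create_default_context()             # verify_mode=CERT_REQUIRED, check_hostname=True
    return ctx

def inspect_site(host, port=443):
    """Live check: the handshake raises SSLCertVerificationError if the chain or the name fails."""
    with socket.create_connection((host, port), timeout=10) as sock:
        with verifying_context().wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()
```

`inspect_site("www.wikipedia.org")` needs network access and returns the leaf certificate only when every check passes; the offline functions let you see exactly which check a mismatched or expired certificate fails.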

If you would like to know more about how the browser alerts us to HTTP versus HTTPS, watch this video from the 2016 Chrome Dev Summit. It's informative and approachable, and although a few years old, will give you a great synopsis on why HTTPS is the right way to go.

HTTPS in Google Chrome
