HTTPS
What is HTTPS?
HTTPS (HyperText Transfer Protocol, Secure) is a secure version of HTTP, the standardized method by which Web browsers and Web servers talk to each other over a network. HTTPS generally protects data in transit between a server (where a website or app “lives”) and the client (the phone or computer) you’re browsing from. Some browsers now automatically upgrade sites to HTTPS, or will warn you if HTTPS isn’t available; sites where HTTPS is not available should be visited with caution.
How can I tell if I’m using HTTPS?
Look in your browser’s address bar. If the URL in the address bar starts with “https://”, that means you’re using HTTPS.
Browsers will try to use HTTPS if a website supports it, which most do. In fact, many sites now use HTTPS exclusively. Search engines will rank sites that don’t support HTTPS lower than those that do. The general trend on the Web is towards using HTTPS universally.
How does HTTPS protect my privacy?
HTTPS has two main functions:
- First, HTTPS encrypts the content of your Web browsing so that only you and the Web server (the specialized computer where a website “lives”) can read it. That prevents anyone who’s snooping on your traffic—such as the owner of the Wi-Fi network you’re connected to—from seeing the content of your Web browsing. They would still know which sites you’re browsing, but not what you’re doing there. For example, they might see that you’re using Facebook, but they wouldn’t be able to see what you’re posting or which profiles you’re looking at.
- Second, HTTPS verifies that the webpage content you’re looking at actually came from the Web server indicated by the address in your browser’s address bar (as opposed to someone who’s intercepting your traffic and inserting their own content). Whenever you visit a page, the Web server will present cryptographic proof of its identity called a “certificate,” and your browser then verifies this proof.
By contrast, when you visit a non-HTTPS site (in other words, an HTTP site), both of the above protections are absent. It’s best to avoid entering any personal information on non-HTTPS sites, and more generally to try to avoid HTTP sites where possible.
Can I still be tracked on HTTPS sites?
HTTPS doesn’t solve all Web privacy problems. Even if you visit a website over HTTPS, the site may be tracking you. The site’s owners may be mishandling your personal data, such as by storing it insecurely or even selling it to other companies. HTTPS can’t prevent any of that.
Also, certificates don’t protect against phishing sites with addresses that are very similar to—but slightly different from—popular website addresses. These addresses “squat” at URLs based on a common typo, such as “googel.com” instead of “google.com” (although in this case Google owns both of those addresses). A typo-squatting phishing site may have a valid certificate, but the certificate doesn’t prove that you’re actually visiting the “real” website you intended to.
What are SSL and TLS?
SSL (Secure Sockets Layer) and TLS (Transport Layer Security) are standardized methods for Web browsers and Web servers to perform encryption and identity verification when using HTTPS. SSL is older, and was superseded by TLS.
What do certificate warnings mean?
Your browser may sometimes show warnings about invalid certificates. Depending on the specific warning, this could mean that the site’s administrators have misconfigured something, or that your connection is being intercepted.
- If a certificate is expired, that’s likely to be a mistake on the website’s part.
- If the address on a certificate doesn’t match the address in the browser’s address bar, that could still be a mistake, but it’s significantly more likely to indicate an intercepted connection.
Whatever the warning is, it’s important to consider the source. If you see a certificate warning when you go to Google, it’s virtually certain that your connection is being intercepted: a sophisticated tech company like Google would not misconfigure their certificates. If you see a warning when you go to your local restaurant’s site, that’s probably just a mistake.
Browsers will give you the option to proceed after you see a certificate warning, but it’s best practice to not do so. Even if you avoid downloading files or entering personal information (like a username or password), the site may still be dangerous.