HTTPS, the lock icon in the address bar, an encrypted website connection — it’s known as many things. Knowing what it means is important, as it has serious implications for banking online, shopping, and avoiding phishing.
When you connect to most websites, your web browser uses the standard HTTP protocol. HTTPS is the secure, encrypted counterpart to HTTP — it literally stands for “HTTP Secure,” which is “Hypertext Transfer Protocol Secure.”
The Problem With HTTP
When you connect to a website with HTTP, your browser looks up the IP address that corresponds to the website, connects to that IP address, and assumes it’s connected to the correct web server. Data is sent over the connection in clear text, so an eavesdropper on a Wi-Fi network, your Internet service provider, or state intelligence agencies like the NSA can see the web pages you’re visiting and the data you’re transferring back and forth. An eavesdropper could see any passwords, credit cards, or other data if it were sent over HTTP.
There are big problems with this. For one thing, there’s no way to authenticate that you’re connected to the correct website. Maybe you think you accessed your bank’s website, but you’re on a compromised network and you were redirected to an impostor website. You want passwords and credit card numbers to be encrypted and secured so no one can eavesdrop on them and steal your personal data. There’s also the risk of people eavesdropping on the websites you visit and searches you make.
In short, HTTP has problems because HTTP connections are never encrypted. HTTPS adds encryption in an attempt to fix these problems.
How HTTPS Solves This Problem
HTTPS isn’t perfect, but it’s certainly much more secure than HTTP. When you connect to an HTTPS-secured server — secure sites like your bank’s will automatically redirect you to HTTPS when you attempt to log in — your web browser checks the website’s security certificate and verifies it was issued by a legitimate certificate authority. This helps you ensure that, if you see “https://bank.com” in your web browser’s address bar, you’re actually connected to your bank’s real website — the certificate issuing authority vouches for them. Unfortunately, certificate authorities sometimes issue bad certificates and the system breaks down. Although it isn’t perfect, the presence of HTTPS is still helpful.
When it comes time to log in or send other personal data like a credit card number and payment details, this data should be sent over an encrypted connection with HTTPS. This prevents other people from eavesdropping on your sensitive data.
HTTPS also provides additional privacy. For example, Google’s search engine now defaults to HTTPS connections. This means that people can’t see what you’re searching for on Google.com — previously, anyone on the same Wi-Fi network would be able to see your searches. If a connection to Wikipedia is encrypted with HTTPS, people wouldn’t be able to see which article you’re viewing on Wikipedia. They could only see that you’re connected to Wikipedia.
Identifying HTTPS Websites
You can tell you’re connected to a website with an HTTPS connection if the address in your web browser’s address bar starts with https://. You’ll also see a lock icon, which you can click for more information about the website’s security. This looks a bit different in each browser, but all browsers have the https:// and lock icon in common.
When You Should Care
HTTPS is important whenever you’re logging into something or giving payment details. If you’re about to enter a password or other personal information, check your address bar and ensure that you’re on an HTTPS site. If you’re not, it’s not really safe to enter such sensitive data. Most websites should be doing this properly now, but a badly coded site may still send your sensitive data in unsecured plain text if it’s set up to connect over HTTP.
HTTPS is also valuable because it provides some verification of website identities. If you’re using an unfamiliar network and you connect to your bank’s website, ensure that you see the HTTPS and the correct website address. This helps you ensure that you’re actually connected to the bank’s website, although it’s not a foolproof solution. If you don’t see an HTTPS indicator on the login page, you may be connected to an impostor website on a compromised network.
Avoiding Phishing Tricks
Some clever phishers have realized that people look for the HTTPS indicator and lock icon and may go out of their way to disguise their websites. You shouldn’t click links in phishing emails — but, if you do, you may find yourself on a cleverly disguised page. Nothing stops a scammer from getting a certificate for their scam server, so there’s nothing to stop scammers from using HTTPS as well — in theory, they’re only prevented from impersonating sites they don’t own. You may see an address like https://bankofamerica.com.3526347346435.com. In this case, you’re using an HTTPS connection, but you’re really connected to a subdomain of a site named 3526347346435.com — not Bank of America.
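The subdomain trick above can be checked mechanically: what matters is the registrable domain (the last labels of the hostname), not whether a familiar name appears somewhere in the address. The following is an added example, not code from the original article; the expected domain `bankofamerica.com` and the sample URLs are constructed for illustration, and the two-label rule is a deliberate simplification (real tooling uses the Public Suffix List to handle names like `example.co.uk`).

```python
from urllib.parse import urlsplit

# Constructed assumption: the site the user believes they are visiting.
EXPECTED_DOMAIN = "bankofamerica.com"


def registrable_domain(hostname: str) -> str:
    """Return the last two DNS labels of a hostname.

    Naive on purpose: correct for plain .com names like the page's example,
    but a Public Suffix List lookup is needed for suffixes such as .co.uk.
    """
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_url(url: str, expected: str = EXPECTED_DOMAIN) -> dict:
    """Report whether a URL is HTTPS and which site it really belongs to."""
    parts = urlsplit(url)
    host = parts.hostname or ""          # hostname only: no scheme, port or path
    registrable = registrable_domain(host)
    matches = registrable == expected
    return {
        "https": parts.scheme == "https",
        "host": host,
        "registrable": registrable,
        "matches_expected": matches,
        # The expected name appears in the host but is not the real domain:
        # exactly the bankofamerica.com.<random>.com pattern described above.
        "looks_like_expected": (not matches) and expected in host,
    }


if __name__ == "__main__":
    for sample in (
        "https://www.bankofamerica.com/login",
        "https://bankofamerica.com.3526347346435.com",
        "http://bankofamerica.com/login",
    ):
        print(sample, classify_url(sample))
```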
Other scammers may imitate the lock icon, changing their website’s favicon that appears in the address bar to a lock to try to trick you.
Bear in mind that the presence of HTTPS itself isn’t a guarantee a site is legitimate. It confirms you’re using an encrypted connection and provides some peace of mind that you’re connected to the right site, but even that isn’t completely guaranteed.