HTTPS, the lock icon in the address bar, an encrypted website connection—it’s known as many things. While it was once reserved primarily for passwords and other sensitive data, the entire web is gradually leaving HTTP behind and switching to HTTPS.
The “S” in HTTPS stands for “Secure”. It’s the secure version of the standard “hypertext transfer protocol” your web browser uses when communicating with websites.
How HTTP Puts You At Risk
When you connect to a website with regular HTTP, your browser looks up the IP address that corresponds to the website, connects to that IP address, and assumes it’s connected to the correct web server. Data is sent over the connection in clear text. An eavesdropper on a Wi-Fi network, your internet service provider, or government intelligence agencies like the NSA can see the web pages you’re visiting and the data you’re transferring back and forth.
There are big problems with this. For one thing, there’s no way to verify you’re connected to the correct website. Maybe you think you accessed your bank’s website, but you’re on a compromised network that’s redirecting you to an impostor website. Passwords and credit card numbers should never be sent over an HTTP connection, or an eavesdropper could easily steal them.
These problems occur because HTTP connections are not encrypted. HTTPS connections are.
How HTTPS Encryption Protects You
HTTPS is much more secure than HTTP. When you connect to an HTTPS-secured server—secure sites like your bank’s will automatically redirect you to HTTPS—your web browser checks the website’s security certificate and verifies it was issued by a legitimate certificate authority. This helps you ensure that, if you see “https://bank.com” in your web browser’s address bar, you’re actually connected to your bank’s real website. The company that issued the security certificate vouches for them. Unfortunately, certificate authorities sometimes issue bad certificates and the system breaks down. Although it isn’t perfect, though, HTTPS is still much more secure than HTTP.
When you send sensitive information over an HTTPS connection, no one can eavesdrop on it in transit. HTTPS is what makes secure online banking and shopping possible.
It also provides additional privacy for normal web browsing, too. For example, Google’s search engine now defaults to HTTPS connections. This means that people can’t see what you’re searching for on Google.com. The same goes for Wikipedia and other sites. Previously, anyone on the same Wi-Fi network would be able to see your searches, as would your Internet service provider.
Why Everyone Wants to Leave HTTP Behind
HTTPS was originally intended for passwords, payments, and other sensitive data, but the entire web is now moving towards it.
In the USA, your Internet service provider is allowed to snoop on your web browsing history and sell it to advertisers. If the web moves to HTTPS, your Internet service provider can’t see as much of that data, though—they only see that you’re connecting to a specific website, as opposed to which individual pages you’re viewing. This means much more privacy for your browsing.
Even worse, HTTP allows your Internet service provider to tamper with the web pages you’re visiting, if they want. They could add content to the web page, modify the page, or even remove things. For example, ISPs could use this method to inject more advertisements into web pages you visit. Comcast already injects warnings about its bandwidth cap, and Verizon has injected a supercookie used for tracking ads. HTTPS prevents ISPs and anyone else running a network from tampering with web pages like this.
And, of course, it’s impossible to talk about encryption on the web without mentioning Edward Snowden. The documents leaked by Snowden in 2013 showed that the US government is monitoring the web pages visited by Internet users around the world. This lit a fire under many technology companies to move towards increased encryption and privacy. By moving to HTTPS, governments around the world have a tougher time viewing all your browsing habits.
How Browsers Are Encouraging Websites to Dump HTTP
Because of this desire to move to HTTPS, all the new standards designed to make the web faster require HTTPS encryption. HTTP/2 is a major new version of the HTTP protocol supported in all major web browsers. It adds compression, pipelining, and other features that help make web pages load faster. All web browsers require sites to use HTTPS encryption if they want these useful new HTTP/2 features. Modern devices have dedicated hardware to process the AES encryption HTTP requires, too. This means that HTTPS should actually be faster than HTTP.
While browsers are making HTTPS attractive with new features, Google is making HTTP unattractive by penalizing websites for using it. Google plans to flag websites that don’t use HTTPS as unsafe in Chrome, and Google wants to prioritize websites that use HTTPS in Google search results. This provides a strong incentive for websites to migrate to HTTPS.
How to Check if You’re Connected to a Website Using HTTPS
You can tell you’re connected to a website with an HTTPS connection if the address in your web browser’s address bar starts with “https://”. You’ll also see a lock icon, which you can click for more information about the website’s security.
This looks a bit different in each browser, but most browsers have the https:// and lock icon in common. Some browsers now hide the “https://” by default, so you’ll just see a lock icon next to the website’s domain name. However, if you click or tap inside the address bar, you’ll see the “https://” part of the address.
If you’re using an unfamiliar network and you connect to your bank’s website, ensure that you see the HTTPS and the correct website address. This helps you ensure that you’re actually connected to the bank’s website, although it’s not a foolproof solution. If you don’t see an HTTPS indicator on the login page, you may be connected to an impostor website on a compromised network.
Watch Out for Phishing Tricks
The presence of HTTPS itself isn’t a guarantee a site is legitimate. Some clever phishers have realized that people look for the HTTPS indicator and lock icon, and may go out of their way to disguise their websites. So you should still be wary: don’t click links in phishing emails, or you may find yourself on a cleverly disguised page. Scammers can get certificates for their scam servers, too. In theory, they’re only prevented from impersonating sites they don’t own. You may see an address like https://google.com.3526347346435.com. In this case, you’re using an HTTPS connection, but you’re really connected to a subdomain of a site named 3526347346435.com—not Google.
Other scammers may imitate the lock icon, changing their website’s favicon that appears in the address bar to a lock to try to trick you. Keep an eye out for these tricks when checking your connection to a website.