Busting myths about https (secure)

Here’s some good information about what https is, and what it is for. It covers why https is needed and what https doesn’t deal with. This article is aimed at a general audience without much technical knowledge. If you are too busy like me, jump straight to the TL;DR section.

What’s this https?

You might have noticed that a lot of sites begin with an https link instead of the earlier http links. Or maybe you have seen the padlock icon before the URLs. It indicates that you are connected to the website using a secure connection. It means that the data transferred between your web browser (Chrome, Firefox, Safari, Edge, etc.) and the web server (where the website is hosted) is secure, and the site is the one which the URL points to. Technically, the connection is encrypted using TLS/SSL.

Does https make a website secure?

No, https doesn’t itself make a site secure. Nor is it designed to make a site secure. Actually, https only secures the connection and data transfer between the web server and your web browser (Chrome, Firefox, Safari, Edge, etc.). So, when you browse a site that has https in the URL, it ensures that the site isn’t modified anywhere in between on the network before it reaches you. Moreover, the data you submit/send on the site, like email, passwords, credit card details, etc., also gets encrypted and cannot be read/modified anywhere on the internet during transit. Consider https as just the first step towards website security.

Basically, it encrypts the data transfer (connection) between your browser and the website server. That protects you from man-in-the-middle attacks. It doesn’t mean that the website stores or processes your data securely. Nor does it assure that the website provides correct information or cares for your privacy. But you can rest assured that you see exactly what the website sends, and that no data is manipulated/read during transit, irrespective of your internet connection. Also note that it’s not safe to connect over http to popular websites that are already on https, because that most often happens only when someone is eavesdropping on your network/internet connection.

What’s the need for https?

Https or ‘Hypertext Transfer Protocol Secure’ is needed to ensure that nobody, such as your internet service provider (ISP), can read or manipulate the content while it’s traveling to and from you. If you use an open hotspot or public wifi, then https mitigates a lot of risk and ensures secure access to those sites that you connect to using https.

Without https, any device that lies on the network in between your browser and the web server can probably read as well as change the look, feel and content of the website you are visiting (if someone on that path chooses to do so). And if you submit personal information, passwords, etc., it could be read or changed too. So, imagine you are accessing the internet through public wifi at a coffee shop. Lots of unknown people are also connected to the same wifi network. You don’t even know or trust the coffee shop owner much. There lies the risk that anybody among them might be reading the password you use while logging in on a site that isn’t secured using https.

Apart from this, https is pretty much the industry standard now, and is also necessary from the SEO point of view. Therefore, https is a must and you shouldn’t trust websites that aren’t connected using https.

What doesn’t it secure?

Https doesn’t make the website itself secure, it only secures the connection between you and the website. The website might have malicious content/malware or might store or process user data in an insecure manner. It doesn’t certify that the information provided by any website is correct. Therefore, it doesn’t make a website trustworthy.

It doesn’t secure your device or browser. For example, if your device has got some malware/virus, hackers might still be able to read/change the content. If your employer installed some employee monitoring software, he/she might be able to monitor what you do on your office computer. Same way it doesn’t ensure the security of the website server either. You might know that even tech giants have faced data leaks and other security issues.

I own a website that isn’t https!

If you have a website which isn’t https, then you should consider making it https-enabled and setting up automatic redirection from http to https. You want to get it ranked on search engines (like Google), right? Sites without https are getting labelled as insecure in the URL bar. Your customers might even start losing confidence in the website sooner or later.

What’s more, most hosting providers support free TLS/SSL certificates through Let’s Encrypt. And it’s not a herculean task to enable https either. Ask your web developer to enable https or contact us and we would do that for you.
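One way a site owner can check the http-to-https redirection described above, as an added example that is not part of the original article: the function audits a recorded chain of server responses (status code and Location header). The host shop.example and the sample chains are constructed for illustration.

```python
from urllib.parse import urljoin, urlsplit

REDIRECTS = (301, 302, 303, 307, 308)
PERMANENT = (301, 308)

def audit_redirect_chain(start_url, hops):
    """Audit the responses a browser receives when it starts at an http:// URL.

    hops: list of (status_code, location_header_or_None), in order.
    Returns a list of findings; an empty list means the redirect looks correct.
    """
    if urlsplit(start_url).scheme != "http":
        return ["start URL must be http:// to test the redirect"]
    findings, url = [], start_url
    for index, (status, location) in enumerate(hops):
        scheme = urlsplit(url).scheme
        if status in REDIRECTS and location:
            target = urljoin(url, location)  # Location may be relative
            target_scheme = urlsplit(target).scheme
            if scheme == "https" and target_scheme == "http":
                findings.append(f"hop {index}: downgrade from https to {target}")
            if index == 0:
                if target_scheme != "https":
                    findings.append("first redirect does not go to https")
                if status not in PERMANENT:
                    findings.append(f"first redirect is temporary ({status}), not permanent")
            url = target
            continue
        # Non-redirect response: this is where the visitor ends up.
        if scheme != "https":
            findings.append(f"content served over plain http at {url} (status {status})")
        break
    else:
        findings.append("no final (non-redirect) response recorded")
    return findings

# Constructed sample chains for the hypothetical site http://shop.example/
START = "http://shop.example/"
GOOD = [(301, "https://shop.example/"), (200, None)]
NO_REDIRECT = [(200, None)]
DOWNGRADE = [(302, "https://shop.example/"),
             (302, "http://shop.example/home"), (200, None)]

if __name__ == "__main__":
    for name, chain in [("good", GOOD), ("no redirect", NO_REDIRECT),
                        ("downgrade", DOWNGRADE)]:
        print(name, "->", audit_redirect_chain(START, chain) or "OK")
```

The chains can be recorded by hand from a browser's network tab or any HTTP client that shows each response without following redirects.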

TL;DR

  • Https makes the connection between the site and browser secure.
  • It doesn’t ensure the security or trustworthiness of the website.
  • Don’t trust websites that don’t have https://.
  • Https is just the first step towards the security of a website.
  • It’s of utmost importance while using public wifi/open hotspots.
  • It doesn’t protect you from an insecure device or other vulnerabilities.
  • Https is the industry standard and important for SEO.
  • If you own a website without https, it’s high time to enable https on it.
