Secure websites
I’m often asked about secure websites. For example, should you trust the connection with your computer and your bank’s website? The article is going to get a little technical, but hopefully will give you the tools to know which websites are secure, and which aren’t, from now on.
There has been an encrypting protocol around for a long time called Secure Sockets Layer (SSL), which has since been revised and renamed Transport Layer Security (TLS); it can be used in most client/server relationships. Running the HTTP protocol over TLS makes the web session encrypted. The S in HTTPS stands for secure.
This is the difference between HTTP and HTTPS, which should be easy to see in the URL bar at the top of most browsers. Does the URL start with http:// or https://? If it doesn’t start with https://, it’s likely not encrypted, meaning anyone sitting between you and the server can see everything you do on that website!
So we know that if we don’t want people digitally eavesdropping or carrying out what is called a man-in-the-middle (MITM) attack, we need to make sure the website we’re going to uses https:// at the beginning of its address. Most modern browsers will also show a padlock icon or a different colour if you’re using an HTTPS connection successfully. If the padlock is broken, the connection shouldn’t be trusted, as there is likely an issue with the server’s TLS certificate.
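As an added example (this is not code from the original article), the Python script below does what the browser does before it shows a padlock: it refuses to treat anything but an https:// URL as encrypted, and for https:// it opens a TLS connection with the default context, which validates the certificate chain and hostname, then reports the negotiated protocol, cipher and certificate expiry. A failed certificate check is reported as the "broken padlock" case rather than treated as a fatal error. The host names in the usage line are made-up placeholders.

```python
import socket
import ssl
import sys
from datetime import datetime, timezone
from urllib.parse import urlsplit


def connection_is_encrypted(url: str) -> bool:
    """The URL-bar check from the article: only an https:// URL gets TLS."""
    return urlsplit(url).scheme.lower() == "https"


def inspect_https(url: str, timeout: float = 5.0) -> dict:
    """Perform the checks behind the padlock for an https:// URL.

    Returns a dict with 'encrypted' and 'trusted' flags plus details or a
    reason. Non-https URLs are answered without touching the network.
    """
    parts = urlsplit(url)
    if not connection_is_encrypted(url):
        return {"encrypted": False, "trusted": False,
                "reason": "URL does not use https://"}
    host, port = parts.hostname, parts.port or 443
    ctx = ssl.create_default_context()  # chain + hostname verification on
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
                expires = datetime.fromtimestamp(
                    ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
                subject = dict(attr[0] for attr in cert["subject"])
                return {
                    "encrypted": True, "trusted": True,
                    "protocol": tls.version(), "cipher": tls.cipher()[0],
                    "subject": subject.get("commonName"),
                    "expires": expires.isoformat(),
                    "days_left": (expires - datetime.now(timezone.utc)).days,
                }
    except ssl.SSLCertVerificationError as exc:
        # Encrypted, but the certificate failed validation: the broken padlock.
        return {"encrypted": True, "trusted": False, "reason": exc.verify_message}
    except (ssl.SSLError, OSError) as exc:
        return {"encrypted": False, "trusted": False, "reason": str(exc)}


if __name__ == "__main__":
    # Usage: python check_https.py https://bank.example/login  (placeholder host)
    for target in sys.argv[1:] or ["http://bank.example/login"]:
        print(target, inspect_https(target))
```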
Are you with me so far? You should not put any personal information into any website that does not use HTTPS properly, and you should remember that everything you do on a plain HTTP website can be monitored, logged, and used against you forever.
The Electronic Frontier Foundation (EFF) partnered with the Tor Project to release HTTPS Everywhere, a plugin for both Chrome and Firefox that automatically tries to redirect your browser to the secure version of any website you visit.
The next article in this series will explain how simply using HTTPS is no longer good enough on its own; it is the first step towards understanding how we need to start ensuring our HTTPS sessions use Perfect Forward Secrecy.