I’m not stupid, but: what is https about?

Any tech-geek followers of my blog will probably know this inside out, so this one is for the rest of you.

My next entry in the I’m not stupid, but… series is about the difference between http and https in web URLs. We’re all told https is more secure, but there’s a shroud of mystery about what this actually means.

In a nutshell:

• https prevents anyone but you and the owner of the web site reading your communications.
• At a public internet connection, not using https means anyone in that same location can steal your login sessions at any sites you visit while there.
• The certificate proves the owner of the site you are visiting is who they say they are.

When you visit a web site, you are communicating with a computer somewhere else in the world in a language called HTTP. This communication, like all internet traffic, is a bit like sending a letter in the post. The data you send travels from router to router much like a letter travels from sorting office to sorting office until it arrives at its destination.

Just like in the mail, anyone in between you and the destination can open the envelope and read the data contained within. This data could be your username and password when filling in a form, or it could be data coming back from the site with, for example, your bank balance. Moreover, in order that you not have to log in to every page on a site, your browser will usually send something with each communication called an authentication cookie which proves you are already logged in.

The most dangerous place for this kind of information free-for-all is a shared internet connection, such as in a coffee shop. This is a bit like everyone sharing the same post box – when someone goes to put a letter in, they can reach out and grab yours along with it and read anything in it. This type of security breach is easily demonstrated with something called Firesheep, which displays the secret authentication cookies of anyone using non-https sites at the same location as the user and allows that person to steal these login sessions.

A URL beginning https means the HTTP is placed inside something called SSL. SSL is encrypted data: in the mail analogy it is like a special armoured envelope that can only be opened by the recipient to whom you have addressed it. The recipient can still do what he/she likes with the data but no one in between has access to it.

If the site has https for the login form, this will prevent people stealing your password, but if it then redirects you to a plain http site once you are logged in, you are still at risk because your browser is still sending the authentication cookie with every request and other users can use this to “prove” they are you.

Example of certificate information

The final piece of this puzzle is the certificate.

When you visit a web site using https, the browser will look for proof that the site is who it is supposed to be (and not, for example, someone who has stolen the domain name or a rogue internet provider re-routing the traffic). The proof comes in the form of a digital certificate signed by a company that has done a quick background check on the company supposedly in charge of the site.

In the example illustrated, Twitter’s certificate is signed by VeriSign. Because your browser is pre-programmed to trust VeriSign (with its own signed certificate!), the chain of trust is complete.

If you visit a site with https that does not present a certificate, or the certificate is signed by someone your browser does not trust, you will be presented with a large warning advising you to be cautious before proceeding. When this happens, what your browser is telling you is that your data is still unable to be read by anyone except you and the owner of the site, but it can’t verify the owner of the site is who they say they are.

The warning is a bit scary, considering it is still safer than visiting a site using only http, where anyone can read your data and no background checks are done on the owner at all.

The moral of this tale is:

If you are ever logging into a service, and you value the data you are providing to that service, please ensure that service is using https URLs throughout.

Some sites, such as Twitter and Facebook, require you to enable this option in your settings, and it is very wise to do so. Many other sites simply do not support this. If you consider your data valuable, please write to the provider of the service, requesting that they enable this feature!