From time to time you may have noticed that, in the address bar of your browser, at the beginning of the URL and accompanied by the drawing of a padlock, the abbreviations HTTPS appear when you enter the websites that you visit every day. This is just an indication that your connection to the page is encrypted, is secure and is more difficult for someone to intercept it.
Many of the most popular websites already incorporate it. Facebook, Google, YouTube or Twitter are just some popular examples that everyone knows. However, and given that Google is about to declare the average Internet insecure through Chrome, it’s worth stopping to think about what HTTPS is and what it means not using it.
Before you begin to assess the possible implications, it is worth remembering what HTTPS is exactly. As we detailed in an earlier article, it is an encrypted extension of the traditional HTTP protocol. To perform this encryption, each HTTP connection is sent over an SSL or TLS layer.
The goal of using HTTPS answers two questions : firstly certifying that the web visited is legitimate, and secondly that it maintains the integrity and privacy of the connection data. Having covered these two aspects, you get protection against man-in-the-middle attacks.
In addition, it offers two-way encryption for communications between servers and clients, which protects against espionage and manipulation of communication contents. In practice, it serves as a reasonable guarantee that we are communicating with the web we want and not with an imposter, which also protects against phishing attacks, such as the one that occurred in the National Democratic Committee before the last presidential election From USA
Historically, HTTPS connections have been used primarily for economic transactions, e-mail and providing greater security to corporate communication systems. At the end of the decade of 2000 and beginning of the decade of 2010, its use began to be generalized to protect all type of websites.
How do you establish a connection with HTTPS?
In all encryption processes a key is needed to first encrypt the information and, secondly, make it readable. In the case of HTTPS it has to be unique for each session, and it must be generated without anyone else being able to know it.
For this purpose a technique known as asymmetric encryption is used, which uses a system based on two keys: one public and one private, exactly as explained in Genbeta Dev. These keys are a couple of numbers related in a somewhat special way, so that a message encrypted with a key can only be encrypted with its corresponding pair.
Put another way: if we want to enter our Gmail inbox, the output connection of our PC is encrypted with the public key. When that connection reaches the Google server, it is decrypted using the private key.
However, before the connection request arrives at its destination, the browser encrypts a prekey generated at the time with the public key of the server to which we want to connect. This is sent to the server, which decrypts the prekey with its private key. Both the server and the browser will apply a certain algorithm to the prekey and will get the same encryption key.
From this moment, overcome the stumbling block of the key exchange, client and server encrypt and decrypt the data with it. As no one else knows it, communications are, in theory, secure. This is what makes HTTPS important, since thanks to it our communications with the webs will be only between them and us.
Why is HTTPS important?
In the blog for Google developers especially affect that HTTPS itself is very important . The reasons we have mentioned above in a brief manner, but it is worth going into details to make it as clear as possible.
The use of HTTPS avoids espionage by intruders . Intruders range from malicious actors to legitimate companies that are considered invasive. In this last category would enter, for example, the Internet service providers or ISPs.
Attackers exploit unprotected communications to trick users, so as to provide sensitive information or install malware, as well as to insert unwanted or legitimate user resources in advertising. Google sets the example of third parties that insert advertising on websites that can ruin the user experience and create vulnerabilities in user security.
Intruders can also exploit every unprotected resource that moves between websites and users. These resources can be images, cookies, script, HTML code and so on. Intrusions can occur anywhere in the network: a home machine, a WiFi access point or a compromised ISP, for example.
A false, but widespread, idea is that HTTPS is only needed on websites that handle sensitive communications and information. Each unencrypted HTTP request can reveal information about users’ behaviors and identities.
The implementation of HTTPS on the Internet today
According to Statoperator, currently “only” 116,675 most popular web sites use HTTPS by default. As we can see, the trend of secure protocol implementation is on the rise, so we can speculate that in the future, more prominent websites will implement this encrypted communication system.
In an article published in Wired in March last year it is said that 79 of the top 100 websites use the HTTPS protocol. Of those 79, 67 use non-updated encryption technologies. Among the names that we can find in that list are names as important as those of the New York Times or IMDB.
Recently we, Weblogs SL, have implemented HTTPS throughout our blog network. The operation has been carried out by our systems department, where we are trying to “modernize and secure the platform”. The technical team had long wanted to implement the improvement, but it has not been until recently that we have been able to do so.
Many network giants , including Google, have stated that HTTPS is the future of the Internet. Keeping in mind that security and privacy are always a hot topic and that we are becoming more aware of the importance of good encryption, it is not surprising that these companies lead their cause.