As the web integrates deeper into our lives, terms like security, privacy, encryption, SSL and HTTPS are being talked about more and more. But what is HTTPS and why do we need it?
What is it?
When you request a website by typing www.webaddress.com into your web browser, the browser sends a request over the internet to the server that hosts the website, asking it to send you the page you want. In order to negotiate the action that you wish to perform, a protocol is used to define how that request is sent and interpreted.
The default communication protocols for accessing web pages are HyperText Transfer Protocol (HTTP), and HyperText Transfer Protocol Secure (HTTPS).
The difference between the two is that HTTP communication is transported in plain text, while HTTPS communication is encrypted. Think of it as letters being sent through the post. HTTP messages are written on a postcard, so anyone who handles it can read it. HTTPS messages are written on the same sort of postcard, but it is placed in a sealed envelope, so the people who handle it can't read the message inside.
In reality the HTTPS message would have no envelope and instead the text would be scrambled, but you get the idea.
How it works
The reason I use the envelope analogy is that the processes that send and receive messages still work in plain text, just like HTTP. The difference is that there is a service in between the browser sending the message and the server receiving it at the other end that handles the encryption. At one end the message is put into an envelope, and at the other end it is taken out.
Public/Private Key Cryptography
The service that does this encryption used to be Secure Sockets Layer (SSL), which has now been replaced by Transport Layer Security (TLS). It works by using a type of encryption called public-private key cryptography.
A large and randomly generated sequence of numbers is used to create a pair of related keys, or passwords. One is the public key which anyone can use to encrypt messages that they send to you, and one is the private key, which the receiver uses to decrypt the messages.
When you request a website using HTTPS, the TLS layer opens a connection to the server, which sends back its public key. A new encryption key, known as a shared secret, is then generated and used to encrypt your communications in this session. Both your computer and the server can now send encrypted messages to each other that only you and the server can decrypt.
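The exchange described above, as an added Node.js example that is not part of the original article: the function names and the sample request are constructed for illustration. It follows the article's description by wrapping a random session key with the server's RSA public key; TLS 1.3 instead agrees the session key with ephemeral Diffie-Hellman.

```javascript
// Added illustration of the exchange described above; not a real TLS stack.
const crypto = require('node:crypto');
const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// Server: long-term key pair. The public half is what it sends to the browser.
function makeServerKeys() {
  return crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
}

// Browser: generate a random session key and wrap it with the server's public key.
function wrapSessionKey(serverPublicKey) {
  const sessionKey = crypto.randomBytes(32);
  const wrapped = crypto.publicEncrypt({ key: serverPublicKey, ...OAEP }, sessionKey);
  return { sessionKey, wrapped };
}

// Server: only the holder of the private key can recover the session key.
function unwrapSessionKey(serverPrivateKey, wrapped) {
  return crypto.privateDecrypt({ key: serverPrivateKey, ...OAEP }, wrapped);
}

// Either side: encrypt with the shared key. AES-256-GCM also produces an
// authentication tag, which lets the receiver detect altered messages.
function seal(sessionKey, plaintext) {
  const iv = crypto.randomBytes(12); // must be unique per message
  const cipher = crypto.createCipheriv('aes-256-gcm', sessionKey, iv);
  const body = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return { iv, body, tag: cipher.getAuthTag() };
}

// Either side: decrypt. final() throws if the body or tag changed in transit.
function unseal(sessionKey, { iv, body, tag }) {
  const decipher = crypto.createDecipheriv('aes-256-gcm', sessionKey, iv);
  decipher.setAuthTag(tag);
  return Buffer.concat([decipher.update(body), decipher.final()]).toString('utf8');
}

// Run the whole exchange once, then flip one bit of the ciphertext.
function demo() {
  const server = makeServerKeys();
  const { sessionKey, wrapped } = wrapSessionKey(server.publicKey);
  const serverCopy = unwrapSessionKey(server.privateKey, wrapped);
  const message = seal(sessionKey, 'GET /account HTTP/1.1');
  const received = unseal(serverCopy, message);
  message.body[0] ^= 1; // constructed tampering "in transit"
  let tamperDetected = false;
  try { unseal(serverCopy, message); } catch { tamperDetected = true; }
  return { keysMatch: sessionKey.equals(serverCopy), received, tamperDetected };
}
```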
Verifying the sender
So we can establish secure messaging with the server. This prevents anyone from eavesdropping on your message exchange, and verifies that no one has tampered with or altered the message (through a verification code sent with each message). But how do we know that the service we initially set up the communications with is the service we want, and not a "man in the middle" pretending to be the service?
This is where SSL certificates come in. An SSL certificate is essentially a text document with a public and private key in it, along with a cryptographic signature. SSL Certificates are issued by a Certificate Authority (CA), and are signed with the CA’s SSL certificate, called a root certificate, which comes pre-installed in your browser.
Because you trust the CA’s certificate, and it can be used to verify the SSL certificate from the server you want to communicate with, by extension you can trust that the server certificate is from who it says it is from, as the CA would not have issued it to anyone else. It is like asking a trusted friend who knows the person you want to talk to if they are cool!
What if the connection is not secure when it should be?
If you visit a website that uses HTTPS, but the padlock symbol has an error icon on it, be sure to click it and read why the connection may not be secure.
You should also email the company to let them know that there is an issue with their security. This is especially important for ecommerce checkouts: never enter your details unless the connection is secure.
Not all encryption is equal
I am visiting a website, it uses HTTPS and there is a green padlock next to the web address in the address bar – great! My connection is secure – well not necessarily.
When your browser is negotiating a secure connection with a server, it advertises which encryption algorithms it supports, and the server will try to use the most secure algorithm both parties support. Over time, new and more secure algorithms are deployed as hackers or security researchers find weaknesses in the old ones, so it is important for servers to keep their security up to date.
Supporting old algorithms on a server leaves it vulnerable to man-in-the-middle downgrade attacks. This is where the initial connection packets are intercepted and rewritten, advertising that the client only supports older weaker encryption methods. Then after the connection is secured, the "man in the middle" can decrypt the data using flaws in the weaker encryption.
Browser vendors are aware of this issue, and having the latest updates for your browser will ensure that you cannot access sites that support out-of-date encryption algorithms. If you run a secure server, you should also check your SSL implementation.
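A simplified model of the negotiation and the server-side check described above, as an added example that is not part of the original article. It is not a TLS implementation; the two server configurations, the client hellos and all function names are constructed for illustration.

```javascript
// Added example: a simplified model of TLS negotiation, not a TLS stack.
const STRONGEST_FIRST = ['TLSv1.3', 'TLSv1.2', 'TLSv1.1', 'TLSv1', 'SSLv3'];
const LEGACY_VERSIONS = new Set(['TLSv1.1', 'TLSv1', 'SSLv3']);
const WEAK_CIPHER = /RC4|3DES|DES-CBC|EXP|NULL|MD5|ADH/;

// Constructed server configurations: one still offers old algorithms.
const legacyServer = {
  versions: ['TLSv1.2', 'TLSv1', 'SSLv3'],
  ciphers: ['ECDHE-RSA-AES128-GCM-SHA256', 'DES-CBC3-SHA', 'RC4-MD5'],
};
const hardenedServer = {
  versions: ['TLSv1.3', 'TLSv1.2'],
  ciphers: ['TLS_AES_128_GCM_SHA256', 'ECDHE-RSA-AES128-GCM-SHA256'],
};

// Constructed client hellos: an out-of-date browser's full offer, and the
// same offer after the weaker-only rewrite the article describes.
const outdatedBrowserHello = {
  versions: ['TLSv1.2', 'TLSv1', 'SSLv3'],
  ciphers: ['ECDHE-RSA-AES128-GCM-SHA256', 'DES-CBC3-SHA', 'RC4-MD5'],
};
const rewrittenHello = { versions: ['SSLv3'], ciphers: ['RC4-MD5'] };

// Server picks the strongest common version and its first-preference cipher
// that the client also lists; null means the handshake is refused.
function negotiate(clientHello, server) {
  const version = STRONGEST_FIRST.find(
    v => clientHello.versions.includes(v) && server.versions.includes(v));
  const cipher = server.ciphers.find(c => clientHello.ciphers.includes(c));
  return version && cipher ? { version, cipher } : null;
}

// Server-side check: everything the server is still willing to speak
// that should have been switched off.
function auditServer(server) {
  return [
    ...server.versions.filter(v => LEGACY_VERSIONS.has(v)),
    ...server.ciphers.filter(c => WEAK_CIPHER.test(c)),
  ];
}
```

With the legacy configuration the rewritten hello still completes a handshake on the weakest option, while the hardened configuration refuses it outright and its audit comes back empty.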
Encryption: Why is it important?
We have all heard of Edward Snowden, the former NSA contractor who blew the whistle on the United States government’s secret spying program. That was the biggest and most high-profile example of how data about us can be hoovered up without our knowledge and used for illicit activities. But the fact is that there were plenty of concerns about the privacy of our data before this drama unfolded, so should we be concerned about our data privacy?
Knowing which websites you visit, at what times of day, what you do on them or post on them, what your interests are, who your friends are, what your political views are: when all this information is put together, it can paint an intimate narrative of a person.
Our information is valuable, and without control over it, we are at risk of being exploited by it. In most cases this may be companies profiling us into age, demographic and belief categories to better sell to us, but in the case of Snowden, the NSA were expanding their capabilities far beyond their remit of national security, and making the ability to snoop on anyone, for any purpose, available to a wide array of agencies.
Governments argue that encryption diminishes their ability to fight crime and terrorism, and that it should either be banned or they should have backdoors into it to enable them to decode our messages. But without privacy, how can we prevent our information being exploited?
On a higher level, how can we present our views without government interference and make sure our democratic government is accountable to all its people, not just the majority? And as for backdoors to encryption - there is no such thing as a backdoor just for good guys.
For most of us, we should understand how encryption works and why we need it, but leave the complexities of encryption implementation to the techy people that understand it. Instead we should benefit from its availability, use it where possible, and be a champion of its use in the websites we visit, apps we use, and systems we have influence over.
If you want to improve your data security policies in your organisation, our tool 360data will help you navigate the systems, policies, and procedures you should have in place to keep control over your data.