The S in HTTPS Means Safe (Not!)
Do you know what the S in HTTPS means?
You’ve probably heard all about HTTPS. You know not to enter your credit card information into an HTTP website and to look for the lock icon before you type in a username or password.
But is HTTPS really as safe as you think it is? In this post, we talk about what HTTPS does for you and what it doesn’t.
What’s the Difference Between HTTP and HTTPS?
Before getting into some of the common misconceptions about HTTPS, it’s good to understand the main differences between HTTP and HTTPS.
HTTP is an Internet protocol for transferring web content from a server to a client (that’s you). It’s mainly designed to ensure that you get the data that you’ve asked for, and it handles all of the formatting, downloading images and videos, etc.
To understand the difference between HTTP and HTTPS, let’s use an example from the postal system. Consider the differences between mailing a postcard and a letter. With a postcard, everyone can see what you’ve written and who it’s going to, so there isn’t much privacy. That’s HTTP.
HTTPS is more like sending a letter. Just like letters and postcards use the same format for conveying information (writing), HTTPS uses the HTTP protocol to ensure that you get what you ask for. However, it adds an extra level of security (like an envelope) to make sure that no one knows exactly what you’re writing.
With HTTPS, someone can see who you’re talking to (just like an address on a letter), but they can’t see the data being transmitted.
Common Misconceptions About HTTPS
From cybersecurity training, many people have gotten the impression that any site with HTTPS is 100% safe.
Unfortunately, that’s not the case. In this section, we’ll talk about some of the most common misconceptions that people have about HTTPS.
Any Website Using HTTPS Is Legitimate
One of the biggest threats associated with phishing attacks is that you’ll go to a website that looks legitimate but isn’t. Going back to our mail example, this would be like someone putting a fake return address on a letter so that you think it’s from someone that you know.
One of the benefits of HTTPS is that it includes address verification. If you see a lock icon in the URL bar, it means that the website you’re seeing is the real thing for that address. Only the true owner of that domain could obtain the certificate that your browser checks before showing the lock.
What HTTPS doesn’t promise is that the site you’re looking at is the one that you expect. Phishers can and do get valid certificates for URLs that look very similar to the real thing (e.g. thecyberrnanaics.com instead of thecybermaniacs.com). In fact, about a quarter of phishing sites use HTTPS to trick you into giving away your personal information.
Everything is Private with HTTPS
Many people believe that HTTPS protects all of your information. If you’re using HTTPS, then no one knows what site you’re visiting, what information is being sent, etc. Unfortunately, this isn’t 100% true for two main reasons.
To understand the first, we need to dive into something called DNS. When you visit a website, you’re probably typing in a URL like thecybermaniacs.com. However, your computer uses IP addresses to talk to other computers. So how does your computer get from a URL to an IP address?
Just like you (used to) use a phonebook to look up a phone number from someone’s name, your computer uses DNS to look up an IP address from a name. If your computer doesn’t already know the answer, it asks one or more DNS servers if they do.
Someone snooping on your Internet traffic can learn where you’re browsing based on the DNS questions that your computer asks.
Even if the snooper doesn’t see your DNS traffic, they can still find out where you are browsing. Every time you use HTTPS to communicate, the IP address of the server that you’re talking to is visible to allow it to be properly routed through the Internet.
Anyone who sees that IP address could find out what web pages are hosted on that computer and get a decent guess at what you’re looking at.
But why do you care if they know where you’re browsing? What if the website is only about an embarrassing medical condition? Or what if you’re on your bank’s website? Any information that a hacker can gather can be used to build a profile for a spear-phishing attack.
How to Browse Securely
The only way to be completely safe on the Internet is not to use it. However, that isn’t really an option in the modern world. By following these tips, you can dramatically decrease your chances of falling prey to a phishing scheme.
As we discussed previously, a favorite tactic of hackers is to use a URL that looks like the site you want in order to steal your sensitive data. Before you enter any data into a website (passwords, credit card information, etc.), please double-check the URL to make sure that you’re actually on the site that you think you’re on. If you’re unsure if it’s the “right” URL, Google is your friend.
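The lookalike-domain problem from the HTTPS misconceptions section above and the "double-check the URL" tip here can be turned into a simple automated check. The script below is an added example (not code from the original post or from The Cyber Maniacs): it takes a URL, folds the character pairs that phishers swap (rn for m, vv for w, and so on), decodes internationalised hostnames, and reports whether the host is a trusted domain, a lookalike of one, or unknown. The TRUSTED list and the helper names are constructed for this example.

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed for this example: the domains a user is expected to sign in to.
TRUSTED = ["thecybermaniacs.com"]

# Character pairs that look alike in most fonts; each is folded to one form
# before comparing, so "rn" and "m" (as in the post's example) become equal.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("1", "l"), ("0", "o")]

def hostname_of(url):
    """Return the lowercase hostname of a URL, with IDN/punycode decoded
    and accented Latin letters reduced to their plain ASCII base."""
    host = urlsplit(url if "://" in url else "https://" + url).hostname or ""
    try:
        host = host.encode("ascii").decode("idna")   # xn--... -> unicode
    except UnicodeError:
        pass                                         # already unicode, keep it
    # NFKD splits accents off; unmapped non-Latin letters are dropped, which
    # still leaves a homoglyph name within a few edits of the real brand.
    host = unicodedata.normalize("NFKD", host).encode("ascii", "ignore").decode()
    return host.lower()

def fold(name):
    """Replace each confusable pair with its single look-alike character."""
    for pair, single in CONFUSABLES:
        name = name.replace(pair, single)
    return name

def edit_distance(a, b):
    """Levenshtein distance, computed one row of the DP table at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_url(url, trusted=TRUSTED, max_distance=2):
    """Classify a URL as 'trusted', 'lookalike' (with the brand it imitates)
    or 'unknown'. A lookalike either embeds a trusted brand name in a
    different domain or is within max_distance edits after folding."""
    host = hostname_of(url)
    for good in trusted:
        if host == good or host.endswith("." + good):
            return "trusted", good
    folded = fold(host)
    for good in trusted:
        brand = fold(good).split(".")[0]
        if brand in folded or edit_distance(folded, fold(good)) <= max_distance:
            return "lookalike", good
    return "unknown", None
```

A browser extension or mail gateway would call check_url on every link before the user reaches the login page; anything classified as lookalike is exactly the case the lock icon cannot warn you about.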
Look for that Lock Icon
HTTPS has its flaws, but it’s still better than HTTP. When you’re using the Internet, always check to see if a site uses HTTPS. If not, consider whether or not you really want to use and trust it. Setting up HTTPS takes less than half an hour and is completely free. If a site owner can’t be bothered to do that, are you sure they’ve bothered to do the rest of their job (verifying the accuracy of the data on their site) properly?
Think Twice Before Entering Sensitive Information
Data breaches are in the news, and it’s obvious that a lot of organizations don’t really care about properly protecting your personal information. Before entering any data into a website (even if it’s the correct URL and using HTTPS), think about whether or not that organization really needs the information that they’re asking for. If not, maybe you should think twice about giving it to them.
VPNs May Be a Good Idea
The main issue with HTTPS is that it doesn’t provide complete privacy. Virtual Private Networks (VPNs) are a potential solution to this. By hiding all of your traffic within an encrypted tunnel between you and the VPN endpoint, they ensure that eavesdroppers can learn nothing about your browsing from watching that connection. VPNs should always be used for remote connections to corporate networks and have many personal uses as well.
Is HTTPS Worth Using?
Definitely yes. Despite its shortcomings, HTTPS is much better than plain HTTP. However, it’s important to take that extra second to double-check everything before giving away your personal information to a hacker.