I prefer my hash with salt...

Earlier this year, I spent a few hours exploring the world of HTTPS and SSL/TLS. The following Monday, when some of my friends and family members asked me, “what have you been up to lately?”, I began to bore them with wonderful tales of public/private encryption keys, hashing (preferably salted), and Apache redirect configurations. Once I realized I had somewhat missed the mark of the appropriate level of conversation for a Monday morning, I quickly pivoted to sports and the weather. All that to say…I realize that cyber security isn’t always the most interesting topic (although I personally find it intriguing). However, I think it’s valuable to capture some general thoughts and ideas about the need for secure websites and security-aware users. This article is meant to be a light-hearted, high-level explanation of some simple concepts that all internet users should be informed about.

Is Your Connection Secure?

It’s an interesting question, especially now that the Google Chrome web browser labels every website as one of the following three categories:

  • Secure (valid / verified HTTPS)
  • Info or Not Secure (HTTP)
  • Not Secure or Dangerous (invalid HTTPS, steer clear of these)

In the past, Chrome distinguished between different types of secure sites and presented some with a “green” lock (other browsers such as Safari still do). This is being phased out as part of an industry-wide effort to make secure sites the norm by calling attention to any site that isn’t explicitly considered secure.

Why is it important for my connection to be secure?

The reality is that it’s becoming more and more difficult for you to keep your financial and confidential interactions entirely offline. Even if you somehow have managed to largely stay off the web, something as seemingly innocuous as searching for a car on Craigslist or checking your email over an insecure connection could have unforeseen consequences.

Let’s dive a little deeper by defining a few basic acronyms and technical terms.

Encryption

Encryption is the process of encoding a message so that only the sender and the recipient can understand the content. Encryption requires an encryption scheme (algorithm) and a key (legend). A very simple example of this is a substitution cipher, which many of you have most likely encountered on the back of a cereal box or perhaps on a school worksheet. The “cipher text” (encoded text) is presented on the back of the cereal box and appears to be a jumble of nonsensical letters, numbers, or symbols.

A simple example of encryption in action.

Somewhere on the box (or maybe on a nifty ring) is a key (legend) that tells you what each of the characters stands for.

The secret decoder ring is the “key”

Once you apply the key to the cipher text you end up with a readable message called the “plain text”. This is a very simplistic example of encryption and is obviously not very secure. Computers use advanced mathematical equations and large prime numbers to perform encryption that is very difficult to crack.
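To make the decoder-ring idea concrete, here is a small substitution cipher in Python (an added example, not part of the original post). The legend is a constructed 26-letter string that stands in for the shared secret; the same code encodes the cereal-box message and decodes it, and the validation function rejects a legend that is not a one-to-one mapping, which is the one property that makes the message recoverable.

```python
import string

ALPHABET = string.ascii_uppercase

# Constructed legend (the "secret decoder ring"): position i of this string
# is what ALPHABET[i] becomes. Any permutation of A-Z is a valid legend.
LEGEND = "QWERTYUIOPASDFGHJKLZXCVBNM"


def is_valid_legend(legend: str) -> bool:
    """A usable legend maps every letter to exactly one other letter;
    otherwise the recipient could not reverse it unambiguously."""
    return len(legend) == 26 and set(legend) == set(ALPHABET)


def build_key(legend: str) -> dict:
    """Turn the legend into the lookup table (plain letter -> cipher letter)."""
    if not is_valid_legend(legend):
        raise ValueError("legend must be a permutation of A-Z")
    return dict(zip(ALPHABET, legend))


def encrypt(plain_text: str, legend: str) -> str:
    """Replace each letter with its legend entry; spaces and punctuation
    pass through unchanged, so the cipher text keeps the word shape."""
    key = build_key(legend)
    return "".join(key.get(ch, ch) for ch in plain_text.upper())


def decrypt(cipher_text: str, legend: str) -> str:
    """Apply the legend in reverse (cipher letter -> plain letter)."""
    inverse = {cipher: plain for plain, cipher in build_key(legend).items()}
    return "".join(inverse.get(ch, ch) for ch in cipher_text.upper())


if __name__ == "__main__":
    message = "MEET AT NOON"           # constructed sample message
    scrambled = encrypt(message, LEGEND)
    print(scrambled)                   # a jumble to anyone without the legend
    print(decrypt(scrambled, LEGEND))  # the "plain text" again
```

Notice that repeated letters in the plain text (EE, OO) stay repeated in the cipher text; that leak of structure is one reason a substitution cipher is "obviously not very secure".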

HTTP / HyperText Transfer Protocol

This is the language of web browsers and web servers. In short, it’s the reason you can tag your friends on Facebook and check your bank balance in seconds. However, HTTP was popularized back in the 90s, when the internet was more of a novelty than the critical infrastructure it has become today. HTTP has enabled some very cool and inventive things, but it falls short when it comes to security.

By default, HTTP sends all messages in the clear (not encrypted, which we covered above). This means a clever hacker can listen to your message and read the information as it travels from your computer to the server.

HTTP is also a bit naive because it trusts that any message it receives is from whom it claims to be, without demanding any proof. This is another dangerous vulnerability that hackers can exploit by pretending to be a site that they are not. Under the right circumstances, a malicious actor could trick your browser into thinking that www.my-bank-site.com should actually go to www.give-me-all-your-money.com. If they made a very convincing site, you may be caught off guard and enter your credentials into the “fake” site. Once the hacker has your credentials, he may log in to your actual account and steal your actual money.

This may be the point where you say, “I don’t bank online, so what do I care if they steal my password for netflix.com?” The potential danger arises if you use the same password for several accounts / sites, as many people do. Once the attacker has a set of credentials, they will attempt to log in to a huge list of predefined sites with an automated tool. If they are successful on a more lucrative target which shares that same password, you may still have a problem.

Note: Now that every place you go wants you to log in, it is very hard not to reuse passwords. I personally use a password vault called LastPass, which I highly recommend.

SSL / TLS – Secure Sockets Layer / Transport Layer Security

(TLS is essentially just the new and improved version of SSL)

This is the magic fairy dust that can make an HTTP connection secure. It’s all about, you guessed it…encryption. There is certainly more complexity involved, so if you are curious, click the Wikipedia link in the section header to learn about symmetric vs. asymmetric cryptography, public vs. private keys, and digital certificates.

HTTPS – Hypertext Transfer Protocol Secure or HTTP over SSL/TLS

HTTPS provides the internet you know and love with the added benefits of privacy and integrity. It’s still possible for someone to “listen” in on your conversation; however, since the data is encrypted, only the true recipient can decrypt the message with the key.

It’s also still possible for a hacker to impersonate a popular site. However, all modern web browsers validate HTTPS sites using their digital certificate. If you run across a message like this, steer clear; something fishy is going on.

All that to say…enjoy these two newly secured websites.