Proton

Privacy Decrypted #5: How HTTPS keeps you safe (but not private)

HTTPS is the backbone that keeps everyone safe and secure on the internet. However, it does little to prevent you from being tracked online.

When you surf the web, you connect to websites using the Hypertext Transfer Protocol (HTTP), first developed by Sir Tim Berners-Lee (who is now a member(new window) of Proton’s advisory board).

Hypertext Transfer Protocol Secure (HTTPS) is the secure version of HTTP, using the TLS encryption protocol(new window) to secure web connections. It is the cornerstone of all security on the internet, making possible much of what we take for granted being able to do on the internet.

This includes securing all financial transactions, such as making online purchases and managing your bank account online.

It wasn’t long ago that most of the internet was terrifyingly insecure, with most websites using simple HTTP. However, thanks in large part to the not-for-profit Let’s Encrypt(new window) project, which started in 2015 and has now issued free HTTPS certificates to over 265 million websites(new window), use of HTTPS websites is now almost ubiquitous.

HTTPS is most often associated with ensuring that browser connections to websites are secure, and, for simplicity, in this article we shall discuss it in this context. However, HTTPS is also used by mobile apps to secure the connection to their backend servers.

What does HTTPS secure?

HTTPS secures the connection between your browser and a website. If you visit a website using regular (non-secure) HTTP then your ISP can see everything you do on that website — which individual pages you visit and any data you input (such as your credit card details when making a payment).

Because all data transferred between the website and your browser is unencrypted, it can be intercepted and read by criminal hackers, government agencies, or anyone who cares to look. 

If a website uses HTTPS, all of this information is hidden from your ISP. All it can see is that you have visited the website — not what you do on it. And because the connection between your browser and the web server is encrypted, your data is secure against third parties. Thanks to the widespread uptake of HTTPS (see below), it is now usually safe to use public WiFi hotspots without the need for a VPN. 

The website owner, of course, can see what you do on their own website, and (unless you take steps to prevent it, such as using a VPN(new window) to hide your real IP address), will know who you are.

What HTTPS does not hide from outside observers is that you have visited a website (or used an app), when you visited it, how often you visited it, or how long you stayed on that website. In other words, it does not prevent the collection of metadata. 

This is important from a privacy perspective, as it does not take a genius to guess the political affiliation of someone who regularly visits gop.com(new window), the sexual orientation of someone who uses the Grindr app, or that someone who visits maternity websites is likely to be pregnant. This is true regardless of the fact that whoever is watching doesn’t know what the visitor does once on those platforms.

So it can be said that HTTPS keeps you secure online, but it does little to protect your privacy (again, this is something a VPN can help with). 

Learn more about the difference between anonymity, security, and privacy(new window)

How to tell if a website uses HTTPS

All browsers implement a security measure that allows you to check, at a glance, if the website you are visiting secures the connection using HTTPS. Simply look for the closed lock icon in the URL bar. For example:

Chrome desktop showing that a wesite is protected with HTTPS(new window)
Chrome browser on the desktop showing that a website is secured using HTTPS
Firefox for Android showing that a wesite is protected with HTTPS(new window)
Firefox browser for Android showing that a website is secured using HTTPS

Browsers will also clearly show when a website is not secured by HTTPS. For example:

Chrome desktop showing that a website is not protected with HTTPS(new window)
Chrome browser on the desktop showing that a website is not secured using HTTPS
Firefox for Android showing that a website is not protected with HTTPS(new window)
Firefox browser for Android showing that a website is not secured using HTTPS

How does HTTPS work?

HTTPS secures the connection between a web browser and a web server with TLS encryption. 

The actual encryption algorithms used are negotiated between the web server and the client (browser). Most browsers allow you to click or tap on the lock icon to learn more security details about the encryption algorithms used for the HTTPS connection.

Chrome browser for Android

HTTPS uses the X.509 Public Key Infrastructure (PKI) to negotiate a new connection. This is an asymmetric encryption system that uses public key cryptography to secure the key exchange. That is, the web server presents a public key, which is decrypted using a browser’s private key.

To ensure your browser is connecting to the server it thinks it’s connecting to (and thus preventing man-in-the-middle attacks), X.509 uses HTTPS certificates. These are small data files that digitally bind a website’s public cryptographic key to an organization’s identity.

HTTPS certificates are issued by a Certificate Authority (CA), an organization that has (at least in theory) verified that it can be trusted to only issue certificates to valid organizations. Whether a browser accepts the HTTPS certificates issued by a particular organization depends on the browser developers.

As of mid-2020, Mozilla Firefox accepted certificate issues by 52 Certificate Authorities, macOS (and therefore Safari) recognized 60 CAs, and Microsoft Windows (and therefore Edge Chromium) 101 CAs.

Learn more about TLS encryption(new window)

Is HTTPS secure?

Yes. HTTPS secures every one of the millions of financial transactions that occur every minute around the world. If HTTPS weren’t secure, there would be a global meltdown. 

This isn’t to say there are no issues with the standard. CAs can be (and have been(new window)) pressured by governments to issue HTTPS certificates to dubious websites, or can be hacked by criminals to issue fake certificates.

Research has also suggested that in a highly targeted attack, it might be possible to use HTTPS traffic analysis(new window) to uncover the individual web pages a target visits on HTTPS-secured websites. 

Since the encryption used is negotiated between the client and the browser, it’s also important that both of these are running up-to-date software. 

These are issues we may discuss in more detail in a future episode of Privacy Decrypted.  The bottom line, however, is that the world relies on HTTPS to keep us safe online, and it does a very good job at doing this.

It is worth bearing in mind, though, that security is not the same as privacy. If you wish to keep your metadata (which can reveal a huge amount about you) private then you should protect it using a VPN when you surf the web. 

Related articles

laptop showing Bitcoin price climbing
en
  • Privacy guides
Learn what a Bitcoin wallet does and the strengths and weaknesses of custodial, self-custodial, hardware, and paper wallets.
pixel tracking: here's how to tell which emails track your activity
en
Discover what pixel tracking is and how it works, how to spot emails that track you, and how to block these hidden trackers.
A cover image for a blog describing the next six months of Proton Pass development which shows a laptop screen with a Gantt chart
en
  • Product updates
  • Proton Pass
Take a look at the upcoming features and improvements coming to Proton Pass over the next several months.
The Danish mermaid and the Dutch parliament building behind a politician and an unlocked phone
en
We searched the dark web for Danish, Dutch, and Luxembourgish politicians’ official email addresses. In Denmark, over 40% had been exposed.
Infostealers: What they are, how they work, and how to protect yourself
en
Discover insights about what infostealers are, where your stolen information goes, and ways to protect yourself.
Mockup of the Proton Pass app and text that reads "Pass Lifetime: Pay once, access forever"
en
Learn more about our exclusive Pass + SimpleLogin Lifetime offer. Pay once and enjoy premium password manager features for life.