Proton

Privacy Decrypted #5: How HTTPS keeps you safe (but not private)

HTTPS is the backbone that keeps everyone safe and secure on the internet. However, it does little to prevent you from being tracked online.

When you surf the web, you connect to websites using the Hypertext Transfer Protocol (HTTP), first developed by Sir Tim Berners-Lee (who is now a member(new window) of Proton’s advisory board).

Hypertext Transfer Protocol Secure (HTTPS) is the secure version of HTTP, using the TLS encryption protocol(new window) to secure web connections. It is the cornerstone of all security on the internet, making possible much of what we take for granted being able to do on the internet.

This includes securing all financial transactions, such as making online purchases and managing your bank account online.

It wasn’t long ago that most of the internet was terrifyingly insecure, with most websites using simple HTTP. However, thanks in large part to the not-for-profit Let’s Encrypt(new window) project, which started in 2015 and has now issued free HTTPS certificates to over 265 million websites(new window), use of HTTPS websites is now almost ubiquitous.

HTTPS is most often associated with ensuring that browser connections to websites are secure, and, for simplicity, in this article we shall discuss it in this context. However, HTTPS is also used by mobile apps to secure the connection to their backend servers.

What does HTTPS secure?

HTTPS secures the connection between your browser and a website. If you visit a website using regular (non-secure) HTTP then your ISP can see everything you do on that website — which individual pages you visit and any data you input (such as your credit card details when making a payment).

Because all data transferred between the website and your browser is unencrypted, it can be intercepted and read by criminal hackers, government agencies, or anyone who cares to look. 

If a website uses HTTPS, all of this information is hidden from your ISP. All it can see is that you have visited the website — not what you do on it. And because the connection between your browser and the web server is encrypted, your data is secure against third parties. Thanks to the widespread uptake of HTTPS (see below), it is now usually safe to use public WiFi hotspots without the need for a VPN. 

The website owner, of course, can see what you do on their own website, and (unless you take steps to prevent it, such as using a VPN(new window) to hide your real IP address), will know who you are.

What HTTPS does not hide from outside observers is that you have visited a website (or used an app), when you visited it, how often you visited it, or how long you stayed on that website. In other words, it does not prevent the collection of metadata. 

This is important from a privacy perspective, as it does not take a genius to guess the political affiliation of someone who regularly visits gop.com(new window), the sexual orientation of someone who uses the Grindr app, or that someone who visits maternity websites is likely to be pregnant. This is true regardless of the fact that whoever is watching doesn’t know what the visitor does once on those platforms.

So it can be said that HTTPS keeps you secure online, but it does little to protect your privacy (again, this is something a VPN can help with). 

Learn more about the difference between anonymity, security, and privacy(new window)

How to tell if a website uses HTTPS

All browsers implement a security measure that allows you to check, at a glance, if the website you are visiting secures the connection using HTTPS. Simply look for the closed lock icon in the URL bar. For example:

Chrome desktop showing that a wesite is protected with HTTPS(new window)
Chrome browser on the desktop showing that a website is secured using HTTPS
Firefox for Android showing that a wesite is protected with HTTPS(new window)
Firefox browser for Android showing that a website is secured using HTTPS

Browsers will also clearly show when a website is not secured by HTTPS. For example:

Chrome desktop showing that a website is not protected with HTTPS(new window)
Chrome browser on the desktop showing that a website is not secured using HTTPS
Firefox for Android showing that a website is not protected with HTTPS(new window)
Firefox browser for Android showing that a website is not secured using HTTPS

How does HTTPS work?

HTTPS secures the connection between a web browser and a web server with TLS encryption. 

The actual encryption algorithms used are negotiated between the web server and the client (browser). Most browsers allow you to click or tap on the lock icon to learn more security details about the encryption algorithms used for the HTTPS connection.

Chrome browser for Android

HTTPS uses the X.509 Public Key Infrastructure (PKI) to negotiate a new connection. This is an asymmetric encryption system that uses public key cryptography to secure the key exchange. That is, the web server presents a public key, which is decrypted using a browser’s private key.

To ensure your browser is connecting to the server it thinks it’s connecting to (and thus preventing man-in-the-middle attacks), X.509 uses HTTPS certificates. These are small data files that digitally bind a website’s public cryptographic key to an organization’s identity.

HTTPS certificates are issued by a Certificate Authority (CA), an organization that has (at least in theory) verified that it can be trusted to only issue certificates to valid organizations. Whether a browser accepts the HTTPS certificates issued by a particular organization depends on the browser developers.

As of mid-2020, Mozilla Firefox accepted certificate issues by 52 Certificate Authorities, macOS (and therefore Safari) recognized 60 CAs, and Microsoft Windows (and therefore Edge Chromium) 101 CAs.

Learn more about TLS encryption(new window)

Is HTTPS secure?

Yes. HTTPS secures every one of the millions of financial transactions that occur every minute around the world. If HTTPS weren’t secure, there would be a global meltdown. 

This isn’t to say there are no issues with the standard. CAs can be (and have been(new window)) pressured by governments to issue HTTPS certificates to dubious websites, or can be hacked by criminals to issue fake certificates.

Research has also suggested that in a highly targeted attack, it might be possible to use HTTPS traffic analysis(new window) to uncover the individual web pages a target visits on HTTPS-secured websites. 

Since the encryption used is negotiated between the client and the browser, it’s also important that both of these are running up-to-date software. 

These are issues we may discuss in more detail in a future episode of Privacy Decrypted.  The bottom line, however, is that the world relies on HTTPS to keep us safe online, and it does a very good job at doing this.

It is worth bearing in mind, though, that security is not the same as privacy. If you wish to keep your metadata (which can reveal a huge amount about you) private then you should protect it using a VPN when you surf the web. 

Protégez votre vie privée avec Proton
Créer un compte gratuit

Articles similaires

en
People and companies are generally subject to the laws of the country and city where they are located, and those laws can change when they move to a new place. However, the situation becomes more complicated when considering data, which can be subjec
Vos données en ligne ne sont plus seulement utilisées pour des publicités, mais aussi pour entraîner l’IA. Google utilise des informations disponibles publiquement pour entraîner ses modèles d’IA, ce qui suscite des inquiétudes quant à savoir si l’IA
iPhone stocke les mots de passe dans iCloud Keychain, le gestionnaire de mots de passe intégré d’Apple. C’est pratique mais comporte quelques inconvénients. Un problème majeur est qu’il ne fonctionne pas bien avec d’autres plateformes, ce qui rend di
Il existe de nombreuses raisons pour lesquelles vous pouvez avoir besoin de partager des mots de passe, des informations bancaires et d’autres informations hautement sensibles. Mais nous avons constaté que de nombreuses personnes le font via des appl
Les grands modèles linguistiques (LLM) entraînés sur des ensembles de données publics peuvent servir à un large éventail de purposes, de la rédaction de billets de blog à la programmation. Cependant, leur véritable potentiel réside dans la contextual
is Google Docs secure
Vos données en ligne sont extrêmement précieuses, en particulier pour des entreprises comme Google qui les utilisent pour gagner de l’argent par le biais de publicités. Cela, ainsi que les nombreuses violations de la vie privée par Google, a conduit