Proton

HTTPS is the backbone that keeps everyone safe and secure on the internet. However, it does little to prevent you from being tracked online.

When you surf the web, you connect to websites using the Hypertext Transfer Protocol (HTTP), first developed by Sir Tim Berners-Lee (who is now a member of Proton’s advisory board).

Hypertext Transfer Protocol Secure (HTTPS) is the secure version of HTTP, using the TLS encryption protocol to secure web connections. It is the cornerstone of all security on the internet, making possible much of what we take for granted being able to do on the internet.

This includes securing all financial transactions, such as making online purchases and managing your bank account online.

It wasn’t long ago that most of the internet was terrifyingly insecure, with most websites using simple HTTP. However, thanks in large part to the not-for-profit Let’s Encrypt(nuova finestra) project, which started in 2015 and has now issued free HTTPS certificates to over 265 million websites(nuova finestra), use of HTTPS websites is now almost ubiquitous.

HTTPS is most often associated with ensuring that browser connections to websites are secure, and, for simplicity, in this article we shall discuss it in this context. However, HTTPS is also used by mobile apps to secure the connection to their backend servers.

What does HTTPS secure?

HTTPS secures the connection between your browser and a website. If you visit a website using regular (non-secure) HTTP then your ISP can see everything you do on that website — which individual pages you visit and any data you input (such as your credit card details when making a payment).

Because all data transferred between the website and your browser is unencrypted, it can be intercepted and read by criminal hackers, government agencies, or anyone who cares to look. 

If a website uses HTTPS, all of this information is hidden from your ISP. All it can see is that you have visited the website — not what you do on it. And because the connection between your browser and the web server is encrypted, your data is secure against third parties. Thanks to the widespread uptake of HTTPS (see below), it is now usually safe to use public WiFi hotspots without the need for a VPN. 

The website owner, of course, can see what you do on their own website, and (unless you take steps to prevent it, such as using a VPN(nuova finestra) to hide your real IP address), will know who you are.

What HTTPS does not hide from outside observers is that you have visited a website (or used an app), when you visited it, how often you visited it, or how long you stayed on that website. In other words, it does not prevent the collection of metadata. 

This is important from a privacy perspective, as it does not take a genius to guess the political affiliation of someone who regularly visits gop.com(nuova finestra), the sexual orientation of someone who uses the Grindr app, or that someone who visits maternity websites is likely to be pregnant. This is true regardless of the fact that whoever is watching doesn’t know what the visitor does once on those platforms.

So it can be said that HTTPS keeps you secure online, but it does little to protect your privacy (again, this is something a VPN can help with). 

Learn more about the difference between anonymity, security, and privacy

How to tell if a website uses HTTPS

All browsers implement a security measure that allows you to check, at a glance, if the website you are visiting secures the connection using HTTPS. Simply look for the closed lock icon in the URL bar. For example:

Chrome desktop showing that a wesite is protected with HTTPS(nuova finestra)
Chrome browser on the desktop showing that a website is secured using HTTPS
Firefox for Android showing that a wesite is protected with HTTPS(nuova finestra)
Firefox browser for Android showing that a website is secured using HTTPS

Browsers will also clearly show when a website is not secured by HTTPS. For example:

Chrome desktop showing that a website is not protected with HTTPS(nuova finestra)
Chrome browser on the desktop showing that a website is not secured using HTTPS
Firefox for Android showing that a website is not protected with HTTPS(nuova finestra)
Firefox browser for Android showing that a website is not secured using HTTPS

How does HTTPS work?

HTTPS secures the connection between a web browser and a web server with TLS encryption. 

The actual encryption algorithms used are negotiated between the web server and the client (browser). Most browsers allow you to click or tap on the lock icon to learn more security details about the encryption algorithms used for the HTTPS connection.

Chrome browser for Android

HTTPS uses the X.509 Public Key Infrastructure (PKI) to negotiate a new connection. This is an asymmetric encryption system that uses public key cryptography to secure the key exchange. That is, the web server presents a public key, which is decrypted using a browser’s private key.

To ensure your browser is connecting to the server it thinks it’s connecting to (and thus preventing man-in-the-middle attacks), X.509 uses HTTPS certificates. These are small data files that digitally bind a website’s public cryptographic key to an organization’s identity.

HTTPS certificates are issued by a Certificate Authority (CA), an organization that has (at least in theory) verified that it can be trusted to only issue certificates to valid organizations. Whether a browser accepts the HTTPS certificates issued by a particular organization depends on the browser developers.

As of mid-2020, Mozilla Firefox accepted certificate issues by 52 Certificate Authorities, macOS (and therefore Safari) recognized 60 CAs, and Microsoft Windows (and therefore Edge Chromium) 101 CAs.

Learn more about TLS encryption

Is HTTPS secure?

Yes. HTTPS secures every one of the millions of financial transactions that occur every minute around the world. If HTTPS weren’t secure, there would be a global meltdown. 

This isn’t to say there are no issues with the standard. CAs can be (and have been(nuova finestra)) pressured by governments to issue HTTPS certificates to dubious websites, or can be hacked by criminals to issue fake certificates.

Research has also suggested that in a highly targeted attack, it might be possible to use HTTPS traffic analysis(nuova finestra) to uncover the individual web pages a target visits on HTTPS-secured websites. 

Since the encryption used is negotiated between the client and the browser, it’s also important that both of these are running up-to-date software. 

These are issues we may discuss in more detail in a future episode of Privacy Decrypted.  The bottom line, however, is that the world relies on HTTPS to keep us safe online, and it does a very good job at doing this.

It is worth bearing in mind, though, that security is not the same as privacy. If you wish to keep your metadata (which can reveal a huge amount about you) private then you should protect it using a VPN when you surf the web. 

Articoli correlati

Investigative journalist Vegas Tenold explains the gear he uses to protect his privacy and stay safe.
en
  • News sulla privacy
Follow investigative journalist Vegas Tenold as he explains his gear and how it keeps him safe from surveillance as he works in the field.
Coinbase, the largest Bitcoin exchange in the US, suffered a data breach
en
  • News sulla privacy
  • Proton Wallet
Coinbase employees sold sensitive personal information to attackers, including government IDs and BTC transaction history. Proton Wallet is built to avoid these risks.
Whistleblower's whistle. Journalists must use secure channels to communicate with whistleblowers.
en
Whistleblowers risk everything to expose the truth. This guide helps journalists keep their sources safe using secure tools like Proton Mail, Signal, and SecureDrop.
An image showing a phone screen with a child icon and three icons with '17+' '8-12' and '3-5' to indicate age ratings
en
  • Guide sulla privacy
Parents can help their children develop healthy screen habits by learning about dark design patterns — Proton investigates how
en
Read what age experts say you should let your child use different platforms and how you can help set them up for success.
Roblox has been accused for years of exposing kids to inappropriate content and bad actors. We describe its safety features
en
  • Guide sulla privacy
Roblox has suffered scandals over inappropriate content. We share what you need to know and what you can do to use it more safely.