I wanted to run down a quick analysis on our recent obsession with that green padlock that gives us the warm and fuzzies all over. What exactly is it; what exactly does it mean; what exactly does it do?
When you see https (Hypertext Transfer Protocol Secure) alongside a solid padlock with no error messages in the URL bar, it means that the page, its contents, and external resources (if any) are all properly being served encrypted over SSL (Secure Sockets Layer), which requires a specially purchased and installed SSL certificate.
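As an added example (not the author's code), here is a small Python scanner for the "external resources" half of that condition: it walks a page's HTML and flags any sub-resource that would still load over plain http, which is what breaks the padlock even when the page itself is served over https. The page URL and asset hostnames are constructed sample values.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Attributes that make the browser fetch a sub-resource. On an https page,
# any of these resolving to plain http:// is "mixed content" and costs the padlock.
RESOURCE_ATTRS = {
    "script": ("src",), "img": ("src", "srcset"), "iframe": ("src",),
    "audio": ("src",), "video": ("src", "poster"), "source": ("src", "srcset"),
    "object": ("data",), "embed": ("src",),
}
# <link> fetches only for these rel values; canonical/alternate are metadata
LOADING_LINK_RELS = {"stylesheet", "icon", "preload", "prefetch", "modulepreload"}

class MixedContentScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.insecure = []  # (tag, attribute, absolute URL)

    def handle_starttag(self, tag, attrs):
        attrs = {k: v for k, v in attrs if v is not None}
        if tag == "link":
            rels = set(attrs.get("rel", "").lower().split())
            names = ("href",) if rels & LOADING_LINK_RELS else ()
        else:
            names = RESOURCE_ATTRS.get(tag, ())
        for name in names:
            value = attrs.get(name, "")
            # srcset is "url descriptor, url descriptor"; check each URL in it
            parts = value.split(",") if name == "srcset" else [value]
            for url in [p.split()[0] for p in parts if p.split()]:
                absolute = urljoin(self.page_url, url)
                # Relative and "//host/x" URLs inherit the page's https scheme.
                if urlparse(absolute).scheme == "http":
                    self.insecure.append((tag, name, absolute))

def find_mixed_content(page_url, html):
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    return scanner.insecure

# Constructed sample: an https page that references two http assets.
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="/css/site.css">
<link rel="canonical" href="http://blog.example.test/post/1">
<script src="http://cdn.example.test/widget.js"></script>
</head><body>
<img src="//static.example.test/logo.png">
<img src="http://static.example.test/banner.png" srcset="/img/b2x.png 2x">
</body></html>"""
```

Running `find_mixed_content("https://blog.example.test/post/1", SAMPLE_PAGE)` returns the script and the banner image; the stylesheet, the protocol-relative logo and the canonical link are left alone.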
In layman’s terms, what exactly is it doing? When you enter your credit card number or password on a website, it’s helping to keep that data safe and hidden from snoops sitting between you and the intended recipient. Did you ever pass notes in class? Maybe you and your friend came up with your own secret language so that the people passing the note along in the middle weren’t able to read it, and neither could the teacher if she snatched it up. That’s the gist of it.
To further simplify the purpose of running pages over https, here’s a real-world example (the most practical example I can think of actually): you go to your local Starbucks, McDonald’s, whatever, and because you’re a naturally-trusting person, you hop on their free WiFi (which stands for nothing by the way) none the wiser to log into and browse your favorite websites.
In that same Starbucks or McDonald’s could be a malicious person “listening” or “spying” on wireless internet traffic (essentially the equivalent of the pre-internet bad guy who would drive around stealing people’s mail). Even worse, that bad guy doesn’t necessarily need to snatch your private info out of the air. He might just set up his very own WiFi hotspot, most likely naming it the same as the store you’re in and either not password-protecting it at all or giving it the same password as the establishment, making it nice and easy for you to connect and feed him your data directly.
Now, all he has to do is quietly sit there for a few hours, minding his own business, drinking coffee, and collecting all the info he can from unsuspecting comers and goers. All it takes is for you to log into a website through one unencrypted page and he’s likely just captured your plaintext password. Since most people use the same password on multiple sites, he can now begin wreaking havoc on your accounts or quietly stealing your sensitive info, or even your identity.
How does encryption help prevent this? Well, it doesn’t prevent someone from snooping and capturing your data. The only difference is now the collected data is encrypted, making it hopefully near-impossible to decrypt, ultimately making the data useless.
Outside of protecting against such man-in-the-middle attacks, I can’t think of much else it protects against, certainly not as much as some might believe it does. It might be more meaningful to say that:
The “S” in https Stands for Superficial
SSL does not protect against hacking; SSL does not protect against bugs or broken code; SSL, contrary to popular belief, does not mean you can trust sites that use it any more than those that do not. In fact, there is no reason to think that the bad guys wouldn’t or couldn’t use SSL like any other website.
However, there are Extended Validation certificates, though not used by most websites, that can help with that latter issue a bit more, as they involve a more rigorous identity verification process. Although by no means would I say that a scammer couldn’t pass an EV, I would say it would be very unlikely to see it happen. After all, it’s important to remember that any security measure is nothing more than a deterrent. Nothing is 100% safe. Here’s an example of a site using EV. You can be pretty confident that sites using EV are legit.
So, what’s the https craze really about? Mostly, it’s the psychological (but completely superficial) benefits. When your users, customers, readers, whatever, see that padlock, they’ve been conditioned to instill more confidence in your company overall. They’re more likely to register with you or make a purchase.
Additional factors include, but are not limited to, the fact that it’s been confirmed to improve SEO, that it’s now much easier to install SSL, that SSL certificates are much more affordable, that internet speeds are much faster (pages over https run a bit slower), and, bottom line, that it’s a trend. Part of that trend is to encrypt the entire site by default, instead of, as in the past, only encrypting the specific pages that needed it, like login pages and store checkout pages.
I just recently moved this very blog over to https://bryanhadaway.com/, and while it’s clear from the above analysis that I’m fully aware of the lack of substance the change really makes, all the same, I like it. It gives me that irrational warm and fuzzy feeling.