HTTP vs. HTTPS: One little letter can make a lot of difference
If you’ve never paid attention to the browser URL while surfing the Internet, today is the day to start. At the start of each website URL, you’ll usually see either HTTP or HTTPS. One shows the site you are on is secure (HTTPS), and the other does not (HTTP).
What is HTTP?
Hypertext Transfer Protocol (HTTP) is the way servers and browsers talk to each other. It’s a great language for computers, but it’s not encrypted. Think of it this way. If everyone in the world spoke English, everyone would understand each other. Every browser and server in the world speaks HTTP, so if an attacker managed to hack in, he could read everything going on in the browser, including that Facebook username and password you just typed in.
Hypertext Transfer Protocol Secure (HTTPS) is another language, except this one is encrypted using Secure Sockets Layer (SSL). Imagine if everyone in the world spoke English except two people who spoke Russian. If you happened to overhear them speaking in Russian, you wouldn’t understand them. It’s the same with HTTPS. If browsers use HTTPS to pass information, even if attackers manage to capture the data, they can’t read the information.
Does that mean HTTP websites are insecure?
The answer is, it depends. If you are just browsing the web, looking at cat memes and dreaming about that $200 cable knit sweater, HTTP is fine. However, if you’re logging into your bank or entering credit card information in a payment page, it’s imperative that the URL is HTTPS. Otherwise, your sensitive data is at risk.
So it doesn’t really matter if the homepage of your favorite sweater website says HTTPS if their payment page doesn’t.
HTTPS isn’t 100% foolproof, as the Heartbleed vulnerability proved a few years ago. The Heartbleed vulnerability wasn’t necessarily a weakness in SSL; it was a weakness in the software library that provides cryptographic services (like SSL) to applications. Still, it is estimated that half a million secure web servers were affected. Luckily, most websites have since corrected that bug.
How can I make sure online information stays secure?
- As a business: Work with a third-party vendor to get an SSL certificate on your login and payment pages.
- As a consumer: Don’t enter your sensitive information on pages that don’t have HTTPS.
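Both pieces of advice come down to where a login or payment form actually sends its data, not what the homepage URL says. The Python check below is an added example, not part of the original article: it parses a page's HTML and lists every form that asks for a password or card details but would be submitted without HTTPS. The field-name hints, the function and class names, and the shop.example sample page are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Heuristic markers of login/payment fields (assumed list, extend as needed).
SENSITIVE_HINTS = ("passw", "card", "cc-", "cvv", "cvc")

class FormAuditor(HTMLParser):
    """Records each <form>: resolved submit URL and whether it asks for secrets."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.forms, self._form = page_url, [], None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            # A missing or relative action resolves against the page's own URL.
            self._form = {"target": urljoin(self.page_url, a.get("action", "")),
                          "sensitive": False}
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None:
            label = " ".join(a.get(k, "") for k in ("name", "id", "autocomplete")).lower()
            if a.get("type", "").lower() == "password" or any(h in label for h in SENSITIVE_HINTS):
                self._form["sensitive"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None

def insecure_sensitive_forms(page_url, html):
    """Return submit URLs of login/payment forms that would not be sent over HTTPS."""
    auditor = FormAuditor(page_url)
    auditor.feed(html)
    auditor.close()
    return [f["target"] for f in auditor.forms
            if f["sensitive"] and urlparse(f["target"]).scheme != "https"]

# Constructed sample page: the card form posts to plain HTTP, the login form is relative.
SAMPLE = """
<form action="/search"><input type="text" name="q"></form>
<form action="http://shop.example/pay" method="post">
  <input type="text" name="card_number" autocomplete="cc-number">
  <input type="text" name="cvv">
</form>
<form action="/login" method="post"><input type="password" name="pw"></form>
"""

if __name__ == "__main__":
    # Served over HTTPS, only the card form leaks; served over HTTP, both do.
    print(insecure_sensitive_forms("https://shop.example/checkout", SAMPLE))
    print(insecure_sensitive_forms("http://shop.example/checkout", SAMPLE))
```

A relative form action inherits the scheme of the page it sits on, which is why the same login form passes on the HTTPS page and fails on the HTTP one.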