The picture shows what happens when you want to read a new Sunday comic strip or connect to your online banking or any other web service.
The first thing your computer or mine will do is go to a “Yellow pages” service (domain name server – DNS) to find out the address of the website you want. This service will take a website name, let’s say enigmabridge.com, and return its address, e.g., 188.8.131.52.
The computer will then use the address to connect to the server so you can get on with your life.
The problem is that the internet founders didn’t expect there would be people trying to build fake “yellow pages” services to direct users to malicious web sites to:
- collect your passwords;
- harvest your credit card numbers;
- read your emails; and
- generally cause frustration, annoyance and embarrassment.
Initially, one needed technical (hacking) skills to attack the “yellow pages” servers, but there are now automated tools that do the hard work. We do not want this to happen.
There are several ways to protect users and one of them is HTTPS.
You can see that HTTPS makes everything much more complicated – that is the first thing. Things in the upper half of the image happen out-of-band and are invisible to us as users.
HTTPS will not prevent your computer from being directed to the fake website – you can see in the picture that you will talk to the wrong server. That is the important issue.
The most fragile part of HTTPS is the fact that we, as users of the internet, have to check whether we are connecting to a genuine website or not. This has been a pain for many years, but web browsers have become much better and some will not even let you open a website with an incorrect “Identity certificate”. However, they will let you connect to servers without HTTPS – servers that speak only the basic HTTP language.
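A small model of the picture's three steps (lookup, connect, identity check), added here as an illustration and not taken from the original article. The host name, addresses and certificates are constructed, and the simple issuer comparison stands in for the full certificate-chain validation a real browser performs.

```python
# Constructed model: every name, address and certificate here is made up.
TRUSTED_ISSUERS = {"Example Trusted CA"}  # stands in for the browser's CA store

# Certificate each server presents, keyed by IP (simplified ssl.getpeercert() shape).
SERVERS = {
    "192.0.2.10": {"issuer": "Example Trusted CA",
                   "subjectAltName": (("DNS", "shop.example"), ("DNS", "*.shop.example"))},
    "203.0.113.66": {"issuer": "Self-signed",          # right name, untrusted issuer
                     "subjectAltName": (("DNS", "shop.example"),)},
    "203.0.113.67": {"issuer": "Example Trusted CA",   # trusted issuer, wrong name
                     "subjectAltName": (("DNS", "other.example"),)},
}
HONEST_DNS = {"shop.example": "192.0.2.10"}
FAKE_DNS_A = {"shop.example": "203.0.113.66"}
FAKE_DNS_B = {"shop.example": "203.0.113.67"}


def name_matches(hostname, pattern):
    """Compare a host name with one certificate name; '*' covers one leftmost label."""
    host = hostname.lower().rstrip(".").split(".")
    pat = pattern.lower().rstrip(".").split(".")
    if len(host) != len(pat):
        return False
    if pat[0] == "*":
        return len(pat) > 2 and host[1:] == pat[1:]
    return host == pat


def identity_ok(hostname, cert):
    """The 'Identity certificate' check: trusted issuer AND a name that matches."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    return cert.get("issuer") in TRUSTED_ISSUERS and any(
        name_matches(hostname, n) for n in names)


def fetch(url, dns):
    scheme, _, rest = url.partition("://")
    host = rest.split("/")[0]
    ip = dns[host]                  # step 1: the "yellow pages" lookup
    cert = SERVERS[ip]              # step 2: connect to whatever address came back
    if scheme == "https" and not identity_ok(host, cert):
        return ("blocked", ip)      # step 3: HTTPS refuses the impostor
    return ("connected", ip)        # plain HTTP never asks who answered


if __name__ == "__main__":
    for label, dns in (("honest", HONEST_DNS), ("fake A", FAKE_DNS_A), ("fake B", FAKE_DNS_B)):
        for scheme in ("http", "https"):
            print(label, scheme, fetch(f"{scheme}://shop.example/", dns))
```

With either fake lookup the HTTPS request is blocked, while the plain HTTP request reports a normal connection to the wrong address.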
So is HTTPS really a silver-bullet solution? There is no such thing, but it is worth the effort once we have put more than a couple of hours into the content and setup of the web site.
User point of view
If you are aware of the green padlock or green bar in your browser, then it makes the internet much more secure for you. Any attacks on the “yellow pages” service, or other attacks luring us users into visiting suspicious web sites, are much more difficult.
Another advantage of HTTPS is that it protects the data we send to / from a web site so that no-one can read it if we’re connected through an insecure connection (WiFi in a cafe, friends’ guest network, work network, and so on). It is still possible for bad guys to find out which web site you’re visiting though!
Web site owner point of view
HTTPS will help your web site stand out from the crowd – definitely if you run a small or medium-sized service.
Setting up HTTPS is pretty technical, although some hosting companies offer packages where they help you set it up. We still have to do some additional tasks to get it right.
Enigmabridge.com has developed a new cloudHSM-based service that makes setup of a new HTTPS server possibly a one-click exercise, taking care of all configuration complexities.
Once you become serious about your on-line activity and start thinking about quality of service, recovery from technical incidents and compromises, things are much more complicated.
HTTPS depends on the security of digital keys and their security is a completely different topic.