Security photo
SHARE
Internet

Code

HTTPS makes a difference in who can see data about your web surfing.

It has probably been a while since you typed “http” in front of a URL to cruise around the web, but those simple letters are still crucial to your experience on the internet.

That familiar abbreviation stands for Hypertext Transfer Protocol, and it’s the system that helps bring all that sweet content from the web down in front of your eyeballs. It’s the protocol that enables us to interact with the World Wide Web. Unfortunately, it can also provide an opportunity for bad people to inject all kinds of shenanigans into the browsing process, from secretly sending bad software to your machine to tricking you into looking at a site that’s not what it claims, like imitating your bank’s website, for example, and getting you to enter your username and password

So why do you see the “S” at the end of it sometimes? HTTPS is a secure version of the HTTP protocol. It has become the standard on the web, and now companies like Google are giving it a push for total internet saturation. Late last week, Google announced that its Chrome browser will label any site using HTTP as “not secure” in an effort to push consumers and site creators toward a safer internet experience.

Google HTTPS

Google HTTPS Chrome

Google will go beyond denying HTTP sites the green lock icon and explicitly label them “not secure” starting in July.

What do HTTP and HTTPS actually do?

Hypertext Transfer Protocol is the way in which your web browser (like Chrome or Safari, which are both applications) sends a request for content to a web server. It’s how an app like Chrome can request specific content for a web page like the one you’re reading right now. HTTPS is a secure version of the protocol that encrypts data flowing to and from your web browser. “HTTP is data transfer on the web,” says Emily Schechter, product manager for chrome security team. “It’s what’s going back and forth over the lines.”

How is HTTPS more secure?

The primary benefit of HTTPS comes from encryption. Observers can’t see the content of the information as it moves between the application and the web server. So, it’s a basic layer of privacy between your data and the outside world.

This also ensures that the information isn’t modified or corrupted in transit without detection. So, if an internet service provider tries to sneak some malicious code in with the content you requested, the browser will notice. Finally, it stops what are typically called “man-in-the-middle” attacks, in which a third party sneaks in between the browser and the server and replaces the data with other, typically harmful data.

By encrypting the data transferred between your machine and the web server, HTTPS makes sure that the site you’re viewing adds a basic layer of security.

Even if you’re not sending sensitive data like personal info and passwords to a HTTP site, it’s still possible for outside observers to look at aggregate browsing data of the users and “deanonymize” their identities by analyzing behavior patterns.

How does a site get the HTTPS designation?

“Unfortunately, it’s not trivial,” says Schechter, “which is why it hasn’t happened automatically. Google has a site with specific instructions about how to switch to HTTPS by obtaining a security certificate.

If you’re an individual or a business and you have a site through one of the big site providers like Squarespace or Wix, they will handle most of the process for you. Even old sites on those services can typically switch a simple setting in order to enable the secure version.

What should you do if you find a site that isn’t HTTPS?

Schechter suggests you don’t send sensitive data over the connection in case someone is snooping on it. Google says between 70 and 82 percent of the sites Chromes users interact with on computers use HTTPS. That number is around 70 percent for mobile users.

Other browsers are taking a similarly hard stance against sites that might expose user data. Firefox indicates that a site isn’t secure when it requires users to submit passwords.

So, while you don’t have to type the HTTPS anymore in your browser, that extra “s” will play an important part of your life on the web going forward.