With all the cybersecurity reports in the news lately, improving our awareness and knowledge of online security is moving higher up the task list. Unfortunately, by using obscure acronyms and fancy words, cybersecurity experts do not make it easy for ordinary people to understand online security. Hence I thought that a series of posts explaining online security concepts could be beneficial not only for ordinary people but also for some IT professionals.
In this post, I would like to explain the basics of secure communication on the Web and the terminology around it, and give you some guidance on why you should communicate securely on the Internet.
Let’s start with the acronyms and some terminology:
- A protocol is a procedure or sequence of steps used to communicate over the Internet (or in general). For example, when you introduce yourself in a business meeting in Western countries, the "protocol" is to 1.) say your name, 2.) shake hands and, optionally, 3.) hand over your business card.
- HTTP stands for HyperText Transfer Protocol and is the main protocol used for the exchange of information on the Web. Note that the Web is not the Internet! Although more and more of the communication on the Internet goes over HTTP, there are other applications on the Internet (email, for example) that do not use HTTP as their protocol for communication. Data sent over HTTP is not protected in any way: everybody who can sniff (listen in on) your traffic can read what you are exchanging with the server, and can also change it on the way. It is like chatting on the street with your friend: everyone passing by can hear and understand what you are talking about.
- HTTPS stands for HTTP Secure (you will also see it called HTTP over SSL or, more accurately today, HTTP over TLS) and is, as the name implies, the secure version of HTTP. Data sent over HTTPS is encrypted, so only the sender (your browser) and the receiver (the server) can understand it, and your browser also checks, using the server's certificate, that it is really talking to the site whose name you typed. It is like chatting on the street with your friend in a language that the two of you have invented and only you two can understand. Keep in mind that everybody else can still hear you: a bystander still sees that you are talking, with whom, and for how long. If you don't want everybody else to understand what you are talking about, you use this language.
- SSL stands for Secure Sockets Layer and it is used to secure the communication for many different protocols on the Internet (not only HTTP, which is used for browsing). Using the street chat analogy, imagine that instead of just you and your friend, you have two more friends with you. You (HTTP) whisper a message to one of your friends in plain English so that only she can hear it. She (SSL) then uses a special language that she and the second of your friends have invented (and only the two of them can understand! Note that even you don't understand the language they are speaking) and passes your message to that second friend of yours (SSL again). The second friend then translates the message from the special language into plain English and whispers it to your third friend (HTTP) so quietly that only he can hear. Here is a visual of that process:
- TLS stands for Transport Layer Security and it is the successor of SSL: the newer, better, more secure, more advanced (and many more superlatives you will hear) version. All versions of SSL are obsolete and have been disabled in modern browsers and servers, so what people call "SSL" today (as in "SSL certificate") is almost always TLS; the versions in current use are TLS 1.2 and TLS 1.3.
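To make the "everybody else can still hear you" point concrete, here is an added example (not part of the original post) that compares what a passive observer on the network learns from a plain HTTP request with what they learn from the first message of an HTTPS connection. Both "packets" are constructed samples, not real captures, and the hostname shop.example is made up. In the standard TLS handshake the hostname is sent unencrypted in the Server Name Indication (SNI) extension of the ClientHello, so the observer still learns which site you are visiting, but nothing about the page, your cookies or the data you send.

```python
"""Compare what a passive observer on the network learns from an HTTP request
versus an HTTPS connection. Both "packets" below are constructed samples, not
real captures."""
import struct
from typing import Optional

# --- Constructed plaintext HTTP request, exactly as it travels on the wire ---
HTTP_REQUEST = (
    b"GET /account/settings HTTP/1.1\r\n"
    b"Host: shop.example\r\n"
    b"Cookie: session=3f9a1c7e2b\r\n"
    b"User-Agent: ExampleBrowser/1.0\r\n"
    b"\r\n"
)


def what_http_reveals(request: bytes) -> dict:
    """Parse the request the way any sniffer can: every field is readable."""
    head, _, _body = request.partition(b"\r\n\r\n")
    lines = head.decode("ascii").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = dict(line.split(": ", 1) for line in lines[1:])
    return {
        "host": headers.get("Host"),
        "path": path,
        "cookie": headers.get("Cookie"),
        "user_agent": headers.get("User-Agent"),
    }


def build_client_hello(hostname: str) -> bytes:
    """Build a minimal TLS ClientHello record carrying an SNI extension.
    Only the fields needed for the illustration are filled in; this is a
    constructed sample, not a complete, negotiable handshake message."""
    name = hostname.encode("ascii")
    server_name = b"\x00" + struct.pack("!H", len(name)) + name      # name_type host_name
    name_list = struct.pack("!H", len(server_name)) + server_name
    sni_ext = struct.pack("!HH", 0x0000, len(name_list)) + name_list  # extension type 0 = SNI
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (
        b"\x03\x03"                                  # legacy_version TLS 1.2
        + bytes(32)                                  # client random (zeros in this sample)
        + b"\x00"                                    # empty session_id
        + struct.pack("!H", 2) + b"\x13\x01"         # one cipher suite (TLS_AES_128_GCM_SHA256)
        + b"\x01\x00"                                # compression_methods: null only
        + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body        # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # ContentType handshake


def what_https_reveals(record: bytes) -> dict:
    """Walk the ClientHello like a sniffer would: nothing is encrypted yet, so
    the hostname (SNI) is visible, but no path, cookie or body is ever sent
    in the clear."""
    if record[0] != 0x16 or record[5] != 0x01:
        return {"sni": None, "path": None, "cookie": None}
    hs = record[5:]
    pos = 4 + 2 + 32                                     # handshake header, version, random
    pos += 1 + hs[pos]                                   # session_id
    pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + hs[pos]                                   # compression_methods
    sni: Optional[str] = None
    if pos + 2 <= len(hs):
        ext_end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= ext_end:
            etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
            pos += 4
            if etype == 0:                               # server_name extension
                p = pos + 2                              # skip ServerNameList length
                while p + 3 <= pos + elen:
                    ntype = hs[p]
                    nlen = struct.unpack("!H", hs[p + 1:p + 3])[0]
                    if ntype == 0:
                        sni = hs[p + 3:p + 3 + nlen].decode("ascii")
                        break
                    p += 3 + nlen
            pos += elen
    return {"sni": sni, "path": None, "cookie": None}


if __name__ == "__main__":
    print("HTTP  :", what_http_reveals(HTTP_REQUEST))
    print("HTTPS :", what_https_reveals(build_client_hello("shop.example")))
```

Run it and compare the two lines: the HTTP request hands the observer the session cookie and the exact page, while the HTTPS handshake only gives away the hostname. That is why HTTPS protects the content of your conversation but not the fact that you are having it.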
From the explanations above, it may be obvious to you why you should use HTTPS when you browse the Web, but if it is not, think about the following. Sites collect all kinds of information about you. They use it to provide more targeted content (or advertisements), but they also integrate with third-party sites, including advertising networks, Facebook, Twitter and Google (the latter may also be used for signing in). The information they collect includes, but is not limited to, your location, IP address, browsing patterns, device details and, quite often, the cookies that automatically sign you into certain services. This information is exchanged between your browser and the website you are visiting without you noticing. Thus, if the website you are visiting doesn't use HTTPS, your information is easily readable by anyone who can observe your Web traffic, for example someone on the same public Wi-Fi network, and a cookie read this way is enough to take over your session on that site.
If you own a website, you should care even more about HTTPS and make sure you configure your site to use only HTTPS for communication: plain HTTP requests should be redirected to HTTPS, and the site should tell browsers (with the Strict-Transport-Security header) to use HTTPS on every later visit. One reason is that browser vendors are starting to explicitly warn users when the site they are visiting doesn't support HTTPS and to mark it as "Not secure". In addition, Google has said that it uses HTTPS as a ranking signal in its search results, so sites that do not support HTTPS may rank lower, which may have a significant impact on your business.
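As an added example of what "use only HTTPS" means in practice (this is not configuration from the original post), here is an nginx server configuration with the weak setup beside the corrected one. The domain www.example.com, the certificate paths and the document root are placeholders you would replace with your own.

```nginx
# Weak: the site answers on plain HTTP and never sends the browser to HTTPS,
# so every visit leaks cookies and page contents to anyone on the path.
server {
    listen 80;
    server_name www.example.com;
    root /var/www/site;
}

# Corrected, part 1: plain HTTP does nothing except redirect to HTTPS.
server {
    listen 80;
    server_name www.example.com;
    return 301 https://$host$request_uri;
}

# Corrected, part 2: all content is served over TLS only.
server {
    listen 443 ssl;
    server_name www.example.com;

    # Certificate chain and private key (placeholder paths).
    ssl_certificate     /etc/ssl/certs/www.example.com.fullchain.pem;
    ssl_certificate_key /etc/ssl/private/www.example.com.key;

    # Obsolete SSL versions and TLS 1.0/1.1 are not offered at all.
    ssl_protocols TLSv1.2 TLSv1.3;

    # HSTS: tell returning browsers to go straight to HTTPS for the next year,
    # so even a typed-in http:// address is never sent in the clear.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    root /var/www/site;
}
```

Two cautions before copying this: only add includeSubDomains once every subdomain really serves HTTPS, because browsers will refuse plain HTTP for all of them once they have seen the header, and check your pages for "mixed content" (images or scripts still loaded from http:// URLs), which browsers block or flag even on an HTTPS page.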
With this, I hope you understand the importance of HTTPS and the implications of not using it. In the next post, targeted more at IT professionals and software developers, I plan to get more technical and explain how TLS encryption works.