How do we know what’s safe on the internet or if sites are secure when we make payments or put personal information online? Today we’ll tell you what HTTPS is and why it’s different from HTTP. We’ll also answer the question “how does HTTPS work” and how it keeps you safe.
HTTP makes the internet run. Every computer and every device that goes online takes advantage of this decades-old protocol to send and receive data with servers located around the world. It’s such an intricate part of our online experience that we often forget the letters are at the beginning of every website address.
In recent years a modified version of HTTP has been gaining popularity. HTTPS secures the normally raw, open data transmitted by HTTP, allowing servers and clients to communicate with a level of guaranteed privacy. At the time of writing, over 51% of the top million websites offer a secured HTTPS version of their site, and that number is constantly on the rise. It’s great news for privacy advocates and casual web surfers alike.
The details of SSL connections and cryptography keys are enough to make anyone’s head spin. Understanding the basics of how HTTPS connections work doesn’t take a computer science degree, however. Keep reading for a brief explanation of HTTPS and how it makes all of our online lives safer and more secure.
HTTP – How the Internet Works
To get a little more technical, HTTP transfers data using TCP (Transmission Control Protocol), another protocol that forms the foundation of the web. Data is broken into packets before being sent, each of which is stamped with your computer’s IP address, which functions a lot like a mailing address. Through HTTP sending data via TCP, your online activity gets broken down, sent into the world, then brought back and re-assembled in your web browser.
The Problem with HTTP: It Isn’t Secure
HTTP was developed in 1989 and has formed the backbone of the internet ever since. It’s fast and efficient and does its job quite well, but there’s one major shortcoming a lot of users have started to worry about in recent years.
HTTP is inherently insecure. Everything the protocol sends and receives is done in plain text format, making it extraordinarily easy to intercept. There’s nothing built into HTTP that prevents any random computer from taking a look at what’s being transferred. It’s a lot like having a telephone conversation in a crowded room. Everybody can hear what you’re saying; all they have to do is start listening.
HTTPS: Making HTTP Secure
HTTPS works in fundamentally the same way as HTTP, but that “S” on the end makes a huge difference for the end user. The S stands for Secure, and it’s shorthand for a method of sending HTTP requests with a layer of SSL/TLS security on top, encrypting the data to prevent eavesdroppers. Even if someone intercepted packets they wouldn’t be able to break the encryption or read the information, making HTTPS an extremely effective method of securing internet traffic.
Let’s break the above statement down a little bit. TLS stands for Transport Layer Security. SSL stands for Secure Sockets Layer, which is the predecessor of TLS. Both are frequently referred to as SSL and are widely used cryptographic protocols that provide an easy method of adding encryption to a variety of activities. SSL is also used by VoIP programs to authenticate transmissions, web browsers to secure data, and VPNs to create makeshift network tunnels to quickly secure user traffic.
When incorporated into HTTPS, SSL acts as an encryption companion that secures and verifies everything the HTTP protocol is transmitting. SSL essentially rides along with each packet of data and decrypts it only when it reaches its intended destination. The server and the computer handle everything exactly as before, but if a third party picks up any of the packets, they won’t be able to decrypt the data.
How HTTPS Works
Now that you’ve got a basic background, let’s look at what goes on during a typical HTTPS session. The first thing that happens is establishing a secure SSL connection. This begins with a quick handshake between the client (your computer, smartphone, etc.) and the server. The goal of this is to verify each other’s identity and agree upon encryption protocols, setting things up for an impending data transmission.
If an SSL handshake were a conversation, it might play out something like this:
- CLIENT: I’m looking for Server #SS1978-IJ56. Is that you?
- SERVER: Yes. Are you the client I’m supposed to be working with?
- CLIENT: Yes. Let’s use Encryption Method 742 to chat.
- SERVER: 742, no problem.
The handshake serves as a brief introduction. No data is transmitted during this process; it’s just a quick superficial nod to make sure both parties are who they should be. The next part of the process is where the server and the client verify their identities and actually start exchanging information. This is still just the SSL part of the interaction, by the way. HTTP is waiting to do its job once SSL gives it the go-ahead.
After the handshake, the following steps take place, in order:
1. Greeting – This phase is somewhat similar to the handshake, only now that the client/server identities are established, they can actually send data to each other. Verification begins with the client sending the equivalent of a hello message. This encrypted message contains all the information the server will need to communicate with the client via SSL, including encryption keys. The server then sends its own hello message back, containing similar information the client needs in order to hold up its end of the communication.
2. Certificate swap – Now that the server and client are ready to communicate securely, they need to verify their identity. This is a crucial step that ensures third parties can’t pretend to be the intended server, which is what keeps encryption keys out of their hands. This is accomplished through an SSL certificate swap between the client and the server, roughly the equivalent of showing someone your ID in real life. SSL certificates contain data like the party’s domain name, its public key, and who owns the device. These are checked against a centralized Certificate Authority (CA) source to make sure they’re valid. CAs issue these certificates, which helps keep them out of malicious third party hands.
3. Key swap – Everyone knows who everyone else is, encryption protocols have been agreed upon, so it’s finally time to get started. The key swap begins with the client (your device) generating a cipher key to use in a symmetrical algorithm. This means the encrypted data can be unlocked and fully accessed by anyone with the key, hence the symmetry. Since the key styles were agreed upon during the verification phase, all the client has to do is share the key and the two parties can communicate efficiently and securely.
All of these phases with SSL verification and data swapping seem like a lot of extra steps, but they’re crucial to establishing a secure connection between the right computers. Without verifying identities, other computers can steal data and decrypt it. Without verifying encryption methods, other computers can share fake keys and gain access to data. Only with all of these pre-sharing steps can the HTTP transfer take place securely.
Once the SSL portion of the transfer takes place, HTTP steps in and does its thing. Here data is broken into packets, labeled with your IP address, stuffed inside the SSL envelope and sent along their way. SSL ensures only the client and the intended server can read the information being sent. The process is completed thousands of times for each request, and it happens in a fraction of a second.
HTTPS in Your Browser
You’ve probably seen your browser display a little padlock icon in the URL bar from time to time. This simply means the site is secured with HTTPS. It normally happens with sites that legitimately collect private data, such as credit card information for online shopping, passwords for checking your e-mail, or anything involving banking or financial transactions. More and more websites are using HTTPS these days, however, which is great for online privacy in general.
HTTPS is done on the server’s side. In other words, you can’t force a site to use HTTPS if its servers aren’t set up to handle it. Many websites will only switch to HTTPS if your browser specifically demands it, and others will load unsecured content within HTTPS pages, which defeats the purpose entirely.
There’s a fantastic browser extension called HTTPS Everywhere that alleviates a lot of the above issues. The plug-in rewrites your browser requests to use HTTPS whenever it’s available. It can’t create a secure connection where none exists, and it doesn’t encrypt anything itself, but HTTPS Everywhere ensures you always take advantage of the extra security whenever possible.
VPN Encryption versus HTTPS
The word “encryption” is used a lot these days. At its core, encryption refers to using cryptography to generate incredibly complex mathematical puzzles that lock information packets in an unbreakable box. That box can only be opened with an equally complex cipher key, which is generated when the data packets are encrypted in the first place. There are a number of different encryption processes used in the modern internet, but the basic idea behind them is roughly the same.
Virtual private networks are always discussed in relation to the encryption they provide. In short, a VPN runs on your local device and encrypts everything before it’s sent through the internet. Data packets are unreadable as they travel to your ISP and to the VPN’s servers. At this point your local IP address is removed and replaced with an IP address associated with the VPN. The VPN carries out the data request on your behalf, then returns the information to your computer. The entire process takes place under the protection of encryption, and it also removes identifying data so it’s impossible to trace activity back to your computer.
HTTPS protocols and virtual private networks may sound similar, but in reality they’re two different technologies that attack the same problem from different angles. VPNs secure all traffic between your computer and the internet. They also anonymize data to make it harder to trace your online activity. HTTPS only secures traffic between one website and your computer, with no measures taken to add anonymity. Even if you’re accessing a site secured with HTTPS, a VPN offers extra features to keep your data safe.
How to Choose a Secure VPN
HTTPS does an amazing job securing the connection between your device and a single website. Not all sources are protected by this server-side encryption, however, and even when they are there’s a chance an unsecured link can find its way into the site and threaten your privacy. To keep your online activity secure, you should always use a VPN.
Choosing the right VPN seems like a complicated process. There are all sorts of features to compare, prices to consider, encryption strengths to contrast, and so on. Below are some of the criteria to focus on when researching the best VPN for secure online browsing. We’ve also included a few recommendations to help get you started.
Encryption strength – The complexity of a VPN’s encryption protocols can make a big difference in your privacy. Most providers deliver 128-bit or 256-bit AES encryption, which is perfect for almost all online activities.
Logging policy – All of your traffic passes through a VPN’s servers. If the company keeps detailed logs, there’s a chance your data could be given to a third party or government agency. The best VPNs have strict zero-logging policies that keep your info safe no matter what.
Software support – To take advantage of a VPN, you need to run it on every device that connects to the internet. Most VPN services offer custom software for smartphones, tablets, laptops, and everything in-between. Make sure your devices are covered before signing up.
Speed – A downside to encryption is that it adds data to each packet of information, effectively slowing your connection. The best VPNs work around this limitation to provide fast downloads without sacrificing privacy.
ExpressVPN focuses on delivering incredible speeds to users around the world. Encryption often slows down VPN connections, and having servers located far from your home can increase lag. With ExpressVPN, both of those issues are minimized thanks to blazing fast hardware and a server network distributed across the globe. When coupled with unlimited bandwidth and no speed caps or throttling, you’ve got an incredible recipe for a strong and reliable VPN.
Other features from ExpressVPN:
- Easy to use custom apps for Windows, Mac, Linux, Android, iOS, and more.
- Great access to Netflix, even when other VPNs are blocked.
- 145+ VPN locations in 94 different countries.
- DNS leak protection and an automatic kill switch.
- Great for bypassing censorship in countries like China.
- Fast servers with minimal speed loss
- Very simple and easy to use
- No personal information logs kept
- 24/7 Live Chat.
- Slightly pricier than competition.
NordVPN is an incredibly reliable VPN with two outstanding features: a large server network, and lightning fast speeds. NordVPN operates over 5,100 servers in 60 different countries, twice the size of most VPNs. This gives you a wide variety of options for selecting out-of-country IP addresses to access geo-restricted content. You’re also guaranteed a fast connection with NordVPN’s network, even if you take advantage of their unique double encrypted servers.
A few of NordVPN’s best features:
- Incredible zero-logging policy covers everything from traffic to bandwidth, IP addresses, and time stamps.
- Strong privacy features allow open access to the internet even in countries like China.
- Double encryption servers that wrap all data in 2048-bit SSL encryption.
- One of the best VPNs to access Netflix with.
- Highly affordable plans
- 5,400+ servers globally
- Strong encryption is used on all connections
- Extra-secure Double VPN for data encryption
- 24/7 Customer Service.
- Refund processing can take up to 30 days.
Stopping censorship and providing user security are two of IPVanish’s biggest features. The service works to protect your privacy by delivering 256-bit AES encryption with all of its 1,300 servers in 60 different countries, adding in a thorough zero traffic logging policy to boot. You’ll always be able to find a reliable, fast connection with IPVanish, and with over 40,000 IP addresses to use, you’ll be able to bypass censorship filters and firewalls with ease.
IPVanish also comes with the following features:
- Incredibly easy to use software for PC, laptops, smartphones, Chromebooks, and tablets.
- Unlimited bandwidth, no speed caps, and no restrictions on P2P or torrent traffic.
- Secure, fast, and anonymous downloads ideal for torrent and Kodi users.