Most web traffic online is now sent over an HTTPS connection, making it ‘secure’. Google now even warns that unencrypted HTTP sites are “Not secure.” So why is there still so much malware, phishing and other dangerous activity online?
‘Safe’ sites simply have a secure connection
Chrome used to display the word “Secure” and a green padlock in the address bar when you visited a website with HTTPS. Modern versions of Chrome simply have a small gray lock icon here, without the word “Secure”.
That’s partly because HTTPS is now considered the new baseline standard. Everything should be secure by default, so Chrome only warns you that a connection is ‘Not secure’ when you access a site over an HTTP connection.
However, the word “Secure” has also disappeared because it was a bit misleading. It sounded as though Chrome was vouching for the content of the site, as if everything on the page were ‘safe’. But that’s not right at all. A ‘safe’ HTTPS site can be filled with malware or be a fake phishing site.
HTTPS stops snooping and tampering
HTTPS is great, but it doesn’t make everything secure. HTTPS stands for Hypertext Transfer Protocol Secure. It is the standard HTTP protocol used to connect to websites, but with a secure encryption layer.
This encryption prevents people from snooping on your data in transit and stops man-in-the-middle attacks that can change the website as it is sent to you. For example, no one can snoop on payment information that you send to the website.
In short, HTTPS ensures that the connection between you and that specific website is secure. No one can eavesdrop on it or tamper with it. That’s it.
This doesn’t really mean a site is ‘safe’
HTTPS is great and all websites should be using it. However, all it means is that you are using a secure connection to that particular website. The word ‘Secure’ says nothing about the content of that website. It just means that the website administrator has purchased a certificate and set up encryption to secure the connection.
For example, a dangerous website full of malicious downloads can be delivered over HTTPS. All that means is that the website and the files you download are sent over a secure connection, but they may not themselves be safe.
Likewise, a criminal could buy a domain like “bankoamerica.com”, get an SSL encryption certificate for it, and imitate the real Bank of America website. This would be a phishing site with the “secure” padlock, but that just means that you have a secure connection to that phishing site.
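The padlock looks the same for both names, so telling them apart needs a separate check on the name itself. As an added example (not part of the original article), this Python sketch flags hostnames that nearly match a trusted domain; the allowlist, the distance threshold and the two-label domain rule are assumptions made for illustration.

```python
# Added example: flag hostnames that closely resemble, but do not equal,
# a trusted domain. A valid HTTPS certificate says nothing about this.

TRUSTED = ("bankofamerica.com",)  # assumption: the names you actually intend to visit


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: single-character inserts, deletes, substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete from a
                           cur[j - 1] + 1,             # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Last two labels of the hostname.

    Assumption: good enough for .com-style names; production code should
    consult the Public Suffix List instead.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify(host: str, trusted=TRUSTED, max_distance: int = 2):
    """Return ('trusted' | 'lookalike' | 'unknown', matched trusted name or None)."""
    domain = registrable(host)
    if domain in trusted:
        return ("trusted", domain)
    for name in trusted:
        if edit_distance(domain, name) <= max_distance:
            return ("lookalike", name)
    return ("unknown", None)


if __name__ == "__main__":
    # Constructed sample hostnames, not taken from real traffic.
    for h in ("www.bankofamerica.com", "bankoamerica.com", "example.org"):
        print(h, classify(h))
```

A "lookalike" result is a prompt to stop and check the address, not proof of phishing, and an "unknown" result is not a clean bill of health.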
HTTPS is still great
Despite the wording browsers have been using for years, HTTPS sites are not really ‘safe’. Websites switching to HTTPS helps solve some problems, but it doesn’t end the scourge of malware, phishing, spam, attacks on vulnerable sites, or various other online scams.
The shift to HTTPS is still great for the web! According to Google statistics, 80% of the web pages loaded in Chrome on Windows are loaded via HTTPS. And Chrome users on Windows spend 88% of their browsing time on HTTPS sites.
This transition makes it more difficult for criminals to eavesdrop on personal information, especially on public Wi-Fi or other public networks. It also significantly reduces the chances of you encountering a man-in-the-middle attack on public Wi-Fi or any other network.
Suppose you download the .exe file of a program from a website while connected to a public Wi-Fi network. If you are connected over HTTP, the Wi-Fi operator can manipulate the download and send you a different, malicious .exe file instead. If you are connected over HTTPS, the connection is secure and no one can change your software download.
That’s a huge win! But it is not a panacea. You still need to use basic online security practices to protect yourself from malware, detect phishing sites, and avoid other online problems.