HTTPS and why you should care

In light of our announcement about securing the site with HTTPS, I figure this might be a good time to talk about what it does, what it doesn’t do, and why you should care.  So, let’s jump into it!

Have you ever noticed how some sites have a little green lock in front of their URL?  That lock means that you’re browsing over a secured HTTPS connection!

Ok, great.  What does that mean?

If you’re shopping on Amazon, getting lost in a rabbit hole on Wikipedia, or reading up on how picking stocks is a waste of time, it’s like sending a postcard to a certain address and getting another postcard back with the webpage you want.  Over regular HTTP, what’s written on the postcard can be read by anyone who handles the postcard itself.  In the mail service, it’s not a lot of people.  On the internet, however, well…

The tracert command in Windows (traceroute in Linux) shows all the servers involved with connecting to another server. I’ve blurred out the local ISP and Datacenter servers for privacy.

Every single line is a different server that my traffic to and from a website like eff.org passes through.  Every single one of those 10 addresses before the final EFF server is a chance for someone to intercept, copy, and read your postcard.  Of those servers, I only trust #1, my home router, and #11, the actual destination server.  If you’re at work, that first stop is controlled and monitored by your company.  If you’re on an open WiFi, like at a coffee shop, the connection between you and that first line is totally free to read by anyone who’s in range of the network.  If that traffic is just some blog, then it’s arguable that you don’t need to care.  But if you’re sending important information like credit card numbers or tax information, you definitely don’t want that information intercepted by a snoop.

Going back to the postcard, imagine you and your friend came up with a secret code that only the two of you knew.  Now, you can send postcards to one another and be confident that no one else read your data in transit.  This is how HTTPS works.  Your computer and a server agree on a code through a process known as “Public Key Cryptology” to encrypt your data before it leaves so it can only be read at the destination1Coming up with a mutual code without the middlemen knowing is a difficult process, and really deserves its own blog post. Keep and eye out here for one, and check out the Wikipedia article for more details..  No more broadcasting your credit card number to everyone who sees your postcard!

So in summary: before you even type any personal information into a website, make sure that little green lock is there.

Why Joe cares

Now, moneyandmegabytes.com doesn’t ask for or send credit card info or other traditionally sensitive information.  Why did I take the time to set up HTTPS for our server?  Well, thanks to a law passed in the US on April 3 20172https://www.congress.gov/bill/115th-congress/senate-joint-resolution/34, ISPs like Comcast or Verizon can now legally do whatever they want with your traffic as long as they tell you in their privacy policy3https://www.eff.org/deeplinks/2017/03/congress-sides-cable-and-telephone-industry.  This means they can log every bit of traffic as it comes though their servers which can be used to collect and sell an enormous amount of data.  Thanks to advances in machine learning, it would not be difficult for your ISP to read through every webpage you visit and classify your interests, or worse still modify the contents of that webpage to inject their own advertisements.  They can do all this as long as they inform you in their privacy policy, which, you know, is always written in a clear, concise, and understandable manner, right?  This decision deserves a whole rant on its own, but I won’t subject you to that (just yet).  Luckily for us, none of that is possible if the ISP can’t read the contents of the traffic.  There is a huge push from activists to secure more pages with HTTPS in order to combat this affront to privacy4“Not that I’m bitter,” he said, bitterly, so I’m doing my part.

What can you do?

I’ve set up this server so that all web traffic requests for HTTP get redirected to HTTPS instead.  I’ve also set all the links and image locations on the site to connect over HTTPS.  Unfortunately, not all sites do this, even ones that have HTTPS versions out there.  That’s where the EFF and Tor Project come to save the day with their browser extension HTTPS Everywhere for Chrome and Firefox.  If you try to connect to a site with HTTPS support over HTTP, it will automatically edit the URL to request the HTTPS site instead.  I’ve been using it for years, and it’s the first extension I install with a new browser.

Limitations

Now, in order for your postcard to get to your friend, you have to have a to and from address that is readable by the post office, otherwise the message will never get to its destination.  So if someone is snooping on you, while they can’t see exactly what you’re saying to your friend, they can see that there’s a conversation happening.  Using other information like when you’re talking, or other people you sent postcards to, someone still might work out what you and your friend are talking about5Check out this article from EFF for a beautifully simple interactive graphic.

Beyond that, the HTTPS protocol is run by software, and all software has bugs.  You may have heard about the Heartbleed bug from 2014.  This was a major bug that affected OpenSSL, which is used by the vast majority of servers with HTTPS.  It allowed hackers to access anything within a server’s memory, including the unencrypted data and the codes used to read the encrypted data6https://xkcd.com/1354/.  Which is absolutely horrifying7https://xkcd.com/1353/.  It was promptly fixed, but it goes to show how even something as important to the Modern Internet as HTTPS is susceptible to mistakes.

So remember, while the little green lock in the corner of your browser is an important place to start, it’s hardly a complete solution to privacy.

tl;dr

  • HTTPS hides data you send between servers
  • HTTPS does not hide where you’re sending the data to or getting data from
  • Always check to make sure your site is secured with HTTPS before entering personal data like credit card info etc.
  • Use the HTTPS Everywhere extension from EFF
  • Your digital privacy is under attack by everyone; be vigilant!

Leave a Reply

Your email address will not be published. Required fields are marked *