The HTTPS protocol encrypts the connection between your browser and the website you are visiting. But what is protected, and what isn't? In other words, can you sleep soundly now, or do you still have to watch out when you are browsing?
What is HTTPS?
The transfer of data between your browser and the website you are visiting is done using the http-protocol (hyper text transfer protocol). HTTPS is an extension that sets up a TLS connection to transmit HTTP-traffic in encrypted form.
The TLS-protocol uses certificates to authenticate the exchanged data and to guarantee privacy.
When you visit a website, your browser will verify the website's certificate with a Certificate Authority. This way you can be sure that the found server is indeed the one it claims to be (authentication).
Then the "handshake" is started, a procedure in which your browser and the server agree what kind of encryption they will use. As of then, the communication between both parties is encrypted (encryption).
As website holder: how do you apply HTTPS, and what are the advantages?
To offer HTTPS, you need an SSL-certificate. Request this: you can choose for a free Let's Encrypt Certificate or a paying certificate of a Certificate authority. Following approval and awarding of the certificate, you install it on your server.
An HTTPS-connection for your website:
- strengthens confidence in your website in terms of security (online payments, secure login) and protection of privacy.
- improves the SEO or Search Engine Optimisation: Google gives websites with HTTPS a higher ranking in the search results, including 'normal' websites, where no purchases or financial transactions take place.
- prevents broken transactions: the Firefox and Chrome browser warn the user when they enter data into a web form on a non-HTTPS page. The alarmed user will usually interrupt the interaction immediately!
Don't forget to add a CAA record to the DNS configuration of your domain name: this indicates which certificate authority may grant certificates for that domain name. Ask your provider or hosting company to guide you through this procedure.
As a user: how do you recognise HTTPS, and what are the advantages?
Your browser (Firefox, Edge, Chrome, Safari, etc.) will notify the presence of HTTPS with a symbol. This varies depending on the browser and whether or not you are surfing on a mobile device: a closed lock, the word 'secure' in the address bar, etc.
If you open a website that does not offer HTTPS, but does ask for an interaction that should normally take place in a secure environment (entering a web form, logging in with a password, etc.), you will receive a warning.
An HTTPS-connection offers the following protection:
- Confidentiality and integrity: the connection between your browser and the server on which the website is located is encrypted. The exchanged data cannot be intercepted or modified. This is very important for online banking or online purchases and payments, etc. For example, if you are surfing in a coffee bar with an open WiFi connection, third parties will not be able to put fake links or malware in the content.
- Authenticity: you can use the certificate to check if the website you are visiting is authentic.
Attention: HTTPS does not protect you against all dangers!
Belgian users are familiar with HTTPS meanwhile. They recognise an encrypted internet connection and realise its importance. This is evident from the market survey that DNS Belgium commissioned from InSites Consulting at the end of last year: the average Belgian bases his/her confidence in a website mainly on the presence of HTTPS (45%).
However, this creates a false feeling of security. Because HTTPS guarantees that the connection to the website is secure, but does not give any assurance about the reliability of the website.
Most SSL-certificates, on which an HTTPS-connection is based, only ensure that an encryption key is delivered to the server. Your browser also only checks for the presence of that key.
Only the (more expensive) Extended Validation (EV) certificates, which DNS Belgium also uses, provide a guarantee of the applicant's identity, for example via the trade register. However, this says nothing about the content of the website itself.
Cyber criminals therefore gratefully exploit this false sense of security. Increasingly, they ensure that the website, which they use in a phishing attack, for example, also offers an HTTPS-connection. Cyber criminals expect visitors to be reassured by the symbol that the browser displays when it recognises an HTTPS-connection.
Bear in mind: the closed lock in your browser which confirms an HTTPS-connection does not protect you against a phishing attack or other forms of fraud. Always be on your guard, and think carefully before you click on a link in an email!