Most online web traffic is now sent over an HTTPS connection, making it “secure”. In fact, Google now warns that unencrypted HTTP sites are “insecure”. So why is there still so much malware, phishing, and other dangerous activity online?
“Secure” sites simply have a secure connection
Chrome used to display the word “secure” and a green padlock in the address bar when visiting a website over HTTPS. Modern versions of Chrome simply have a small gray padlock icon here, without the word “Secure”.
Part of that is because HTTPS is now seen as the new gold standard. Everything should be secure by default. Chrome therefore only warns you that a connection is “not secure” when you access a site via an HTTP connection.
However, the word “secure” has also disappeared because it was a bit misleading. It made it look as if Chrome were vouching for the content of the site, as if everything on that page were “secure”. But that is not at all true. A “secure” HTTPS site could be filled with malware or be a fake phishing site.
HTTPS stops snooping and tampering
HTTPS is great, but it doesn’t make everything secure. HTTPS stands for Hypertext Transfer Protocol Secure. It’s like the standard HTTP protocol for connecting to websites, but with a layer of secure encryption.
This encryption prevents people from snooping on your data in transit and stops man-in-the-middle attacks that can alter the website as it is sent to you. For example, no one can spy on the payment details you send to the website.
In short, HTTPS ensures that the connection between you and that particular website is secure. No one can listen to it or alter it. That’s it.
It doesn’t really mean a site is “secure”
HTTPS is awesome, and every website should be using it. However, it just means that you are using a secure connection with that particular website. The word “secure” does not say anything about the content of this website. It just means that the website operator has purchased a certificate and implemented encryption to secure the connection.
For example, a dangerous website filled with malicious downloads might be delivered over HTTPS. All this means is that the website and the files you download are sent over a secure connection, but they may not be safe themselves.
Likewise, a criminal could buy a domain like “bankoamerica.com”, get an SSL encryption certificate for it, and mimic the real Bank of America website. It would be a phishing site with the “secure” padlock, but that just means that you have a secure connection to that phishing site.
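The lookalike-domain case above is a question about identity, which the padlock does not answer. As an added example (not from the original article), this Python check flags hostnames within a small edit distance of a known domain; the allowlist, the distance threshold and the sample hostnames are assumptions made for illustration.

```python
from typing import Optional, Tuple

# Constructed allowlist of domains the user actually does business with (assumption).
KNOWN_DOMAINS = {"bankofamerica.com", "google.com", "paypal.com"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance using a rolling one-row table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1,                # delete ca
                           cur[j - 1] + 1,             # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def base_domain(host: str) -> str:
    """Last two labels of a hostname. Simplification: ignores suffixes like co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify(host: str, max_distance: int = 2) -> Tuple[str, Optional[str]]:
    """Return ('known', d), ('lookalike', d) or ('unknown', None) for a hostname.

    Nothing about the TLS certificate is consulted: a lookalike domain can hold
    a perfectly valid certificate, so the padlock cannot answer this question.
    """
    domain = base_domain(host)
    if domain in KNOWN_DOMAINS:
        return ("known", domain)
    closest = min(KNOWN_DOMAINS, key=lambda k: edit_distance(domain, k))
    if edit_distance(domain, closest) <= max_distance:
        return ("lookalike", closest)
    return ("unknown", None)


if __name__ == "__main__":
    # Constructed sample hostnames; the second is the article's own example.
    for host in ["www.bankofamerica.com", "www.bankoamerica.com",
                 "paypa1.com", "example.org"]:
        print(host, "->", classify(host))
```

An "unknown" result is not a verdict of safety; it only means the name is not close to anything on the allowlist.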
HTTPS is still great
Despite the wording that browsers have used for years, HTTPS sites are not really “secure”. Switching websites to HTTPS fixes some issues, but it doesn’t end the plague of malware, phishing, spam, attacks on vulnerable sites or various other online scams.
Switching to HTTPS is still great for the Internet! According to Google statistics, 80% of web pages loaded in Chrome on Windows are loaded over HTTPS. And Windows Chrome users spend 88% of their browsing time on HTTPS sites.
This transition makes it more difficult for criminals to eavesdrop on personal data, especially on public Wi-Fi or other public networks. It also greatly reduces the chances that you will encounter a man-in-the-middle attack on public Wi-Fi or another network.
For example, suppose you download a program’s .exe file from a website while connected to a public Wi-Fi network. If you are connected via HTTP, the Wi-Fi operator could tamper with the download and send you a different, malicious .exe file. If you are connected via HTTPS, the connection is secure and no one can tamper with your software download.
It’s a huge victory! But it is not a fix for everything. You still need to use basic online security practices to protect yourself from malware, spot phishing sites and avoid other problems online.
Image Credit: Eny Setiyowati/Shutterstock.com.