You may have noticed that over the past few months more and more websites have started to use HTTPS, the secure version of the communications protocol HTTP, for all of their pages. In Google’s Chrome browser, sites not using HTTPS now include an “information” icon next to address which states “Your connection to this site is not secure. You should not enter any sensitive information on this site (for example, passwords or credit cards), because it could be stolen by attackers.” Sites with HTTPS implemented have a green padlock with the word “Secure” next to it, and banks and other websites that use an extended validation certificate have a large green block with the name of their website in it.
What does HTTPS mean?
The main purpose of HTTPS is to encrypt the data sent between your browser and the website origin server, meaning that while hackers could see your connection with the website, they would not be able to see what pages you were visiting or read what information you were entering on the website (such as passwords or credit card numbers). HTTPS also ensures that visitors are going to the correct website by validating its SSL certificate, and are not visiting a site that is falsely identifying itself in order to steal sensitive information or, in the case of media sites, spread false information.
How Public Key Encryption Works
So how does HTTPS actually work to encrypt your information? It relies on a layer of SSL/TLS encryption (TLS being the newer and more secure technology), which uses authenticity certificates and public and private keys to establish a secure session between the browser and web server. This public-private key encryption uses unique keys to encrypt and decrypt data passing between a website server and browser, meaning that any content sent between a browser and the web server cannot be read by a third party that intercepts that data without the appropriate key. With modern TLS cipher suites that exhibit forward-secrecy, even a 3rd party that obtains the private key after the conversation is complete is unable to decrypt the data.
In public key encryption, the web server holds two paired keys that can be used to encrypt and decrypt information. The server keeps the private key and does not share it, while the public key is sent to every user that attempts to securely connect with them through the SSL/TLS certificate. Through the use of a “SSL handshake” the server sends the user the public key, opening up a secure channel by which the user can encrypt messages that can only be decrypted using the paired private key. This paired key system means that even if a malicious third party intercepts the key exchange process, since the private key is never shared they would be unable to decrypt messages. With modern TLS cipher suites that exhibit forward-secrecy, even a 3rd party that obtains the private key after the conversation is complete still cannot decrypt it.
The SSL/TLS certificate also authenticates that the browser and server are who they say they are: If a user is attempting to access the New York Times website, the certificate validates that the server’s SSL/TLS certificate has the New York Times as its owner. Extended Validation Certificates take additional steps to ensure the validity of the certificate owner and are used by entities such as banks, however the encryption process used once the handshake is complete is identical to those with standard SSL/TLS certificates.
Get included SSL/TLS Certificates with section.io
section.io provides all users with a SSL/TLS certificate for no additional cost, and we manage that certificate to ensure it never expires leaving websites vulnerable. To learn more about how section.io improves website security for all users, please contact us.