HTTPS: The S is More Than Just a Letter

• February 5th, 2014
Mobile Security, Online Privacy, PC security

Anyone who has ever used the Internet has looked up at their browser’s address bar and noticed a series of letters that either looks like this ‘HTTP’, or like this ‘HTTPS’. At first glance, it may seem like it’s just the letter S. In reality though, it is much more complicated than that.

HTTP stands for Hypertext Transfer Protocol (HTTP), a communication protocol that forms the foundation of the Internet. When you enter the URL you want to visit into the address bar of your Web browser, a HTTP command is sent to the relevant Web server instructing it to deliver a particular Web page.

The first documented version of the protocol was released in 1991. As work on the protocol continued, there was a growing awareness of the importance of security in Internet communications. Out of those concerns came Hypertext Transfer Protocol Secure, known more commonly by its abbreviation, HTTPS.

Technically, HTTPS is not actually a protocol; in truth, it is actually HTTP layered on top the SSL/TLS protocol. SSL stands for Secure Sockets Layer, and along with Transport Layer Security (TLS), is a cryptographic protocol designed to secure Internet traffic. Essentially, SSL and TLS use public and secret encryption keys to exchange a session key to encrypt data being sent from a client to a server. Both TLS and SSL use X.509 certificates to authenticate the machine they are communicating with and exchange a key.

The bi-directional encryption of communications between the client and server provides a barrier to protect data from the prying eyes of attackers. This fends off attempts at man-in-the-middle attacks, where an attacker connects with both parties and gets between them, effectively intercepting communications and potentially injecting new traffic into the mix.

While all that sounds good, many sites on the Web still use HTTP instead of HTTPS for a variety of reasons. Often, one of the main reasons is that HTTPS can make websites too slow, which isn’t entirely false. But while loading a website over HTTPS doesn’t make sites faster, this can be addressed in a number of ways.

The end result of this process is an extra layer of protection for data against the prying eyes of attackers or governments. During the past few years, privacy concerns prompted companies such as Google and Yahoo! to step up their use of encryption and HTTPS to protect both search results and users of their web mail service. The same concerns also led the Electronic Frontier Foundation and The TOR Project to team up to offer the HTTPS Everywhere extension for Google Chrome and Mozilla Firefox users.

That’s a whole lot of differences summed up by a single letter. But in the end, the ‘S’ in HTTPS is more than just a letter – it’s a thin line separating privacy and exposure on the Internet.