HTTP vs. HTTPS: How one letter can make a difference
You probably overlook it, and yet that letter protects your data every day.
On March 12, 2021, the World Wide Web celebrates its 32nd birthday. But time passes for everyone, and in the past three decades, the miraculous communication between systems that you are using right now has changed dramatically. That “www” you see before website domains representing the World Wide Web is now accompanied by even more acronyms.
I’m talking about HTTPS, that something that helps keep you secure. So, for World Wide Web Day, let’s have a chat about our silent hero; HyperText Transfer Protocol Secure.
What is the difference between HTTP and HTTPS?
HyperText Transfer Protocol Secure (HTTPS) refers to a protocol you connect to a website, where all of the information transferred between the browser and a server is encrypted, and therefore more secure than a normal HTTP connection. A URL that starts with HTTPS means that a website uses the Transport Layer Security (TLS) protocol or its precedent, a Secure Sockets Layer (SSL) protocol. These acronyms basically mean that, as the information gets transferred from the browser to the server, it gets turned into an alphanumeric code. Since it is encrypted rather than in plain text, if your information gets intercepted on its way to the server, a bad actor will have a more difficult time making it useful – or may not even be able to.
Why does HTTPS matter?
Fraudsters are often intelligent, sly, and have many ways of getting the information that they want. The SSL protocol was created to protect against eavesdropping and tampering such as man-in-the-middle attacks; when a fraudster plants herself between the browser and a server to take the information you submit through the website. If a bad actor manages to get access to your information in transit, they can conduct a myriad of different types of fraud such as account takeover, or synthetic identity, to name a few. Bad actors can not only steal your information but also alter it while it’s in transit: a fraudster can alter a transaction by changing the amount and recipient so they receive the funds. However, if there is an HTTPS on a URL, all of the information that could be intercepted is encrypted, protecting the end user from these attacks.
Man-in-the-middle attacks are easy to carry out and they sometimes take advantage of unprotected internet connections. For instance, if you’re connected to an open Wi-Fi, there’s a possibility someone is watching your activity, and waiting for you to send sensitive information.
Why doesn’t every website have an HTTPS domain?
Good question, my friendly, inquisitive reader! Some websites don’t need HTTPS on the URL. If they don’t collect PII, you aren’t giving them data that needs protection, so they don’t have anything to protect with an SSL or TLS.
Sometimes websites won’t have an SSL or TLS on their main site, but when you move to checkout, they do. This is because you don’t need that protection unless you’re putting information into their site. Watch out for the alternative, though, where the main page begins with HTTPS – so you think it’s safe – but the payment page doesn’t. This could be a malicious site trying to capture your personally identifiable information through an unsecured protocol.
This means that almost every website should have an HTTPS protocol. Often times fraudsters will buy websites that look similar to a popular site, or use non-alphabet or unicode characters to look like a popular website. So, if you’re on HTTP://arnazon.com (look closely, that doesn’t say Amazon!), you probably are on a phishing site by accident.
So what can I do now?
It’s pretty simple; don’t send data through a website that doesn’t have a green lock and HTTPS before the domain.
When you’re surfing the internet, keep your eyes out and be careful to watch for bad actors or unsecure situations.
And don’t get forget to celebrate on March 12.!
Related to this post: How to enjoy Amazon Prime Day without the fraud Demogorgon