HTTPS is the secure version of the internet backbone protocol or HyperText Transfer Protocol (HTTP) used for transporting data between a web browser and a website.
Secure internet transactions are imperative when users exchange sensitive data online such as checking their bank accounts or logging into their email services.
HTTPS claims to protect our sensitive data in transit, but does it actually stand true to its claim? What is the connection between HTTPS and TLS and how can you check for a website’s SSL certificate?
What Is Data in Transit?
When you type a website address into your browser and click enter, a lot happens behind the scenes. Data in transit is the information in motion that is actively passing from one location to another, i.e. across the internet when you are trying to reach a website.
In a nutshell, any data trying to go from a source to its destination is data in transit.
This needs to be secured as it might need to travel from network to network or could be transferred from a local storage device to cloud storage, making it vulnerable to interceptions along the way.
How Does HTTPS Help in Securing Data in Transit?
Regular HTTP communications send out all data in plain text, making it highly vulnerable and accessible to anyone who wants to intercept it, including cybercriminals. This is a big issue, especially when using public Wi-Fi.
HTTPS prevents data from being broadcast while it’s in motion and makes it difficult for anyone to view it. It achieves that by encrypting the traffic and securing it with an SSL certificate; even if the data packets are somehow stolen, they will be hard to decipher without a decryption key.
But this is important to remember: a secure connection does not always guarantee a secure site. Threat actors have found new ways to use HTTPS for malicious websites which means you could still be accessing an HTTPS-based website that is insecure in reality.
However, it is still best to always access an HTTPS-based website.
The Connection Between TLS and HTTPS
TLS stands for Transport Layer Security and is a cryptographic protocol that helps encrypt HTTPS and other protocols and email services. It is also the predecessor to the now obsolete SSL (Secure Sockets Layer) protocol.
By utilizing cryptographic techniques, TLS ensures three things:
- The data is not tampered with after being sent.
- The communication originates from genuine sources, i.e. the site is what it claims to be.
- The private data is hidden from prying eyes.
This protocol secures communications by using what’s known as an asymmetric public key infrastructure. The process starts with a TLS handshake where authentication takes place and session keys are generated.
What Is an SSL Certificate?
SSL certificates force websites to transition from HTTP to HTTPS, thus making them more secure.
An SSL certificate resides in a data file that is hosted inside a website’s origin server. By holding a website’s public key and identity, they make TLS encryption possible.
Any device that is trying to reach an origin server will reference this file to get hold of the public key and verify the server’s identity. The private key, as the name implies, is kept secure and private.
How to Check if a Site Has an SSL Certificate
Modern browsers have made it very easy to check for SSL certificates. For starters, if the URL begins with “HTTPS” instead of “HTTP,” then it’s assumed that the site is secured using an SSL certificate.
A padlock icon displayed in a web browser also indicates that a site has a secure connection with an SSL certificate.
Taking Google Chrome as an example, you can take just a few steps to get certificate information for a website.
Step 1: Click on the padlock icon in the address bar.
Step 2: Click on “Certificate (Valid)” in the pop-up.
Step 3: Check the “Valid from” dates to check the SSL certificate is current.
Does HTTPS Protect Data in Transit?
To answer the million-dollar question: yes, HTTPS does protect data in transit.
HTTPS over SSL/TLS is designed to provide encryption in transit. Since communication between a browser and website server (with a secure certificate) is in an encrypted format, the data packets in transit cannot be tampered with or read even if they are intercepted.
However, once your data has traveled to its destination and is residing on the website’s server, HTTPS cannot protect it. While HTTPS ensures our data in transit gets to its destination safely, it is not responsible for its safe storage.
HTTPS: A Crucial Piece of the Cybersecurity Jigsaw
While the presence of HTTPS does not offer full end-to-end encryption or protect a site against vulnerabilities, exploits, or phishing scams, it does provide security for your data in transit and ensures that the certificate was issued by a trusted certificate authority.
And this in itself is a crucial element in the big cybersecurity equation.
SSL certificates allow websites to encrypt and secure traffic, but there are many misunderstandings about how it works. Let’s debunk them.
About The Author