For a while now you may have noticed that, in your browser's address bar, the letters HTTPS appear at the beginning of the URL, accompanied by a padlock icon, on the websites you visit daily. This simply indicates that your connection to the page is encrypted: it is secure, and it is more difficult for someone to intercept it.
Many of the most popular websites already use it. Facebook, Google, YouTube and Twitter are just a few examples that everyone knows. However, considering that Google is about to declare the Internet insecure through Chrome, it is worth thinking about what HTTPS is and what it means not to use it.
What is the HTTPS protocol?
Before we begin to assess the possible implications, it is worth remembering what exactly HTTPS is. As we detailed in a previous article, it is an encrypted extension of the traditional HTTP protocol. To perform this encryption, each HTTP connection is sent over an SSL or TLS layer.
HTTPS has two goals: first, to certify that the website visited is legitimate and, second, to maintain the integrity and privacy of the connection data. With these two aspects covered, you get protection against man-in-the-middle attacks.
Additionally, it offers two-way encryption for communications between servers and clients, which protects against eavesdropping and tampering with the contents of the communication. In practice, it serves as a reasonable guarantee that we are communicating with the website we want and not with an impostor, which also protects against phishing attacks, such as the one that occurred at the Democratic National Committee before the last US presidential elections.
Historically, HTTPS connections have been used mainly for financial transactions, email and to provide greater security to corporate communication systems. In the late 2000s and early 2010s, its use began to spread to protect all kinds of websites.
How do you establish a connection with HTTPS?
In every encryption process a key is needed, first to encrypt the information and then to make it readable again. In the case of HTTPS, the key has to be unique for each session, and it must be generated without anyone else being able to learn it.
For this, a technique known as asymmetric encryption is used. It relies on two keys, one public and one private, exactly as explained in Genbeta Dev. These keys are a pair of numbers related in a special way, so that a message encrypted with one key can only be decrypted with its counterpart.
In other words: if we want to open our Gmail inbox, the outgoing connection from our PC is encrypted with the public key. When that connection reaches the Google server, it is decrypted using the private key.
However, before the connection request reaches its destination, the browser generates a pre-key on the spot and encrypts it with the public key of the server we want to connect to. This is sent to the server, which decrypts the pre-key with its private key. Both the server and the browser then apply a certain algorithm to the pre-key and obtain the same encryption key.
From this moment, once the hurdle of exchanging the key has been overcome, the client and server encrypt and decrypt the data with it. As no one else knows it, the communications are, in theory, secure. This is what makes HTTPS important: thanks to it, our communications with websites stay between them and us.
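The exchange described above, as an added Python sketch that is not code from the original article: the browser encrypts a random pre-key to the server's public key, the server recovers it with its private key, and both sides derive the same session key, while an observer who sees only the encrypted pre-key derives something else. The toy unpadded RSA key, the per-connection nonces and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Toy server RSA key pair (constructed for this example; far too small for real
# use, and unpadded "textbook" RSA is not safe outside a demonstration).
P, Q = 2**127 - 1, 2**89 - 1            # two known primes
N, E = P * Q, 65537                      # public key (N, E)
D = pow(E, -1, (P - 1) * (Q - 1))        # private key, held only by the server
N_BYTES = (N.bit_length() + 7) // 8


def client_make_pre_key():
    """Browser: create a fresh random pre-key and encrypt it to the server."""
    pre_key = secrets.randbits(192)      # always smaller than N
    encrypted = pow(pre_key, E, N)       # only the holder of D can undo this
    return pre_key, encrypted


def server_recover_pre_key(encrypted, private_exponent=D):
    """Server: decrypt the pre-key with its private key."""
    return pow(encrypted, private_exponent, N)


def derive_session_key(pre_key, client_nonce, server_nonce):
    """Both sides: run the same algorithm over the pre-key to get the session key.

    Mixing in per-connection nonces (as TLS does) is an assumption of this
    sketch; it keeps every session key unique.
    """
    material = pre_key.to_bytes(N_BYTES, "big")
    return hmac.new(material, b"session" + client_nonce + server_nonce,
                    hashlib.sha256).digest()


def handshake():
    """Run one exchange; return the key each party ends up with."""
    client_nonce, server_nonce = secrets.token_bytes(16), secrets.token_bytes(16)
    pre_key, on_the_wire = client_make_pre_key()
    client_key = derive_session_key(pre_key, client_nonce, server_nonce)
    server_key = derive_session_key(server_recover_pre_key(on_the_wire),
                                    client_nonce, server_nonce)
    # An observer sees the nonces and the encrypted pre-key, not the pre-key.
    observer_key = derive_session_key(on_the_wire, client_nonce, server_nonce)
    return client_key, server_key, observer_key


if __name__ == "__main__":
    c, s, o = handshake()
    print("client == server:", c == s, "| observer == client:", o == c)
```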
Why is HTTPS important?
On its blog for developers, Google places special emphasis on the importance of HTTPS. We have already discussed the reasons briefly, but it is worth going into detail to make them as clear as possible.
Using HTTPS prevents spying by intruders. Intruders range from malicious actors to legitimate companies that are nonetheless considered invasive. This last category would include, for example, Internet service providers or ISPs.
Intruders exploit unprotected communications to trick users into handing over sensitive information or installing malware, as well as to insert unwanted or illegitimate advertising into user resources. Google gives the example of third parties that insert advertising on websites, which can ruin the user experience and create vulnerabilities in the user's security.
Intruders can also exploit every unprotected resource that travels between websites and users. These resources can be images, cookies, scripts, HTML code and so on. Intrusions can occur anywhere on the network: a home machine, a WiFi access point, or a compromised ISP, for example.
A widespread misconception is that HTTPS is only necessary on websites that handle sensitive communications and information. Every unencrypted HTTP request can reveal information about the behavior and identity of users.
The implementation of HTTPS on the Internet today
According to Statoperator, currently “only” 116.675 of the most popular websites use HTTPS by default. From what we can see, adoption of the secure protocol is on the rise, so we can speculate that in the future the most prominent websites will implement this encrypted communication system.
An article published in Wired in March of last year says that 79 of the top 100 websites use the HTTPS protocol. Of those 79, 67 use outdated encryption technologies. The list includes names as important as the New York Times and IMDB.
Recently we, Weblogs SL, have implemented HTTPS throughout our blog network. The operation has been carried out by our systems department, which is trying to “modernize and secure the platform”. The technical team had been wanting to implement the improvement for some time, but it was not until recently that we were able to do so.
Many web giants, including Google, have stated that HTTPS is the future of the Internet. Considering that security and privacy are always a hot topic and that we are increasingly aware of the importance of good encryption, it is not surprising that these companies are leading this cause.
Image | brenkee