The Myth about HTTPS and safety of a website
We visit many websites every day and come across the term HTTPS frequently. Many websites, especially the popular ones, have HTTPS at the beginning of their URL. Browsers such as Chrome, Opera and Firefox display a green mark labelling them as secure or safe. Seeing this, we think we are cyber-safe while using the website. But wait: accessing an HTTPS website does not mean we cannot get hacked or breached. We must understand what HTTPS is and what it safeguards.
HTTPS – A Myth for internet users
Many websites display a green banner saying that they use HTTPS. Even our web browser displays green marks signaling that the website is safe. A normal user gets the perception that he is safe while accessing this website. But he is not. Though HTTPS is helpful in safeguarding a website, it creates the wrong perception that the website is completely safe. We should never trust a website only because it has HTTPS. Do not misunderstand my words: HTTPS is not a way to fool the users of a website. The use of HTTPS makes a website safe, but in a limited way. The concept of HTTPS is not properly understood by most common users of the internet.
HTTPS – A fact in reality
The fact is that HTTPS does not convert an unsecured website into a secured website; it secures only the data being transferred to and from that website. The usernames and passwords we enter on a website travel over the public internet through various cables, routers and switches, and can easily be intercepted and read anywhere in between. HTTPS is used to prevent this and to stop an attacker from extracting data as it travels through the network.
This does not designate any website as ‘safe from hacking’, but it assures that every bit of data transferred to and from the website passes through an encrypted channel which cannot be read by a third person.
How does HTTPS work?
Imagine there is a water reservoir and you want the water to flow to a village, so you dig an open canal from the reservoir to the village. The village can now easily receive fresh water from the reservoir.
But soon we find that the water is not safe. As the canal is open, anybody between the reservoir and the village can steal water from it. A lot of dust and dirt gets added to the water before it reaches the village, making it impure. Residents of other villages can see how much water is flowing and try to steal your water using pumps and hoses.
So, to overcome these troubles and protect the flow of water, you replace the open canal with huge water pipelines, which are a bit costly but much safer. Once the water flows through the pipelines, it stays pure and safe from dirt and dust. Also, no one can easily steal the water from the pipelines. Even if someone wants to steal the water, they have to break the hard metal pipes, which is a difficult task. This way you secure your water. It is now safe from falling into the wrong hands.
The case is similar with our internet traffic. Imagine the village as your mobile or desktop web browser and the reservoir as a website's server. When we open a website, a virtual channel is created from our browser to the website's server. As we use the public internet, this channel is visible to anyone who has access to the network devices along the way. They can see what information is traveling from your browser to the website's server and back. So if you input critical information such as usernames, passwords or bank information, it can be seen by a third person.
To avoid this, HTTPS comes into the picture! The use of HTTPS encrypts the channel with a secret key. This secret key is known only to the website’s server. It is a protective layer above your data. So if anyone wants to read your data, they will need to break the encrypted channel, which is possible only with the secret key. This way our information, traveling over the public internet, stays protected. The HTTPS data is difficult to break and no exfiltration can happen. But it does not mean the website is safe.
In the above example, even if the traveling water is safe from being stolen, anyone can still steal water from the reservoir. Impurity can be added to the reservoir itself or after the water reaches the village. Water can become impure or get stolen in the village. Similarly, websites can be hacked using other techniques, and vulnerabilities can reside in the website's code itself. Someone might install malware on the website’s server as well.
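The canal, the pipeline and the reservoir can be modelled in a few lines of Node.js. This is an added example, not code from the original article: it uses AES-256-GCM from Node's crypto module as a stand-in for the encrypted channel and leaves out the real TLS handshake and certificates; the request, the host name and all function names are constructed for the illustration.

```javascript
// Added illustration: a simplified model of an encrypted channel, not real TLS.
const crypto = require('node:crypto');

// Constructed sample login request (all values are made up).
const request = 'POST /login HTTP/1.1\r\nHost: shop.example\r\n\r\nuser=alice&password=S3cret!';

// What anyone with access to a network device can pull out of the bytes they see.
function observerSees(wireBytes) {
  const m = /password=([^&\s]+)/.exec(wireBytes.toString('latin1'));
  return m ? m[1] : null;
}

// Seal a message: AES-256-GCM encrypts it and adds an authentication tag,
// so the bytes on the wire are unreadable and any change to them is detectable.
function seal(key, plaintext) {
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  const body = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), body]); // iv | tag | ciphertext
}

// Open a sealed message; throws if the bytes were altered in transit.
function open(key, wireBytes) {
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, wireBytes.subarray(0, 12));
  decipher.setAuthTag(wireBytes.subarray(12, 28));
  return Buffer.concat([decipher.update(wireBytes.subarray(28)), decipher.final()]).toString('utf8');
}

function demo() {
  // Real HTTPS sets up its keys during the handshake; here one is simply generated.
  const sessionKey = crypto.randomBytes(32);
  const sealed = seal(sessionKey, request);

  const tampered = Buffer.from(sealed);
  tampered[tampered.length - 1] ^= 0x01; // one bit changed on the wire
  let tamperDetected = false;
  try { open(sessionKey, tampered); } catch { tamperDetected = true; }

  return {
    httpObserver: observerSees(Buffer.from(request)), // open canal: password readable
    httpsObserver: observerSees(sealed),              // pipeline: nothing readable
    tamperDetected,                                   // dirt added in transit is noticed
    serverSide: observerSees(Buffer.from(open(sessionKey, sealed))), // reservoir: plaintext again
  };
}

console.log(demo());
```

The last field is the point of the article: once the server has opened the message, the password is plaintext again, so whatever is wrong on the server is untouched by the encryption in transit.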
In short, HTTPS can assure the safety of data traveling over the public internet, which is equally necessary. We should not trust any website as ‘Safe From Hacking’ just because it has HTTPS. HTTPS helps in converting unsecured data into secured data, not the whole website.