Guest post by Samir Nassar, digital security consultant
In recent years attacks against large public websites such as Facebook and Google have accelerated the important trend to increase user security by moving web communication from HTTP to HTTPS.
What is HTTP?
HTTP is the method that web browsers and many applications use to communicate over the internet. When you open a website with a browser (like Firefox or Chrome), the information is communicated between the site and your computer using HTTP.
HTTP allows anyone on the same network, or anywhere between your computer and the server, to read what you are downloading and uploading, including your passwords. With more computers using wireless networks, especially in cafes and similar public places, it becomes trivially easy for malicious parties to spy on, steal, and sabotage your online activity.
What is HTTPS?
HTTPS encrypts the communication between your web browser and a website to hide the information being exchanged. In most cases, the only information an attacker can access when HTTPS is in use is the domain name you are viewing and the website’s IP address.
What does HTTPS mean in practice?
When you are browsing, HTTPS protects your privacy and data in some simple but very useful ways:
- HTTPS hides the full URL from an attacker’s view.
If, for example, you are reading an article about an LGBTQI issue on a general news website, a monitoring party is only able to see that you visited the site but would not see which specific articles you read. (Be advised, however, that if the website itself is LGBTQI-specific, that is another challenge entirely.) HTTPS does not protect you from someone pursuing other ways to access your full browsing history, but it limits the data available when tapping your internet communication at a cafe or if authorities demand this information from your ISP.
- HTTPS shields usernames and passwords from monitoring.
HTTPS protects login information from being read by malicious people on your network. Think twice before participating in forums or websites without HTTPS. If you do choose to participate on HTTP-only sites, be very careful not to use your real name or share any personally identifying information.
- HTTPS protects files from surveillance and modification when they are being uploaded and downloaded.
If you are working with sensitive information but you only have access to an HTTP website, it is safer to wait until you have access to an HTTPS-enabled website before you upload or download anything.
What You Can Do for Safer Browsing
Some websites have HTTPS enabled, but still use HTTP by default as a cost-saving strategy. You can help secure your browsing by using the HTTPS Everywhere tool, which has a Firefox add-on and a Chrome extension. HTTPS Everywhere forces your browser to use the HTTPS version of a website whenever one is available.
Each time you visit a new website, look at the address bar. If you don’t see “https://” before the domain name, you are only using HTTP. Be extra alert and vigilant about your activity on that site.
Samir Nassar is an independent digital security trainer and consultant working primarily in Europe and throughout the MENA region.