HTTPS does not mean your data is safe

More and more websites are using Hypertext Transfer Protocol Secure (HTTPS) by default. Recently, the White House Office of Management and Budget (OMB) declared that all public-facing websites for U.S. government agencies will use HTTPS by the end of 2016. The increased use of HTTPS instead of unencrypted HTTP is great news for data security and privacy, but HTTPS alone does not mean that your data is safe. It is important to understand what HTTPS does and does not do to protect Internet data.

If a website does not use HTTPS and instead uses regular, unencrypted HTTP that generally means everything sent between you and that web server is sent in plain text. It is unencrypted. Anyone can read it whether it’s an email, a search query, or a form you filled out.

PostcardsThink of unencrypted Internet data as postcards. If you are on vacation and send a postcard to your mom, anyone who sees that postcard before it is delivered to your mom can easily read what you wrote to her.

Information you send over HTTP is like that except on the Internet nosy people don’t have to hope they happen to see interesting postcard. Online people can use software to collect a lot of Internet traffic (postcards) and search their content for whatever interests them.

HTTPS puts those postcards into little locked boxes. Anyone can still grab them from the network like postcards, but the only* people who can open the boxes (unencrypt the messages) are the intended recipients. In the previous example, no one can read your postcard except your mom.

This is why privacy and security folks are so excited about the expanded use of HTTPS. Encryption prevents the easy collection and analysis of web traffic. Hooray!

But…

https green lockTo say that if you see HTTP and the little green lock on your browser’s navigation bar means a website is “safe” (as I’ve heard said many times before) is an exaggeration.

HTTPS only protects data as it travels to its destination. HTTPS makes no guarantees as to what happens to your data once it arrives where it was going.

The U.S. Office of Personnel Management (OPM) had a data breach that compromised the records of up to 4 million current and former Federal employees. This was data that was being stored by OPM. It was not traveling over the Internet, so HTTPS didn’t matter at that point.

After data securely reaches it’s destination over HTTPS it may or may not be stored in an encrypted manner. There may or may not be strong security controls preventing unauthorized access to it. There may or may not be malicious employees looking to steal your data or spy on your personal messages.

If you click on a link in phishing email it may take you too a fake version of your bank’s website. That fake site may use HTTPS, which just means your information will be securely delivered to the criminals who are collecting it.

Unfortunately, it is much harder to know about a company’s internal security practices than it is to know if their website uses HTTPS. Still there are some things you can do to try to keep your data safe:

  • Look for the HTTPS and green lock on your browser’s navigation window. Sure, HTTPS doesn’t protect your data completely, but it’s a really good start.
  • Be picky about the sites with which you share your data. If you aren’t familiar with the company try to learn more about it’s reputation before filling out any of their forms.
  • Check to be sure you have the correct website URL. YourBank.com is probably right. YourBankInfoVerification.com or YourBank.com.ru probably are not.
  • Paste URLs from emails instead of clicking on them because the code behind the link may not match what you see.
  • Only provide websites with the minimum information required, and opt out of having your data saved, particularly if you don’t plan to use a site frequently.

The wider deployment of HTTPS is wonderful news for data security and privacy. Just don’t be naive about what it can do.

*Yes, encryption can be cracked, but it is not practical to do in bulk. Unless someone is specifically targeting your particular bit of web traffic they aren’t like to bother with trying to decrypt it.

RELATED POST: 5 reasons you should care about privacy issues

PREVIOUS POST: 3 books I don’t want my children to read

Get notified of new posts by email. Type your email address in the box and click the “create subscription” button. My list is completely spam free, and you can opt out at any time.

Share security tips and curious miscellany with Kim Z. Dale on TwitterFacebook, and Google+ .

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.