How does HTTPS protect you (and how does it not protect you?)

We’ve always advised web users to look for HTTPS and the lock icon in the address bar of their favorite browser (Firefox!) before typing passwords or any other private information into a website. These are solid tips, but it’s worth digging into what HTTPS does and doesn’t do to protect your online security and the steps you need to take to be more secure.

Trust is more than just encryption

It is true that looking for the lock icon and HTTPS helps prevent attackers from seeing the information you send to a website. HTTPS also prevents your Internet Service Provider (ISP) from seeing which pages you visit beyond the top level of a website. This means your ISP can see which site you visit regularly, for example, but not which pages on that site you spend most of your time on. But while HTTPS ensures that your communication is private and encrypted, it doesn’t guarantee that the site won’t try to trick you.

Because here’s the thing: any website can use HTTPS and encryption. That includes good and reliable websites as well as bad ones run by fraudsters, scammers and malware makers.

Perhaps by now you’re confused, wondering how a disreputable website can use HTTPS. You’ll be forgiven if you’re wondering, in all caps, HOW COULD THIS BE?

The answer is that the security of your connection to the website – provided by HTTPS – knows nothing about the content being transferred or the motives of the party at the other end. It’s a lot like owning a phone. The phone company is not responsible for scammers calling you and trying to get your credit card number. It’s up to you to know who you’re talking to. The job of HTTPS is to provide a secure line, not a guarantee that scammers won’t talk through it.

That’s on you. Tough love, I know. But think about it. Scammers go to great lengths to deceive you, and their motive pretty much boils down to one thing: separating you from your money. That applies everywhere in life, online and offline. Your job is to not be deceived.

How do you spot a fraudulent website?

Consider uniforms. They generally evoke authority and confidence. If a well-dressed, legitimate-looking person standing outside your bank says they work there and offers to take your money inside and deposit it for you, would you trust them? Of course not. You’d walk into the bank yourself. Apply the same skepticism online.

Since scammers go to great lengths to deceive you, you can expect them to show up in a virtual costume to convince you to trust them. “Phishing” is a form of identity theft that occurs when a malicious website impersonates a legitimate one to trick you into giving out sensitive information such as passwords, account details or credit card numbers. Phishing attacks usually start with emails that try to lure you, the recipient, into updating your personal information on fake but very real-looking websites. These sites may also use HTTPS in an attempt to look more legitimate in your eyes.
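The post’s point is that a phishing link can look perfectly legitimate, lock icon and all, so the tell is in where the link actually goes rather than in how it is presented. The following is an added example, not code from the original post: a small defender-side check of the kind a mail filter or security-awareness tool might run, flagging links whose visible text and real destination disagree, and links that bury a trusted brand’s domain inside an unrelated one. The sample email and every hostname in it are constructed placeholders, and the registrable-domain helper is a deliberate simplification (real filters use the Public Suffix List).

```python
"""Added example: flag suspicious links in an email by comparing what a link
shows with where it actually goes. Sample data below is constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: one honest link, one whose visible text and target
# disagree, and one that hides a brand name inside another domain.
SAMPLE_EMAIL_HTML = """
<p>Your account has been frozen. Please verify at
<a href="https://www.example-bank.com/login">https://www.example-bank.com/login</a>.</p>
<p>Or use <a href="https://login.badhost.test/">https://www.example-bank.com/login</a>.</p>
<p>Update details: <a href="https://www.example-bank.com.badhost.test/verify">click here</a></p>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude 'last two labels' approximation of the registrable domain
    (a real filter would consult the Public Suffix List)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def analyze_link(href, text, trusted_brands):
    """Return the reasons a link looks like phishing (empty list = none found)."""
    reasons = []
    target = urlparse(href)
    host = target.hostname or ""
    if target.scheme != "https":
        reasons.append("not HTTPS")
    # Visible text that looks like a URL but points to a different site.
    shown = urlparse(text) if text.startswith(("http://", "https://")) else None
    if shown and shown.hostname and registrable_domain(shown.hostname) != registrable_domain(host):
        reasons.append(f"text shows {shown.hostname} but link goes to {host}")
    # A trusted brand's domain appearing as a label inside an unrelated domain.
    for brand in trusted_brands:
        if brand in host and registrable_domain(host) != brand:
            reasons.append(f"brand {brand} used inside unrelated domain {registrable_domain(host)}")
    if "xn--" in host:
        reasons.append("internationalized (punycode) hostname; check for look-alike characters")
    return reasons


def scan_email(html, trusted_brands=("example-bank.com",)):
    """Return [(href, reasons)] for every link in the email body."""
    parser = LinkCollector()
    parser.feed(html)
    return [(href, analyze_link(href, text, trusted_brands)) for href, text in parser.links]


if __name__ == "__main__":
    for href, reasons in scan_email(SAMPLE_EMAIL_HTML):
        print(("SUSPICIOUS " if reasons else "ok         ") + href, *reasons, sep="\n    ")
```

Note that the check never needs to know whether the link uses HTTPS: the second and third links are flagged even though both are `https://`, which is exactly the post’s point about the lock icon.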

Here are some things you should do.

Do not click on suspicious links.

I once got a message telling me that my Bank of America account had been frozen, and that I needed to click on it to fix it. It looked authentic; however, I don’t have a BoFA account. That’s what phishing is – laying a line to lure someone. If I had a BoFA account, I might have clicked the link. The safest way is to go directly to the Bank of America website, or call them, to see if the email is fake.

If you get an email saying your bank account is frozen/there is a discrepancy in your PayPal account/you have an unpaid bill/you get the idea, and it looks legitimate, go straight to the source. Don’t click the link in the email, no matter how convincing it is.

Heed the warnings.

Firefox has built-in phishing and malware protection that warns you when the page you’re visiting has been flagged as a phishing or malware site. If you see a warning that looks like this, click the “Get me out of here!” button.

HTTPS is important

Most major websites that require a customer login already use HTTPS. Think: financial institutions, media, stores, and social media. But it is not universal: not every website uses HTTPS automatically.

With Firefox’s HTTPS-Only mode, the browser forces all connections to websites to use HTTPS. Enabling this mode guarantees that all your communication with websites is upgraded to HTTPS and is therefore secure. Some websites only support HTTP, and those connections cannot be upgraded. If HTTPS-Only mode is enabled and the HTTPS version of a site is unavailable, you will see the “Secure Connection Unavailable” page. If you click “Proceed to the HTTP site”, you accept the risk and will then visit the HTTP version of the site; HTTPS-Only mode is paused for that site.
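To make the sequence above concrete (upgrade every `http://` navigation, show an interstitial instead of loading the page when the upgrade is impossible, and pause the policy for a site only after the user accepts the risk), here is an added example that models that decision logic. It is not Firefox’s code; the `https_available` callback stands in for the browser actually attempting the HTTPS connection and, in this demo, consults a constructed table of placeholder hosts.

```python
"""Added example: a small model of an HTTPS-Only navigation policy.
Hosts and their HTTPS support below are constructed sample data."""
from urllib.parse import urlparse, urlunparse

# Constructed sample: which placeholder sites answer over HTTPS.
SAMPLE_HTTPS_SUPPORT = {
    "shop.example": True,         # supports HTTPS, upgrade succeeds
    "old-forum.example": False,   # HTTP only, cannot be upgraded
}


def upgrade_to_https(url):
    """Rewrite an http:// URL to https://, leaving host, port, path and query intact."""
    parts = urlparse(url)
    if parts.scheme != "http":
        return url
    return urlunparse(parts._replace(scheme="https"))


class HttpsOnlyMode:
    """Tracks the policy state: whether it is enabled, and which hosts the
    user has explicitly paused it for by clicking through the interstitial."""

    def __init__(self, https_available, enabled=True):
        self.https_available = https_available   # callable: host -> bool
        self.enabled = enabled
        self.paused_for = set()

    def navigate(self, url):
        """Return (url_to_load, outcome). When the outcome is
        'secure-connection-unavailable' nothing is loaded; the browser shows
        the interstitial and waits for the user's decision."""
        parts = urlparse(url)
        host = parts.hostname or ""
        if not self.enabled:
            return url, "disabled"
        if parts.scheme == "https":
            return url, "already-https"
        if host in self.paused_for:
            return url, "paused"          # user accepted the risk for this site earlier
        if self.https_available(host):
            return upgrade_to_https(url), "upgraded"
        return url, "secure-connection-unavailable"

    def proceed_to_http(self, url):
        """User clicked 'Proceed to the HTTP site': pause the mode for that host only."""
        self.paused_for.add(urlparse(url).hostname or "")
        return url, "paused"


if __name__ == "__main__":
    mode = HttpsOnlyMode(lambda host: SAMPLE_HTTPS_SUPPORT.get(host, False))
    for url in ("http://shop.example/cart?item=1", "http://old-forum.example/"):
        print(url, "->", mode.navigate(url))
    print(mode.proceed_to_http("http://old-forum.example/"))
    print(mode.navigate("http://old-forum.example/thread/5"))
```

The pause is per host, not global: after proceeding on `old-forum.example`, a later `http://shop.example` navigation is still upgraded.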

It is not difficult for websites to switch. The website owner needs to get a certificate from a certificate authority (CA) to enable HTTPS. In December 2015, Mozilla joined forces with Cisco, Akamai, EFF, and the University of Michigan to launch Let’s Encrypt, a free, automated, and open certificate authority working in the public interest.

HTTPS across the web is good for the health of the internet because it provides a more secure environment for everyone. Alongside encryption, it provides integrity, so the site’s content cannot be modified in transit, and authentication, so users know they are connecting to the legitimate site and not to some attacker. Lacking any of these three properties causes problems. More unsafe sites means more risk on the web in general.
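The authentication property mentioned above rests on a check that is easy to overlook: after the certificate chain verifies back to a trusted CA, the client still has to confirm that the name the certificate certifies is the host it asked for, otherwise a valid certificate for one site would “authenticate” any other. The following is an added example, not code from the post or from any browser, implementing the common DNS-name matching rules (case-insensitive, a wildcard only as the whole leftmost label, matching exactly one label, and never standing in for the registrable domain). The subject alternative names are a constructed sample, and `client_context()` only shows that Python’s default TLS context enforces this check.

```python
"""Added example: the hostname check that gives HTTPS its authentication
property. SAMPLE_SAN is a constructed certificate name list."""
import ssl

# Constructed sample: the subject alternative names a certificate might carry.
SAMPLE_SAN = [("DNS", "www.example.com"), ("DNS", "*.cdn.example.com")]


def dns_name_matches(hostname, pattern):
    """Does one certificate DNS name (possibly a wildcard) cover this hostname?"""
    host = hostname.lower().rstrip(".").split(".")
    pat = pattern.lower().rstrip(".").split(".")
    if len(host) != len(pat) or len(host) < 2:
        return False              # a wildcard never spans more than one label
    if pat[0] == "*":
        if len(pat) < 3:
            return False          # "*.com" must not match every .com site
        return host[1:] == pat[1:]
    if "*" in pattern:
        return False              # partial wildcards such as "w*w.example.com" are rejected
    return host == pat


def certificate_matches(hostname, subject_alt_names):
    """True if any DNS entry in the certificate covers the requested hostname."""
    return any(kind == "DNS" and dns_name_matches(hostname, name)
               for kind, name in subject_alt_names)


def client_context():
    """Python's default client context: verifies the chain against the system
    CA store and refuses connections whose certificate does not match the host."""
    return ssl.create_default_context()


if __name__ == "__main__":
    for name in ("www.example.com", "img1.cdn.example.com", "a.b.cdn.example.com",
                 "www.example.com.attacker.test"):
        print(f"{name:32} matches: {certificate_matches(name, SAMPLE_SAN)}")
    ctx = client_context()
    print("hostname check on:", ctx.check_hostname, "| verify mode:", ctx.verify_mode.name)
```

The last two hostnames in the demo are the important ones: a wildcard covers one label only, and appending a legitimate name in front of an unrelated domain does not make it match.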

If you come across a website that doesn’t use HTTPS, send them a note encouraging them to join in. Post on their social media or email them to tell them it matters: “I love your site, but I noticed it’s not secure. Get HTTPS from Let’s Encrypt to protect your site and your visitors.” If you run a website, encrypting your site will make it safer for you and your visitors and contribute to web security in the process.

In the meantime, share this article with your friends so they understand what HTTPS does and doesn’t for their online security.
