Update January 2017
Great news: measurements by Mozilla show that > 50 % of page loads are HTTPS \o/
Original Post
Without encryption you could not do online shopping, online banking or even downloads and updates over the internet without running an extreme risk.
Did you know that you are already using encryption in your browser without noticing it? The small lock icon in the address bar indicates that encryption is currently turned on. Many sites (especially shops and banks) support it. Encryption brings you no disadvantages, but many advantages.
By encrypting the communication between your browser and the server you gain three important benefits:
Authentication
The server (the banking page, for example) “shows its passport” to your browser, which then verifies it. You will only ever notice the process if the verification fails. This mostly happens when the site owner forgets to renew the certificate (certificates must be renewed every few weeks or years). It’s highly likely that you have already seen one of those browser notifications rejecting a certificate as invalid. A short time later the site owner should have gotten a new certificate to fix it. Without authenticating your transaction partner, there is no way of doing secure online banking or shopping.
Secrecy
Secrecy prevents others from reading the data packets running between your browser and the server. That includes banking credentials like credit card numbers, your passwords, and usernames …
Without any doubt you do not want anyone to read those data. Without secrecy there is no way of shopping online securely.
Integrity
There are tools that modify network packets on the fly. They are power tools for administrators or scientific tools and have legitimate areas of application. But with the same tools, an attacker connected to the same network as you can modify the data you send. This is very simple if the attacker is in the same network segment as you (connected to the same switch or Wi-Fi access point), and it is also possible across the whole network by manipulating the traffic (DNS changer attacks or BGP attacks).
Without integrity there is no way of shopping online securely.
https: A panacea?
Encryption (like the httpS encryption) offers all those features. Banning encryption would break the internet as a trustworthy environment and as a marketplace.
To talk to a server over an encrypted connection, the server must support it. This requires getting a certificate, changing a configuration file and testing the whole page. The effort takes anywhere between minutes and weeks, depending on the complexity of the page. The server administrator and the web designers should normally handle the process. Shops and banks should have made this switch some years ago.
But to establish an encrypted channel, there must be an agreement between the server and the browser. This can happen in three ways:
- The server administrator sets up a 302-redirect and pushes all unencrypted traffic to the encrypted channel
- Or the web designer changes all the links in the page from http://something.de to https://something.de
- Or the user enters https:// in the URL bar to request encryption
All of those cases involve humans. Humans make mistakes. The EFF’s HTTPS-Everywhere (integrated into our browser) has a database of servers supporting encryption. For every page in its database it replaces the http:// with https:// – with just one single character changed, you benefit immensely.
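The rewrite described above can be sketched as follows. This is an added example, not the EFF's code: the rule-set format, the host names and the `upgradeUrl` and `hostMatches` helpers are assumptions made for illustration.

```javascript
// Constructed rule set (not the real HTTPS Everywhere database or format):
// hosts assumed to serve the same content over HTTPS.
// A leading "*." matches any subdomain, but not the bare domain itself.
const RULES = {
  hosts: ["shop.example", "*.bank.example"],
  // Hypothetical exclusion: a path known to break when fetched over HTTPS.
  exclude: [/^http:\/\/legacy\.bank\.example\/stream\//],
};

function hostMatches(host, pattern) {
  if (pattern.startsWith("*.")) {
    // ".bank.example" must be a true suffix, so "evilbank.example" fails.
    return host.endsWith(pattern.slice(1));
  }
  return host === pattern;
}

// Returns { url, upgraded }. Anything that is not a known-good plain-HTTP
// URL is handed back unchanged.
function upgradeUrl(raw, rules = RULES) {
  const unchanged = { url: raw, upgraded: false };
  let url;
  try {
    url = new URL(raw); // normalises scheme and host to lower case
  } catch {
    return unchanged; // relative or malformed: nothing to upgrade
  }
  if (url.protocol !== "http:") return unchanged;
  // An explicit non-default port rarely speaks TLS on the same number.
  if (url.port !== "") return unchanged;
  if (rules.exclude.some((re) => re.test(url.href))) return unchanged;
  if (!rules.hosts.some((p) => hostMatches(url.hostname, p))) return unchanged;
  url.protocol = "https:";
  return { url: url.href, upgraded: true };
}

console.log(upgradeUrl("http://shop.example/cart?id=1"));
console.log(upgradeUrl("http://evilbank.example/login"));
```

The look-alike host `evilbank.example` is left on HTTP because the wildcard only matches true subdomains of `bank.example`.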
This is especially true in networks you cannot trust (remember: easy attacks in the same network segment) and is therefore essential for your security. Untrusted networks include: open Wi-Fi, public Wi-Fi, hotel networks, … wait, why not just every network?
We are not there yet
It’s sad, but HTTPS Everywhere is not perfect (yet). There are more advanced attacks that still can succeed (SSLStrip, Superfish) but the largest issue is:
Not all those servers support HTTPS
The EFF is currently writing a tool to simplify the server setup (called “Let’s Encrypt”). But even with that, not all servers will migrate.
We are currently investigating another technology that combines extremely well with HTTPS Everywhere, to get your data encrypted over your Wi-Fi, no matter what.
TL;DR:
Encrypted networks should be a default. We(*) are getting there.
*) The engineers building the internet
Very thoughtful article. It is my personal observation that HTTPS is quite slow as compared to the previous HTTP. But it is an unusual step for establishing a secure room for business transactions on the world wide web.
Dear Sirs, I speak a little bad English but about your kindness the give all the people a possibility the to have your PC protect by your system about the eventuality that we’re victim to the hackers and the bad intention of them. I’m a simple man and in the quality of the user I don’t know more than the basic, so thank you very much for your free service. I don’t know what can I say more about your example and generosity. Thank you once more, and I present you my Best Regards,
Jorge Leite
https everywhere gets me hacked through fb browser
No matter how far one goes with absolute data security, a security hole will always be found. I would rather go to the bank and talk to the bank clerk.
Good will always be rivaled by evil.
It was always like that. It will always stay that way.
3% of all people care about the well-being of the universe. The rest of the people are hardly interested.
Morally speaking, humanity has not changed at all over the thousands of years.
nice
good
Avira is a high-technology product. Quite perfect. I am delighted with the functions of this device.
EXCELLENT!
Avira is updating its services. Better every time.
Thanks
very good work avira, keep doing your bit to make the www a safe place
I did grow up with Englishmen (from 1945 in Iserlohn, their garrison town and my birthplace), but they always learned German faster than I learned English.
Lazy as I am, it has stayed that way.
But it has not harmed me at all…
Kind regards
DSt
José Antonio
And the Spanish version?
very good avira, just in time
Does a French version exist?