HTTPS – Does that mean a website is secure?
John M. Haddad
Most web traffic online is now sent over an HTTPS connection, making it “secure.” In fact, Google now warns that unencrypted HTTP sites are “Not Secure.” So why is there still so much malware, phishing, and other dangerous activity online?
Secure sites only mean a secure connection
Chrome used to display the word “Secure” and a green padlock in the address bar when you were visiting a website using HTTPS. Modern versions of Chrome simply show a small gray lock icon there, without the word “Secure.”
That’s partly because HTTPS is now considered the new baseline standard. Everything should be secure by default, so Chrome only warns you that a connection is “Not Secure” when you’re accessing a site over an HTTP connection.
However, the word “Secure” is also gone because it was a little misleading. It sounds like Chrome is vouching for the contents of the site as if everything on this page is “secure.” But that’s not true at all. A “secure” HTTPS site could be filled with malware or be a fake phishing site.
So what does HTTPS do?
HTTPS is great, but it doesn’t make everything secure. HTTPS stands for Hypertext Transfer Protocol Secure. It’s the standard HTTP protocol for talking to websites, carried inside a TLS connection that encrypts and authenticates the traffic.
This encryption prevents anyone on the network path (your ISP, a coffee-shop Wi-Fi operator, a compromised router) from reading your data in transit, and it stops man-in-the-middle attacks that would modify the website as it’s sent to you. For example, no one can snoop on payment details you send to the website, and no one can inject a fake download into the page on its way to you.
In short, HTTPS ensures the connection between you and the particular website named in the address bar is secure. No one can eavesdrop on it or tamper with it. That’s it.
Dangers still exist
HTTPS is great, and all websites should use it. However, all it means is you’re using a secure connection with that particular website. The padlock doesn’t say anything about the contents of that website. All it means is the website operator has obtained a certificate for that domain (often for free) and set up encryption to secure the connection.
For example, a dangerous website full of malicious downloads might be delivered via HTTPS. All that means is the website and the files you download are sent over a secure connection, but the files themselves might not be safe.
Similarly, a criminal could register a domain like “bankoamerica.com,” get a TLS certificate for it from any public certificate authority, and imitate Bank of America’s real website. This would be a phishing site with the “secure” padlock, but all the padlock means is that you have a secure connection to that phishing site. The certificate proves you reached the domain in the address bar, not that the domain belongs to the company it imitates.
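To make the distinction concrete, here is an added example (not code from the article or its author) that separates the two questions: what the browser’s certificate check actually asserts, and the check it does not do. The certificate dictionaries are constructed by hand in the shape Python’s `ssl.SSLSocket.getpeercert()` returns, so nothing touches the network; the trusted-domain allow-list, the `lookalike_of` similarity heuristic and its 0.85 cutoff are assumptions for illustration, not a standard.

```python
"""Added example: TLS hostname verification vs. look-alike domain detection.

The padlock means some Subject Alternative Name (SAN) in the certificate
matches the host in the URL and the chain validates.  It says nothing
about whether that host is the brand it imitates.  Cert dicts below are
constructed stand-ins for ssl.SSLSocket.getpeercert(); no network I/O.
"""
import difflib

# Constructed stand-ins for getpeercert() output.  A public CA issues the
# look-alike certificate the same way it issues the real one: by checking
# control of the domain, not the legitimacy of the business behind it.
REAL_BANK_CERT = {
    "subject": ((("commonName", "bankofamerica.com"),),),
    "subjectAltName": (("DNS", "bankofamerica.com"),
                       ("DNS", "www.bankofamerica.com")),
}
LOOKALIKE_CERT = {
    "subject": ((("commonName", "bankoamerica.com"),),),
    "subjectAltName": (("DNS", "bankoamerica.com"),
                       ("DNS", "*.bankoamerica.com")),
}

# Assumed allow-list maintained by the reader (hypothetical).
TRUSTED_DOMAINS = ("bankofamerica.com",)


def dnsname_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style SAN match: case-insensitive; at most one wildcard,
    which must be the entire left-most label and matches exactly one label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # Reject 'f*o.example', '*.*.example' and overly broad '*.com'.
    if p_labels[0] != "*" or "*" in pattern[2:] or len(p_labels) < 3:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def cert_matches_host(cert: dict, hostname: str) -> bool:
    """What the padlock asserts: a SAN dNSName matches the URL's host.
    The Common Name is ignored, as modern browsers do."""
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    return any(dnsname_matches(san, hostname) for san in sans)


def lookalike_of(hostname: str, trusted_domains, cutoff: float = 0.85):
    """The check the padlock does NOT do: is this host a near-copy of a
    domain we trust?  Returns the imitated trusted domain, or None.
    Heuristic: difflib similarity ratio, or the brand label embedded in
    the host (e.g. 'bankofamerica.secure-login.example')."""
    host = hostname.lower()
    if host.startswith("www."):
        host = host[4:]
    if host in trusted_domains:
        return None
    for trusted in trusted_domains:
        brand = trusted.split(".")[0]
        ratio = difflib.SequenceMatcher(None, host, trusted).ratio()
        if ratio >= cutoff or brand in host:
            return trusted
    return None


def verdict(cert: dict, hostname: str, trusted_domains) -> str:
    """Combine both checks into what a user should actually conclude."""
    if not cert_matches_host(cert, hostname):
        return "connection-not-secure"
    imitated = lookalike_of(hostname, trusted_domains)
    if imitated:
        return f"secure-connection-to-lookalike-of-{imitated}"
    return "secure-connection"


if __name__ == "__main__":
    for cert, host in ((REAL_BANK_CERT, "www.bankofamerica.com"),
                       (LOOKALIKE_CERT, "bankoamerica.com"),
                       (LOOKALIKE_CERT, "login.bankoamerica.com")):
        print(f"{host:28s} -> {verdict(cert, host, TRUSTED_DOMAINS)}")
```

Run it and both bank hosts pass `cert_matches_host`, which is exactly the page’s point: the phishing domain gets a clean padlock because its certificate really is for `bankoamerica.com`. Only the separate `lookalike_of` check, which no certificate authority performs for you, flags it.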
HTTPS is great for the internet. On legitimate sites, doing transactions with HTTPS will ensure your data is encrypted during transmission.
However, HTTPS does not mean the site is legitimate, or that it cannot deliver malware in downloaded files. It doesn’t mean that if you enter a social security number, for example, that information will not be misused by whoever runs the site. All it means is that whatever is transmitted is protected in transit.
So, don’t fall into a false sense of security with HTTPS sites. Make sure the company and the site are legitimate before doing business over them.