
How Secure is HTTPS?


If 81% of websites on the internet use HTTPS, are 81% of websites safe and secure?

In the past, HTTP was the most prevalent protocol for data exchange on the web. However, HTTP was never intended to transmit private information. Today, HTTPS (Hyper Text Transfer Protocol Secure) is the preferred and secured version of HTTP. HTTPS uses encryption to secure communications on the web by encrypting data in transit between the web browser and server.

According to Web Technology Survey’s HTTPS report, 81% of websites use HTTPS by default. Does this mean 81% of websites on the internet are safe and secure? TL;DR: Not necessarily. Truth be told, those “secure” lock symbols in the address bar can’t guarantee that a website is safe.

So, if HTTPS is supposed to be secure, why isn’t this always the case? Let’s jump in and answer the question: How Secure is HTTPS?

A URL beginning with the HTTPS scheme and lock symbol.


What is HTTPS? How Does it Protect Private Information?

HTTPS, or Hypertext Transfer Protocol Secure, is the secure version of HTTP (Hypertext Transfer Protocol). When a website has “https://” in the URL, you can assume that the website has been authenticated through a third party and that it uses encryption. HTTPS uses SSL/TLS encryption to secure communication on the internet when payments are made, passwords are used, or other data is transferred on the web.

HTTPS Encrypted Connection vs Insecure HTTP Connection

You might be wondering, why is HTTPS so important? Simply put, HTTPS keeps internet communication safe from unwanted eyes. Plus, industry leaders such as Google and Mozilla are encouraging the spread of HTTPS across the internet. Keep reading to learn why HTTPS is becoming more and more popular on the web.

1. HTTPS Secures Data In-Transit

HTTPS is a critical element of internet security for both website visitors and owners. Communication with HTTP sends data in plain text, making it easier for attackers to intercept communication in transit and access private data. Unlike this, HTTPS protects data when it’s in transit, ensuring that even on public Wi-Fi, your data is safe.

HTTPS protects in-transit data by scrambling the plain text into ciphertext that can only be unlocked with a private key. This ensures attackers can’t read credit card payments, bank details, and other personally identifiable information when they are transferred on the internet. By protecting in-transit data, HTTPS makes sure transactions are secure, while also forming a level of trust between a website’s visitors and owners. But, even if a website doesn’t handle transactions or secure information, in this day and age, HTTPS is an essential component to safe internet practices.

2. HTTPS Prevents Man-in-the-Middle Attacks

Man-in-the-Middle (MITM) attacks can prove disastrous to an organization and website users. MITM attacks occur when hackers intercept communication between websites and browsers to “listen in” to steal sensitive information. Often, hackers gain access to a network by hacking into Wi-Fi routers, DNS servers, or ISP networks.

Once the attacker gains access to the network, they can “listen in” and inspect data to steal private information. Aside from being able to gather sensitive information, once the MITM attacker gains access to the network, they can even alter messages. What’s worse is that these hackers can even reroute the requests to completely different destinations or inject malicious messages.

But HTTPS is the solution to prevent these attacks. The HTTPS protocol provides another layer of security when data is in transit. First, HTTPS converts plain text into ciphertext. Then, it ensures data isn’t altered by detecting modifications quickly. Lastly, HTTPS confirms the data transfer is conducted to/from the requested website, preventing hackers from rerouting the data.

3. HTTPS Eliminates Your Browser’s “Not Secure” Warning

Have you ever visited a website and spotted a warning from your browser that the website isn’t secure? That’s because the website was using HTTP, which is the less secure predecessor of HTTPS. In 2017, Google began pushing warnings on HTTP pages with credit card or password forms. These “not secure” warnings tell webpage visitors that the website uses an HTTP connection. In February of the following year, Google announced that from July 2018 onward, Chrome would label websites not using HTTPS as “not secure.” 

Today, all major web browsers warn users when the website uses HTTP instead of HTTPS. Plus, many browsing features require HTTPS, increasing the usage of HTTPS and ultimately making the internet a more secure place.

Not Secure warning on Chrome

4. Google Boosts Rankings for Websites with HTTPS

Gone are the days of HTTPS being a nice-to-have bonus to your website. Now, Google uses HTTPS as a ranking factor in its algorithm. As a result, websites protected by SSL encryption (i.e., HTTPS) receive ranking boosts over websites that aren’t (i.e., HTTP).

According to Google, websites using HTTPS receive a ranking boost because they are more trustworthy and improve the user experience. HTTPS is a single factor that Google’s algorithm uses to determine website rankings. That’s not to say HTTPS is the most important factor in ranking, but it does play a role.

Aside from the direct implications of using HTTPS, Google’s “not secure” warning can act as an indirect deterrent. Who wants to visit a website labelled “not secure” anyway? Even the least technically savvy person will steer clear of an insecure site, impacting the website’s bounce rate.

5. HTTPS Increases Customer Trust

HTTPS is an essential aspect of any website. However, the importance of HTTPS on e-commerce websites can’t be overlooked. When a visitor clicks on a website and is immediately pestered with a “not secure” warning, they might avoid the website altogether and return to the Google search results page.

Websites secured by HTTPS are more secure for customers than HTTP. A growing threat in today’s world is data breaches. A data breach is a surefire way to reduce customer trust and loyalty. For small businesses, the loss of customer trust can be even more damaging.

A report by IBM found that in the U.S., data breaches accounted for an average whopping loss of $9.44 million. Globally, the average cost of data losses is $4.35 million. Importantly, this study also found that 2021 had the largest average loss associated with data breaches in the last 17 years.  

The threat of data breaches is becoming more prevalent, especially with remote work. A data breach could prove disastrous for businesses trying to foster customer loyalty. Here’s what a recent study reported about data breaches and customer trust:

  • 78% of customers would stop engaging with a brand online after a data breach.
  • 49% of customers wouldn’t sign up for a service or app if they were impacted by a data breach already.
  • 36% of customers reported they would stop engaging with a brand altogether after a data breach.

What HTTPS Can’t Protect You From

Does HTTPS mean the website you are visiting is entirely safe from attackers? Not quite. HTTPS is highly effective at protecting in-transit data, fighting against Man-in-the-Middle Attacks, and building customer trust. So, how secure is HTTPS? To answer that question, let’s talk about why HTTPS can’t prevent every form of cyberattack.

1. Deployment Mistakes Can Lead to Vulnerabilities

The first key to understanding that HTTPS isn’t always safe and secure is to recognize that it’s susceptible to human error. When hosting a website over HTTPS, all websites should avoid mixed content (i.e., HTTP and HTTPS). Instead, every webpage and file should use HTTPS, or cybercriminals could exploit vulnerabilities.

Sometimes, a website might have the main page delivered by HTTPS, but stylesheets, JavaScript, and media elements might be fetched by HTTP. This risky practice opens the door for a hacker to exploit HTTP vulnerabilities. Even if the main page is secure through HTTPS, delivering the CSS code via HTTP could allow an attacker to inject malicious code. In this case, the attacker could use the malicious code to take over the page’s Document Object Model (DOM), which is how the web browser displays a webpage.
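As an added example (not part of the article), here is a small Python scanner that finds the mixed-content references the paragraph describes: it resolves every subresource URL against the page URL and reports any that would load over plain http://. The page URL, the HTML and the hostnames in it are constructed for the demonstration; the split into “active” and “passive” follows the browsers’ blocking rule for scripts, stylesheets and frames versus images and media.

```python
"""Find mixed content in an HTML page (added example, not from the article)."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Attributes on which a browser fetches a subresource.
URL_ATTRS = {
    "script": ("src",),
    "link": ("href",),
    "iframe": ("src",),
    "object": ("data",),
    "embed": ("src",),
    "img": ("src", "srcset"),
    "source": ("src", "srcset"),
    "audio": ("src",),
    "video": ("src", "poster"),
}
# Loads that let an attacker run code or restyle the page ("active" mixed content,
# blocked by browsers) versus images/media ("passive", shown with a warning).
# Simplification: every <link> is treated as active, not only rel="stylesheet".
ACTIVE_TAGS = {"script", "link", "iframe", "object", "embed"}


class MixedContentParser(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (tag, attribute, absolute_url, severity)

    def handle_starttag(self, tag, attrs):
        for attr, value in attrs:
            if not value or attr not in URL_ATTRS.get(tag, ()):
                continue
            # srcset is "url descriptor, url descriptor, ..."; take each URL.
            if attr == "srcset":
                refs = [c.strip().split()[0] for c in value.split(",") if c.strip()]
            else:
                refs = [value]
            for ref in refs:
                absolute = urljoin(self.page_url, ref)  # resolves relative and //host refs
                if urlparse(absolute).scheme == "http":
                    severity = "active" if tag in ACTIVE_TAGS else "passive"
                    self.findings.append((tag, attr, absolute, severity))


def find_mixed_content(html, page_url):
    """Return mixed-content findings for an HTML document served at page_url."""
    if urlparse(page_url).scheme != "https":
        return []  # the problem only exists on a page that is itself HTTPS
    parser = MixedContentParser(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page: one insecure stylesheet, one insecure image, and two
# references (scheme-relative and root-relative) that resolve to https.
SAMPLE_PAGE = "https://shop.example/checkout"
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://cdn.example/site.css">
<script src="//cdn.example/app.js"></script>
<script src="/static/checkout.js"></script>
</head><body>
<img src="http://img.example/logo.png">
<img src="https://img.example/hero.png">
</body></html>"""

if __name__ == "__main__":
    for tag, attr, url, severity in find_mixed_content(SAMPLE_HTML, SAMPLE_PAGE):
        print(f"{severity:8s} <{tag} {attr}> {url}")
```

Scheme-relative (`//cdn.example/...`) and root-relative references resolve to https on an https page, so they are not flagged; references inside inline CSS `url()` or built at runtime in JavaScript are outside what this parser sees. On the server side, the Content-Security-Policy directive `upgrade-insecure-requests` tells supporting browsers to rewrite such http:// subresource fetches to https before they leave the browser.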

2. Cookies Can Still Be Stolen

Cookies are data files used to track your activity for a customized website experience. Some cookies are temporary and help the website to remember things about your last visit to the same website. They make sure you don’t have to type your password in repeatedly or can pick up where you left off when shopping on an e-commerce site.

Another type is the persistent cookie, which allows websites to do things like remember your account/login information. Even though these persistent cookies make it easier to enter your account, they may leave you vulnerable to cookie scraping. Cookie scraping occurs when a hacker copies the session identifier stored in your cookie and uses it to log into the website as you.

The moral of the story? Even if a website uses HTTPS, you could still be susceptible to attacks like cookie scraping. 

3. HTTPS Can’t Guarantee Safe Data Storage 

HTTPS protects data in motion between the browser and a website server. The data communication between the browser and server is encrypted, meaning an outside party can’t read your private information. Yet, it doesn’t guarantee that your data will be protected once it’s transferred to your website server. 

Let’s suppose you won a luxury car in a raffle that will be delivered to your home. During the trip, your new car is completely protected, but once it reaches your house, it’s no longer covered. In fact, your home security doesn’t even reach the garage. A thief could exploit this vulnerability and rob your car in this scenario. 

HTTPS protects your data in transit from being intercepted, tampered with, or read. But HTTPS cannot ensure safe data storage when the data reaches its destination. 

4. A Private Key Can Be Compromised

Encryption transforms plaintext into unreadable ciphertext. In the case of SSL/TLS encryption, two different keys (public and private) are used for encryption and decryption. Generally, this type of encryption is very safe as long as the private key is safe. Although it’s difficult, a hacker can steal the private encryption key, allowing them to read sensitive data. In fact, if a private key is compromised, a hacker could access all the data communicated between the client and server. The hacker could then use the private key to decrypt your sessions on a banking website or Amazon, collecting your passwords.

Keys surrounding a padlock.

To combat this, cryptographers created Perfect Forward Secrecy (PFS). With PFS, the client and server negotiate a short-lived session key through an ephemeral key exchange, so the session key cannot be recovered from the server’s long-term private key. That means that every time a session is initiated by a user, a new session key is generated. The most important aspect of PFS encryption is that if a single session key is compromised, data from other sessions will remain unaffected.

You might be asking yourself, “how can a hacker get a server’s private key?” Sometimes website admins make mistakes such as accidentally uploading the private key to GitHub (this happens more than you’d think). In this scenario, even past data exchanges with this website would be compromised if they weren’t using perfect forward secrecy.

What’s more? Right now, all major web browsers support perfect forward secrecy. 
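As an added example (not the article’s own code), the following Python uses the standard `ssl` module to check that a server-side TLS configuration offers only forward-secret key exchange, which is what keeps a later private-key leak from unlocking recorded sessions. The `LEGACY_CIPHERS` list is constructed in the dictionary format that `SSLContext.get_ciphers()` returns; the certificate paths in the comment are placeholders.

```python
"""Check that a TLS server configuration only offers forward-secret key exchange.

Added example, not from the article. Uses only Python's standard ssl module.
"""
import ssl

# Key-exchange labels as reported by SSLContext.get_ciphers(). 'kx-any' is what
# every TLS 1.3 suite reports, and TLS 1.3 key exchange is always ephemeral.
FORWARD_SECRET_KX = {"kx-ecdhe", "kx-dhe", "kx-ecdhe-psk", "kx-dhe-psk", "kx-any"}


def non_forward_secret(ciphers):
    """Names of suites whose key exchange is broken by a leaked server key.

    `ciphers` is a list of dicts as returned by SSLContext.get_ciphers().
    Static RSA key exchange ('kx-rsa') is the classic offender: the session
    secret is encrypted to the server's long-term public key, so whoever later
    obtains the private key can decrypt every recorded session.
    """
    return [c["name"] for c in ciphers if c.get("kea") not in FORWARD_SECRET_KX]


def hardened_server_context():
    """A server context that cannot negotiate a non-forward-secret suite."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # ECDHE key exchange with AEAD ciphers only; static RSA, NULL-encryption,
    # anonymous and PSK suites are excluded. TLS 1.3 suites are not affected by
    # this string and are all forward-secret.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!PSK")
    # ctx.load_cert_chain("/path/to/server.crt", "/path/to/server.key")  # placeholder paths
    return ctx


def audit(ctx):
    """Return (is_forward_secret, offending_suite_names) for a context."""
    offenders = non_forward_secret(ctx.get_ciphers())
    return (not offenders, offenders)


# Constructed sample in the get_ciphers() dict format, standing in for a legacy
# server that still offers static RSA key exchange next to modern suites.
LEGACY_CIPHERS = [
    {"name": "AES128-SHA", "protocol": "TLSv1.2", "kea": "kx-rsa"},
    {"name": "ECDHE-RSA-AES128-GCM-SHA256", "protocol": "TLSv1.2", "kea": "kx-ecdhe"},
    {"name": "TLS_AES_128_GCM_SHA256", "protocol": "TLSv1.3", "kea": "kx-any"},
]

if __name__ == "__main__":
    ok, offenders = audit(hardened_server_context())
    print("hardened context forward-secret:", ok, offenders)
    print("legacy list offenders:", non_forward_secret(LEGACY_CIPHERS))
```

The same `non_forward_secret` check can be pointed at any context you build (for example one loaded from a framework’s default settings) to confirm that nothing with `kx-rsa` survives; the private key itself still needs to be protected, because forward secrecy limits the damage of a leak to future impersonation rather than retroactive decryption.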

5. Not Every Encrypted Website is Trustworthy

The reality of HTTPS is that, even if your data is encrypted, it’s not completely safe from unwanted eyes. Websites with “HTTPS” in the URL must have a security certificate (SSL certificate), meaning that in-transit data is encrypted. But that doesn’t mean that a trusted individual runs the website.

A recent study reported that 84% of phishing sites use SSL certificates. Phishing websites prey on unsuspecting victims by looking like legitimate websites. By now, many people are aware that Google warns you when a website is insecure. Yet many fail to realize that even if Google does not flash that warning, the website may not be authentic.

Cartoon of a businessman underwater swimming after login credentials on a hook.

Don’t Take the Bait: How to Spot a Fishy Website

Although you can’t 100% trust that every website using HTTPS is secure, you can take steps to minimize online risk. Aside from checking that the website uses HTTPS and avoiding suspicious links, outsmart the crooks:

  • Pay attention to how the URL is constructed, and always make sure you’re on the domain you think you’re on. Attackers can use subdomains to trick people into thinking they’re on the correct website. 
  • Look out for trust seals (or badges) on websites that are prime targets for phishing campaigns (i.e., PayPal, eBay, Amazon, etc.). Trust seals are symbols used to authenticate that the website belongs to a credible and legitimate organization. Be sure to click on the trust seal and verify that it’s legit.
  • Use Google’s Safe Browsing service to check if Google believes the website is safe. Simply paste the questionable URL into the Google Safe Browsing Transparency Report to get the report.
  • Keep an eye out for spelling and grammar mistakes. Often, hackers will care more about making the website look legitimate than about proper grammar. Minor errors on a website are common, but the key is to look for mistakes on top pages and obvious spelling and grammar errors.
  • Visit Who.Is to check the URL to see if it’s trustworthy. Who.Is shows you the registrant, administrative, and technical information about the website’s owner. 
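To make the first bullet concrete, here is an added Python example (not from the article) that reports which registrable domain a URL actually lands on, so that a host such as www.paypal.com.account-verify.example is seen for what it is. The URLs are constructed for the demonstration; the two-label domain rule is a deliberate simplification that ignores the public suffix list.

```python
"""Report which site a URL really points at (added example, not from the article)."""
from urllib.parse import urlsplit


def registrable_domain(host):
    """The 'site' part of a hostname, approximated as its last two DNS labels.

    Simplification (assumption of this example): no public-suffix list is
    consulted, so hosts under a suffix such as co.uk would need special handling.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def describe(url, expected_site):
    """Explain where `url` goes, relative to the site the user thinks they are on.

    expected_site is a registrable domain such as 'paypal.com'.
    """
    parts = urlsplit(url)
    host = parts.hostname or ""  # strips any user@ prefix and :port
    site = registrable_domain(host)
    on_expected = site == expected_site.lower()
    # The expected name appears somewhere in the authority part (as a subdomain
    # label or as a decoy user@ prefix) although the URL does not belong to that
    # site: the look-alike pattern the article warns about.
    lookalike = (not on_expected) and expected_site.lower() in parts.netloc.lower()
    return {
        "https": parts.scheme == "https",
        "host": host,
        "site": site,
        "on_expected_site": on_expected,
        "lookalike": lookalike,
    }


# Constructed URLs for the demonstration.
SAMPLES = [
    "https://www.paypal.com/signin",
    "https://www.paypal.com.account-verify.example/login",
    "https://paypal.com@evil.example/",
    "http://www.paypal.com/signin",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", describe(sample, "paypal.com"))
```

The point of `urlsplit(...).hostname` is that it discards anything before an `@`, which is exactly the part of the address bar a casual glance tends to read; what matters is the registrable domain, read from the right-hand end of the host.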

6. Quantum Computing Could Crack Today’s Encryption

Quantum computing has the power to transform the way we solve problems in our world. Harnessing the power of quantum mechanics, quantum computing could deliver new approaches to complex problems by running several calculations at once, which today’s supercomputers aren’t able to do. With all the good that quantum computers can generate, they also have the power to break our current encryption methods.

HTTPS protects your data from being broadcast across the planet, but that doesn’t mean it’s safe forever. Dozens of research groups throughout the globe are attempting to build a practical quantum computer capable of breaking RSA and elliptic curve cryptography (ECC). Although a practical quantum computer doesn’t exist just yet, intelligence agencies are collecting encrypted data to “store now, decrypt later” (SNDL). Now, attackers and organizations are stealing and stockpiling encrypted sensitive data to one day be decrypted through quantum computing.

As quantum computing progresses, researchers are developing new and innovative solutions to protect data. Here’s what IBM has to say about the development of quantum computing and its impact on current cryptography methods:

The Bottom Line: HTTPS Is Important But It Doesn’t (Always) Mean Safe 

How Secure is HTTPS? Now you know that HTTPS protects your data in transit, making the internet a safer place for users and website owners. HTTPS uses SSL/TLS encryption to secure communication between the browser and the server, preventing digital eavesdroppers from reading private data. Plus, it can boost a website’s Google ranking and increase ROI. While HTTPS is a key principle of internet safety, it isn’t a complete solution against cybercrime. It is, however, highly effective at mitigating risks.

With that said, human error can open room for vulnerabilities to be exploited. However, website admins can improve HTTPS security by following best practices:

  1. Purchase the right SSL certificate for your website.
  2. Get the SSL certificate from a well-respected Certificate Authority.
  3. Make sure the server is configured properly.
  4. Guarantee private encryption keys are secure.
  5. Implement HSTS (HTTP Strict Transport Security) so browsers automatically upgrade user requests for an HTTP webpage to the HTTPS webpage.
  6. Verify that all certificates are valid, avoiding downtime and outages.
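As an added example covering two of the points above, the cookie scraping risk from the section on deployment mistakes and the HSTS step in this list, here is Python code (not from the article) that audits a server’s response headers for the Set-Cookie attributes that keep a session cookie off plain HTTP and away from injected script, and for a Strict-Transport-Security header with a sensible max-age. The header sets are constructed; the one-year minimum max-age is the common deployment recommendation, and the directive names are the standard ones (Secure, HttpOnly, SameSite, max-age, includeSubDomains).

```python
"""Audit HTTP response headers for cookie and HSTS hygiene (added example)."""

ONE_YEAR = 31536000  # seconds; the usual minimum recommended HSTS max-age


def parse_set_cookie(value):
    """Return (cookie_name, {lowercase attribute: value}) for one Set-Cookie header."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs


def audit_cookie(value):
    """Findings for a Set-Cookie header; an empty list means the cookie is well flagged."""
    name, attrs = parse_set_cookie(value)
    findings = []
    if "secure" not in attrs:
        findings.append(f"{name}: missing Secure (browser will also send it over http://)")
    if "httponly" not in attrs:
        findings.append(f"{name}: missing HttpOnly (readable by script, e.g. injected JavaScript)")
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        findings.append(f"{name}: SameSite not Lax or Strict")
    return findings


def parse_hsts(value):
    """Return {lowercase directive: value} for a Strict-Transport-Security header."""
    directives = {}
    for directive in value.split(";"):
        key, _, val = directive.strip().partition("=")
        if key:
            directives[key.lower()] = val.strip().strip('"')
    return directives


def audit_hsts(value, min_age=ONE_YEAR):
    """Findings for the HSTS header value (pass None when the header is absent)."""
    if value is None:
        return ["no Strict-Transport-Security header"]
    directives = parse_hsts(value)
    try:
        max_age = int(directives.get("max-age", ""))
    except ValueError:
        return ["HSTS max-age missing or not a number"]
    findings = []
    if max_age < min_age:
        findings.append(f"HSTS max-age {max_age} is below {min_age}")
    if "includesubdomains" not in directives:
        findings.append("HSTS missing includeSubDomains")
    return findings


def audit_response(headers):
    """headers: list of (name, value) pairs as sent by the server. Returns all findings."""
    findings = []
    hsts = None
    for name, value in headers:
        lname = name.lower()
        if lname == "set-cookie":
            findings.extend(audit_cookie(value))
        elif lname == "strict-transport-security":
            hsts = value
    findings.extend(audit_hsts(hsts))
    return findings


# Constructed header sets: a careless deployment and a hardened one.
WEAK_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "session=e3b0c442; Path=/"),
]
HARDENED_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "session=e3b0c442; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
]

if __name__ == "__main__":
    for label, headers in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(label, audit_response(headers) or "no findings")
```

Two caveats worth knowing when reading the output: browsers only honour Strict-Transport-Security when it arrives over HTTPS, so the header has to be set on the HTTPS responses rather than on the HTTP redirect, and a session cookie without `Secure` will be sent along with any of the mixed-content HTTP requests discussed earlier, which is one concrete way it gets copied.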