As a technical developer, I spend a lot of my life talking in acronyms. TLS[1], HTTP[2], CSS[3], (TL;DR)[4]
I don’t do it just to feel clever: these technologies and acronyms form the backbone of the internet. It’s important to understand that the internet is more than just the pages and sites you visit, and the funny cat videos you watch.
Buzzing away behind the scenes is a complex network of traffic, being swapped between your local network, your ISP and, ultimately, the internet backbone, which is a brutishly powerful network of supercomputers and routing systems.
What are HTTPS and TLS?
HTTP (Hypertext Transfer Protocol) is an internet transfer protocol. It gets the data bits that make up a website from a server to your screen, and works a bit like a telephone number.
TLS (Transport Layer Security) is a security protocol that allows this information to be secured by encrypting as it bounces between machines.
HTTPS is a cousin of HTTP. The extra ‘S’ stands for ‘Secure’. If you’re connected to a website via HTTPS, the information that travels between you and it is scrambled in such a way that only the pair of you can read it. If that data is delivered by HTTP only, it could be readable by a third party, the infamous ‘man-in-the-middle’.
What is a Man-in-the-middle attack?
Imagine you connect your laptop to the free Wi-Fi at a coffee shop. It’s not encrypted, and you log into your e-mail account. The information you input into the site as you log in is data. It has to be transmitted to the website. The website has to verify that the information is correct, and send you an appropriate response.
Unfortunately, what you thought was free Wi-Fi isn’t. It’s got the name of the coffee shop on it, but it’s actually someone with a mobile phone who has set up a portable hotspot – the ‘man-in-the-middle’ – using something called a packet sniffer on his phone.
When your data is transmitted between a website and your computer, it is transmitted in small chunks called ‘packets’. The ‘man-in-the-middle’ can intercept each one of them, work out the content, and keep a log of it for his own nefarious purposes. That data can include your username, e-mail address and password or even financial information. Of course, it’s only the password for your e-mail. You don’t use the same password for everything, right?
Well, you might. To be honest, many people do, but that’s a whole other blog post.
But even if you don’t, the attacker now has access to your e-mail. He can go to a bunch of popular websites, such as Amazon, click the ‘I forgot my password’ link, and read the reset information that’s been sent to you, right out of your e-mail inbox.
This is where HTTPS comes in. Connect to a website via HTTPS, and the ‘man-in-the-middle’ can still intercept the packets, but they’re completely useless to him. He can’t decrypt them, so all he’s done is waste his phone’s battery life.
So why doesn’t everybody just use HTTPS, all the time?
This is where it gets properly technical, but I’ll simplify as best I can. TLS and its predecessor, SSL (Secure Sockets Layer), allow HTTPS to work, but in order for it to work, it needs something called a cryptographic suite. This is a set of computer programs that encrypts and decrypts data. Of course, before you and the website can communicate, you need to send the appropriate cryptographic keys to each other, so that each side knows the code to decrypt the data it’s sending and receiving. This is called a key exchange. But in order for this to be secure, both parties need to trust one another.
This is why you need what’s called an SSL certificate.
This is a certificate of authenticity, issued to a server by a trusted third party. Basically it says ‘This server is owned by this person, and they are trustworthy’.
Not only that, but TLS sends an integrity check with every packet of data. If the ‘man-in-the-middle’ even looks at them funny, the communication will be cut off.
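To make the last three points concrete, here is an added Python example (not code from the original post). It shows what a passive sniffer can read from a plaintext HTTP login request, and then a toy protected record with per-packet encryption plus an integrity tag, so that a single flipped bit is detected by the receiver. The cipher here is a constructed HMAC-SHA256 keystream standing in for a real TLS cipher suite; it illustrates the idea, it is not TLS.

```python
import hmac
import hashlib
import secrets

# Constructed sample: a login request as it appears on the wire over plain HTTP.
PLAINTEXT_REQUEST = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: example.com\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    b"user=alice&password=hunter2"
)

TAG_LEN = 32   # HMAC-SHA256 tag
NONCE_LEN = 8  # per-record sequence number, used as the nonce


def sniff_for_credentials(packet: bytes) -> dict:
    """What a passive sniffer can pull out of one packet: parse the form body, if any."""
    if b"\r\n\r\n" not in packet:
        return {}
    body = packet.split(b"\r\n\r\n", 1)[1]
    found = {}
    for pair in body.split(b"&"):
        if b"=" in pair:
            key, value = pair.split(b"=", 1)
            found[key.decode(errors="replace")] = value.decode(errors="replace")
    return found


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream: HMAC-SHA256 in counter mode (illustrative only, not a real cipher)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def protect_record(enc_key: bytes, mac_key: bytes, seq: int, plaintext: bytes) -> bytes:
    """Encrypt one packet, then append an integrity tag over nonce + ciphertext (encrypt-then-MAC).
    The sequence number must never repeat for the same key, or the keystream would be reused."""
    nonce = seq.to_bytes(NONCE_LEN, "big")
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unprotect_record(enc_key: bytes, mac_key: bytes, record: bytes) -> bytes:
    """Check the tag first; only a record that passes is decrypted."""
    nonce, ciphertext, tag = record[:NONCE_LEN], record[NONCE_LEN:-TAG_LEN], record[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise ValueError("integrity check failed: record was modified in transit")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


def tamper_detected(enc_key: bytes, mac_key: bytes, record: bytes, position: int = 10) -> bool:
    """Flip one bit of the ciphertext and report whether the receiver rejects the record."""
    damaged = bytearray(record)
    damaged[position] ^= 0x01
    try:
        unprotect_record(enc_key, mac_key, bytes(damaged))
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    print("sniffer sees over HTTP:", sniff_for_credentials(PLAINTEXT_REQUEST))
    enc_key, mac_key = secrets.token_bytes(32), secrets.token_bytes(32)  # from the key exchange
    record = protect_record(enc_key, mac_key, 0, PLAINTEXT_REQUEST)
    print("sniffer sees over the protected channel:", sniff_for_credentials(record))
    print("receiver recovers:", unprotect_record(enc_key, mac_key, record) == PLAINTEXT_REQUEST)
    print("tampering detected:", tamper_detected(enc_key, mac_key, record))
```

The receiver verifies the tag before it decrypts anything, which is the order a real TLS record layer uses as well; an attacker who cannot forge the tag can neither read nor silently alter the packet.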
So, in rough order, when you connect to a secure website, this is what happens:
- Your browser reads the server’s certificate, and verifies its authenticity
- Through TLS, your computer and the server exchange the keys you’ll need to communicate
- You start to communicate with the server. Each packet is encrypted, and its integrity is verified. If anyone tries to interfere, you are alerted
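The three steps above are what a properly configured client library does for you. As an added example (not from the original post), here is how a Python client asks the standard `ssl` module to do them: trust only certificates chaining to the system trust store, check that the certificate matches the hostname, and refuse old protocol versions. The second context shows the setting, common in copy-pasted snippets, that switches the certificate check off and brings the ‘man-in-the-middle’ straight back; `example.com` in the usage is a placeholder host.

```python
import socket
import ssl


def make_client_context() -> ssl.SSLContext:
    """A client context that performs certificate verification and hostname checking."""
    ctx = ssl.create_default_context()  # loads the OS trust store, CERT_REQUIRED, check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse SSLv3, TLS 1.0 and TLS 1.1
    return ctx


def make_unverified_context() -> ssl.SSLContext:
    """The weak setting for contrast: traffic is still encrypted, but to whoever answers.
    With no certificate check, a hotspot impersonating the site is accepted without complaint."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before verify_mode can be relaxed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def describe_context(ctx: ssl.SSLContext) -> dict:
    """Summarise the settings that decide whether step 1 (verify the certificate) happens at all."""
    return {
        "verifies_certificate": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": bool(ctx.check_hostname),
        "tls12_or_newer": ctx.minimum_version >= ssl.TLSVersion.TLSv1_2,
    }


def connect_and_inspect(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Open a verified TLS connection and report what was negotiated (needs network access).
    A certificate that fails verification raises ssl.SSLCertVerificationError before any data flows."""
    ctx = make_client_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:  # server_hostname drives SNI and the name check
            cert = tls.getpeercert()
            return {
                "protocol": tls.version(),
                "cipher_suite": tls.cipher()[0],
                "subject": cert.get("subject"),
                "issuer": cert.get("issuer"),
                "names": [name for kind, name in cert.get("subjectAltName", ()) if kind == "DNS"],
            }


if __name__ == "__main__":
    print("secure context:", describe_context(make_client_context()))
    print("unverified context:", describe_context(make_unverified_context()))
    # Placeholder host; replace with a server you operate.
    print(connect_and_inspect("example.com"))
```

`create_default_context()` already turns on the certificate and hostname checks; the only thing worth adding is the minimum protocol version. If a connection fails with a verification error, the fix is to correct the server’s certificate, not to swap in the unverified context.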
Why should I care?
If you’re a website user, you should care because your data is valuable. If you’re a website owner, you should care for three reasons:
- Users are getting more and more clued up
That little green or yellow (depending on your browser) padlock icon next to the address bar of a website means they can trust it. If they don’t see it on your site, they may think twice about providing you with their valuable data.
- Google (and the other search engines) care
If you deliver your site via HTTPS, Google will rank it higher than the same content delivered insecurely. It shows that you care about the security of your users, and Google is calling for “HTTPS everywhere” on the web.
- If you’re taking money from users, even via a third-party site such as PayPal or Stripe, HTTPS is a legal requirement.
So there you have it. A brief explanation of HTTPS, TLS and why they matter.
Of course, if you’re looking for the tl;dr version, it’s this: in the future, HTTPS will most likely be the only way for sites to communicate with users. It’s not a question of if, it’s a question of when.
If you need help with HTTPS, SSLs or any of the other webby acronyms, please get in touch.
1. Transport Layer Security
2. Hypertext Transfer Protocol
3. Cascading Style Sheets
4. Too long; didn’t read