Most people feel they’ve protected themselves well with regard to web security. They install antivirus suites, take care over which sites they give their personal information to and, for the most part, keep their passwords secret. Something horribly underrepresented in the image most people have of Internet security is HTTPS.
While Hypertext Transfer Protocol (HTTP) is the protocol for an overwhelming majority of websites, chances are you’ve come across an HTTPS website before. If you’ve used Gmail, Hotmail, JobMine, Quest or UW-ACE, or bought something using PayPal, you’ve been on an HTTPS website. The “S” in HTTPS stands for Secure, and it keeps your data secured between you and the server. The difference is much like how you enter your PIN at a bank machine. Would you yell out each number in your PIN while you type it in finger by finger so everyone can see what it is, or would you keep the keypad covered and silently type each character in without detection from others? HTTP is much like the former example: with the right tools, anyone can find out where you’re browsing and what you submit. This can include things as generic as looking up the phone number of a pizza place nearby or as sensitive as how much is in your bank account. With a website served over HTTPS, you can minimize the risk of others seeing any of this information.
HTTPS isn’t a new protocol, either. It’s been around since 1994, when Netscape implemented it in its first version of Netscape Navigator by securing HTTP websites with Secure Sockets Layer (SSL) encryption. As SSL encryption became Transport Layer Security (TLS) encryption, HTTPS was modified to reflect that change. It became a bigger deal last year with the release of the Firefox add-on Firesheep, a mass-market tool that let users on an unsecured Wi-Fi network access the information other users were submitting to unsecured websites.
In response to these simplified creeper tools, more companies are placing a focus on secured browsing. At Waterloo, you may have noticed over the year that the university is pushing use of eduroam instead of uw-unsecured (formerly uw-secure and uw-wireless, respectively). While eduroam has been a little more troublesome, especially in the fall term, I’ve personally had next to no issues with it this term and strongly suggest others use it. Not only does HTTPS secure your web habits but a secured network does as well. Eduroam also works at other eduroam-enabled universities, so you should in theory only have to enter your data once.
Web browser creators are also trying to give better visual cues of whether a website is secure. In most browsers, a lock appears at the bottom or the top of the browser on secure pages which, when clicked, displays information about the website’s security certificate. When the certificate is an extended validation certificate, which involves an extra level of validation, browsers show a green bar or green text to signify that the site has a signed extended validation certificate. On the server side, Facebook, Twitter and Tumblr have enabled HTTPS versions of their sites, which is a huge win for secured Internet browsing, as social networking is one of the largest uses of the Internet. Support for HTTPS isn’t all there on Facebook, though. When you open a Facebook application, the site prompts you to turn off HTTPS, but once you’re out of the application it doesn’t prompt you to turn it back on until you’re on the main page again. It would be better if Facebook could keep the setting on for everything outside applications so users don’t have to disable it every time they want to play a game.
Why is HTTPS not on every other website yet, if it’s so good? HTTPS has a few drawbacks that stop websites without sensitive information from using it. HTTPS websites cannot be cached in a web browser, which isn’t a big deal for most North Americans. Users in countries such as England or Australia have more cause for concern: caching reduces the need to reload elements of a webpage, and since most servers are located in North America, the distance between the server and the client means those elements would take just as long to load on every visit if the site isn’t cacheable. HTTPS also costs more to run on a website than HTTP, especially when websites become popular. Many people whose websites are hosted on virtual hosts, which is common among smaller websites, can’t implement HTTPS either. These are all obstacles that could be ironed out with time, as Internet speeds increase and servers are strategically placed to minimize loading time. In the end, it’s down to whether speed or security is more important, but we should be striving for a fast, secure website, no matter where we are browsing. No one needs to know what website you’re looking at, especially if you don’t know them in the first place.