HTTP vs. HTTPS: One little letter can make a lot of difference. By: Brand Barney
If you’ve never paid attention to the browser URL while surfing the Internet, today is the day to start. At the prefix of each website URL, you’ll usually see either HTTP or HTTPS. One shows the site you are on is secure (HTTPS), and the other does not (HTTP).
© SecurityMetrics | www.securitymetrics.com/pci | 801.705.5665 |
Hey guys, welcome back to the SecurityQ, your source for business data security. Today on the SecurityQ, we're gonna be learning the differences between HTTP and HTTPS. HTTP and HTTPS are the prefixes to every URL on the web. HTTP stands for Hyper Text Transfer Protocol. In terms of security, HTTP is completely fine when browsing the web. It only becomes an issue when you're entering sensitive data into form fields on a website. If you're entering sensitive data into an HTTP web page, that data is transmitted in cleartext and can be read by anyone. Now let me give you an example. Let's say you have a website or shopping cart that your customers are visiting. If your customers enters sensitive data on that web page and it's only HTTP, anyone has access to that data that may be listening. And those customers data is insecure. HTTPS is the solution to this problem. HTTPS uses an encryption protocol called Secure Sockets Layer, commonly known SSL. In fact, the S in HTTPS stands for secure. Which is really what we all want. If a webpage has the prefix of HTTPS, that sensitive data is actually encrypted, making it much safer and harder for hackers to decipher. I understand the last thing we're looking at is the prefix a URL while browsing the internet. But let's think about this. If your customers are coming to your webpage shopping cart and they don't see the prefix HTTPS, they may be less likely to purchase from you because their data isn't secure. Our advice? If you have an e-commerce website or shopping cart and you want to know about HTTPS, speak with your web administrator and make sure they're helping you secure your customers data. Well guys, that's all the time we have for today on the SecurityQ. As always, we want to hear from you. So post your questions in the comments below, and don't forget to subscribe. If you like this video, give us a thumbs up. We'll see you next time on the SecurityQ. What is HTTP? Hypertext Transfer Protocol (HTTP) is the way servers and browsers talk to each other. It’s a great language for computers, but it’s not encrypted. Think of it this way. If everyone in the world spoke English, everyone would understand each other. Every browser and server in the world speaks HTTP, so if an attacker managed to hack in, he could read everything going on in the browser, including that Facebook username and password you just typed in. Hypertext Transfer Protocol Secure (HTTPS) is another language, except this one is encrypted using Secure Sockets Layer (SSL). Imagine if everyone in the world spoke English except two people who spoke Russian. If you happened to overhear them speaking in Russian, you wouldn’t understand them. It’s the same with HTTPS. If browsers use HTTPS to pass information, even if attackers manage to capture the data, they can’t read the information. Does that mean HTTP websites are insecure? The answer is, it depends. If you are just browsing the web, looking at cat memes and dreaming about that $200 cable knit sweater, HTTP is fine. However, if you’re logging into your bank or entering credit card information in a payment page, it’s imperative that URL is HTTPS. Otherwise, your sensitive data is at risk.
Watch the video response to this question below.
© SecurityMetrics | www.securitymetrics.com/pci | 801.705.5665 |
Hey guys. I was looking through our YouTube channel and noticed that we had a question from YouTube user Ronald Roberts. So this is a video response for you, Ronald. Here's Ronald's question. Does the presence of 's' mean the people running the website are trustworthy? I understand this keeps out third parties, but what about the website itself? I found a dental plan with many websites offering it. Some without 's'. I won't touch them. I'm still nervous about giving my data to a new-to-me site, even with 's'. Any information on this? Ronald that's a wonderful question and one I'm happy to answer. One that does get a little bit confusing so I'm gonna try to break down to simply as possible. So what you need to be worried about is web sites that you're going to and you're inputting sensitive information. Your information. If you're putting it in forms, so let's say a common might be your first name, your last name, social security number, any diagnosis information about yourself really anything you would deem sensitive, you wouldn't want to put that on a web page that didn't say HTTPS. If it says HTTP, when you click Submit on that webpage, what you're doing is you're sending that data in clear text. But if you're just browsing the web, reading information-only text on sites, or your favorite blog or website you enjoy you're okay to be on a site that's just HTTP. Some of the things you can do, you can ask if you're giving sensitive data, especially card information, you can ask to see their PCI compliance certificate. That will show that they have done everything they can to maintain the proper standards for their website. Another good point to make is that HTTPS is specific to the page you're on. Meaning that is really not universal for an entire website. That doesn't mean that the entire website isn't secured with HTTPS, but it also doesn't mean that it is. So anytime you're on a web form our web page that is asking you for sensitive data it is absolutely mission-critical that you make sure that site has HTTPS. If it doesn't, I would advise you not to put your sensitive data there. Well Ronald, we hope this was responsive and helpful. And as we always say, if you have any more questions, please ask. See ya next time. HTTPS is specific to the page you’re on. It’s not universal to a website. So it doesn’t really matter if the homepage of your favorite sweater website says HTTPS if their payment page doesn’t. When HTTPS fails HTTPS isn’t entirely 100% foolproof, as the Heartbleed vulnerability proved in April 2014. The Heartbleed vulnerability wasn’t necessarily a weakness in SSL, it was a weakness in the software library that provides cryptographic services (like SSL) to applications. Still, it is estimated that half a million secure web servers were affected. Luckily, most websites have since corrected that bug.
For a more complex look into how hackers use HTTP to capture data, check out this video.
© SecurityMetrics | www.securitymetrics.com/pci | 801.705.5665 |
Hey guys. Welcome to my office. So, I left the studio last week after filming our HTTP vs HTTPS episode. Like I usually do, I couldn't stop thinking about you and your security. Last time I discussed with HTTPS the security features of it, and the lack of security features with HTTP but I think it's important to understand what HTTP really does. So when you go to purchase a website or you're designing your own you're using a lot of different coding algorithms. HTTP's primary function is presenting data to you. And really just that. It takes the data and presents it, instructs it, and arranges it on a webpage. It's for quick efficient use for you to see as a consumer, or for customers to see it. But what it doesn't do is security. HTTPS uses SSL. SSL can be a self-signed SSL, can be created from a third party vendor, or may be something you get from your third party who web hosting company. But SSL uses a complex math algorithm to put the data in such a manner that it's either impossible to crack or makes it so difficult to somebody wouldn't want to try and crack it. The reason that hackers are able to take your data with HTTP, is because HTTP doesn't secure data. It's not designed to do that. Again it only shows you the data, it's quick and efficient. It makes the data look pretty essentially. What a hacker does is listen and look at the communications being sent from the website to whoever the recipient may be. We call that a man in the middle attack which may sound a little advanced, and I guess it is, but the data gets sent from point A to point B. What somebody does is they put themselves right in the middle of that communication That communication comes across sent via HTTP. That data is clear. So if I were to write my first and last name on a piece of paper it's clear. Anybody can read that. So if somebody gets in the middle of my communication, they are reading that in a clear. So if I'm putting my social security number, my banking information, my credit card information, my personal data, a man in the middle attack takes place and they're listening to it. Now they can still listen to that data in HTTPS, so again different scenarios. I put sensitive data on point A on a webpage, and I click submit. Once I click Submit it sends to point B. Now, the hacker is still listening to my data. He still captures that information. It's like taking a photograph. He takes a photograph, but when it's an HTTPS, the data comes across encrypted, and is nigh impossible to crack. So let me do a quick web search on SSL certificate. SSL certificate pulled up a lot of different companies that provide you with an SSL cert which gives you HTTPS, the lock. The sense of security with your customers. There's a lot of different ones here and these companies are actually experienced. So my recommendation to you is to work with a third party, you can work with companies on the internet or even work with your your vendor for security, like SecurityMetrics. One of the benefits are using a third party vendor for your SSL certificate, is that you get their experience and their knowledge in how to implement that. I've created a lot of web pages myself and I understand the complexities of implementing those and the fear of implementing it correctly. You definitely don't wanna purchase something or create something and put it on a web page and then not have it work. It really defeats the purpose. So working with another vendor is oftentimes the best way to go. As a business owner, you got a little worry about content on your website, the design of your website, who's coming to your website, people purchasing from your website. The last thing you should be worried about would be your security. So you take care of it right away, you can continue on doing business as usual. It takes care of itself. There's little to no management of an SSL certificate. It gets implemented on a web page and you forget about it. You need you to pay for working with the vendor, you'll have to pay to renew those things, but you can effectively forget about it and walk away. Now you can now you can focus on the way your webpage looks. Do you want pink, purple, brown? Does this webpage look better? Do you want scrolling images? Do I want to update my shopping cart? Now you're worrying about your compliance the third party vendor. You're worrying about all these different things. Take care of the easy things first. That's why the first thing I did was put a HTTPS on a website. I've worked in security for a number of years, and I can tell you from experience that when a merchant is compromised, it's oftentimes through a simple methods. It's oftentimes through a method that's overlooked. I could be from a small merchant or or some larger merchants you hear about in the news. It's oftentimes the simple things. You may not have an e-commerce website, or maybe you do. But it's important to remember to look at the small things. Oftentimes people won't shop with you if they don't see these simple methods done. It causes doubt. If they're not fixing the little things, what else is left to be done? What other security things are missing? you you can't describe it and that's something you can communicate to your customers. You can't communicate to your customers that your security posture is good if you're not fixing the simple things. With the advent of younger people going to school, with better technologies in our school systems, people are learning these simple methods and how to secure their data. That's not necessarily from a business perspective, it's is more from a consumer perspective. I know when I'm cruising the web, cruising the Internet, I will not purchase from somebody who does not have HTTPS on sensitive data pages. And I gotta be honest, I do most of my shopping online. For business owner, consequences vary. The consequence for having a compromise, they do very. That consequence could be loss of reputation, that consequence could be financial. It's not just necessarily the fees and penalties that you receive from your bank, or from Visa, MasterCard whoever accesses that penalty, that's not always the consequence. Part of that consequence is paying for a forensics investigator to come to your location that's not cheap. It's really not. Paying for a penetration tester to come and look, having audits, it puts you into a whole new bracket that no business owner should ever want. And that will really inconvenience you big time. Doing some the work early helps to mitigate that risk later. You don't have to think about it. You reduce your risk by doing easy work early. One of the things that I'll say, I've said before, is security doesn't have to be difficult. Remember when you working on security you gonna do it piece by piece. Start with the easy things. Work with your third party vendor. Get excited to make your customers data secure, because at the end of the day you're saving yourself, you're saving a customer, and then that's all we really want. Your security matters. Your security matters to us, and I hope your security matters to you. How can I make sure information stays secure? As a business: Work with a third party vendor to get an SSL certificate on your login and payment pages. As a consumer: Don’t enter your sensitive information on pages that don’t have HTTPS. No matter how much you want that sweater, compromised information isn’t worth it!Have a business security question? Tweet me and you may see your question answered on the next SecurityQ.
Brand Barney (CISSP) is a Security Analyst at SecurityMetrics Twitter blog posts
Tweet