HTTPS, the lock icon in the address bar, an encrypted website connection — it’s known as many things. Knowing what it means is important, as it has serious implications for banking online, shopping, and avoiding phishing.
When you connect to most websites, your web browser uses the standard HTTP protocol. HTTPS is the secure, encrypted counterpart to HTTP — it literally stands for “HTTP Secure,” which is “Hypertext Transfer Protocol Secure.”
In short, HTTP has problems because HTTP connections are never encrypted. HTTPS adds encryption in an attempt to fix these problems.
How HTTPS Solves This Problem
HTTPS isn’t perfect, but it’s certainly much more secure than HTTP. When you connect to an HTTPS secured server — secure sites like your bank’s will automatically redirect you to HTTPS when you attempt to log in — your web browser checks the website’s security certificate and verifies it was issued by a legitimate certificate authority. This helps you ensure that, if you see “https://bank.com” in your web browser’s address bar, you’re actually connected to your bank’s real website — the certificate issuing authority vouches for them. Unfortunately, certificate authorities sometimes issue bad certificates and the system breaks down. Although it isn’t perfect, the presence of HTTPS is still helpful.
When it comes time to log in or send other personal data like a credit card number and payment details, this data should be sent over an encrypted connection with HTTPS. This prevents other people from eavesdropping on your sensitive data.
HTTPS also provides additional privacy. For example, Google’s search engine now defaults to HTTPS connections. This means that people can’t see what you’re searching for on Google.com — previously, anyone on the same Wi-Fi network would be able to see your searches. If a connection to Wikipedia is encrypted with HTTPS, people wouldn’t be able to see which article you’re viewing on Wikipedia. They could only see that you’re connected to Wikipedia.
Identifying HTTPS Websites
You can tell you’re connected to a website with an HTTPS connection if the address in your web browser’s address bar starts with https://. You’ll also see a lock icon, which you can click for more information about the website’s security. This looks a bit different in each browser, but all browsers have the https:// and lock icon in common.
When You Should Care
HTTPS is important whenever you’re logging into something or giving payment details. If you’re about to enter a password or other personal information, check your address bar and ensure that you’re on an HTTPS site. If you’re not, it’s not really safe to enter such sensitive data. Most websites should be doing this properly now, but a badly coded site may still send your sensitive data in unsecured plain-text if it’s set up to connect over HTTP.
HTTPS is also valuable because it provides some verification of website identities. If you’re using an unfamiliar network and you connect to your bank’s website, ensure that you see the HTTPS and the correct website address. This helps you ensure that you’re actually connected to the bank’s website, although it’s not a foolproof solution. If you don’t see an HTTPS indicator on the login page, you may be connected to an impostor website on a compromised network.
Avoiding Phishing Tricks
Some clever phishers have realized that people look for the HTTPS indicator and lock icon and may go out of their way to disguise their websites. You shouldn’t click links in phishing emails — but, if you do, you may find yourself on a cleverly disguised page. Nothing stops a scammer from getting a certificate for their scam server, so there’s nothing to stop scammers from using HTTPS as well — in theory, they’re only prevented from impersonating sites they don’t own. You may see an address like https://bankofamerica.com.3526347346435.com. In this case, you’re using an HTTPS connection, but you’re really connected to a subdomain of a site named 3526347346435.com — not Bank of America.
Other scammers may imitate the lock icon, changing their website’s favicon that appears in the address bar to a lock to try to trick you.
Bear in mind that the presence of HTTPS itself isn’t a guarantee a site is legitimate. It confirms you’re using an encrypted connection and provides some peace of mind that you’re connected to the right site, but even that isn’t completely guaranteed.
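The address check described above for https://bankofamerica.com.3526347346435.com, as an added example that is not part of the original article: it reads the hostname from the right to find the registrable domain, the part that identifies who actually owns the site, and compares it with the domain you expect. The `SUFFIXES` set is a small constructed stand-in for the Public Suffix List, and `registrableDomain` and `checkUrl` are hypothetical names.

```javascript
// Added example (not from the article): which site does a URL really belong to?
// SUFFIXES is a tiny constructed stand-in for the real Public Suffix List.
const SUFFIXES = new Set(["com", "org", "net", "co.uk"]);

// Return the registrable domain (public suffix plus one label to its left),
// or null when the host is a bare suffix or uses a suffix not in SUFFIXES.
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().replace(/\.$/, "").split(".");
  // Candidates run from the whole name down to the last label, so the
  // first hit is the longest matching suffix ("co.uk" is tried before "uk").
  for (let i = 0; i < labels.length; i++) {
    if (SUFFIXES.has(labels.slice(i).join("."))) {
      return i === 0 ? null : labels.slice(i - 1).join(".");
    }
  }
  return null;
}

// Check a link against the domain the user expects (hypothetical helper).
function checkUrl(rawUrl, expectedDomain) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return { ok: false, reason: "unparseable", domain: null };
  }
  const domain = registrableDomain(url.hostname);
  if (url.protocol !== "https:") {
    return { ok: false, reason: "not-https", domain };
  }
  if (domain !== expectedDomain.toLowerCase()) {
    return { ok: false, reason: "domain-mismatch", domain };
  }
  return { ok: true, reason: "match", domain };
}

// Constructed sample links; the first is the address quoted in the article.
for (const link of [
  "https://bankofamerica.com.3526347346435.com/login",
  "https://www.bankofamerica.com/login",
  "http://www.bankofamerica.com/login",
]) {
  console.log(link, checkUrl(link, "bankofamerica.com"));
}
```

A real check would load the full Public Suffix List instead of the four constructed entries used here.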