
Are HTTPS Connections Really Safe?

I’m confused. I keep hearing that https makes your connection to a website “secure”. What does that mean? Does it mean I can trust the site I land on?

“Https”, or secure http, is an important part of keeping you and your data safe online.

But it’s only a part. Understanding what it does and does not do is important.

To begin with, https does two, and only two, things.


1: Data encryption

Encryption is simply a way of scrambling the information you exchange with a website so no one else can read it.

Data that you send — say an account name and password you enter in a login form — is encrypted and sent to the website, where it is decrypted so it can be used.

Data coming back — perhaps a page showing transactions in your checking account — is encrypted by the website, sent to your browser, and decrypted so it can be displayed.

Encryption matters because only you and the website can understand the data. Anyone in between — say someone who’s monitoring the information going to and from your computer — sees only gibberish. It’s an important way to keep private data out of the hands of hackers and thieves.

2: Site validation

Https validates that the site you are connecting to really is the site you asked for.

The website using https has information, called a certificate, which can be checked and validated by trusted authorities. If that check fails, your browser will warn you. Perhaps the certificate has expired, or perhaps it doesn’t match the site you think you’re visiting. Both alerts should give you pause.

Most warnings turn out to be benign, but should not be ignored. The most common is a website’s owner forgetting to renew a certificate before it expires.[1] The second most common is use of the wrong certificate for a site — say a certificate for somerandomservice.com being used on subdomain.somerandomservice.com — two different sites requiring two different certificates.[2]

But if you get a warning, and it’s not clear to you why, or if you’re not certain that it falls into one of those two common situations, don’t proceed. It’s possible that hackers have hijacked some portion of the path between you and the website, attempting to redirect you to their malicious alternative.
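To make the two common warnings concrete, here is an added example (an illustration written for this page, not code from the article) of the expiry check and the name check a browser performs, written against the dictionary layout Python's ssl module uses for a peer certificate. The certificates in it are constructed sample data. The third big check, whether the certificate is signed by an authority the browser trusts, is not shown.

```python
import ssl
import time


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate name against the hostname the user asked for.

    A wildcard is honoured only as the whole left-most label, so
    '*.askleo.com' covers 'www.askleo.com' but neither 'askleo.com'
    nor 'a.b.askleo.com'.  Comparison is case-insensitive.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    pattern_labels = pattern.split(".")[1:]
    host_labels = hostname.split(".")
    # The '*' stands for exactly one label, never zero and never several.
    return (len(host_labels) == len(pattern_labels) + 1
            and host_labels[1:] == pattern_labels)


def certificate_names(cert: dict) -> list:
    """DNS names the certificate claims: subjectAltName entries, else the CN."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if names:
        return names
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.append(value)
    return names


def check_certificate(cert: dict, hostname: str, now: float = None) -> list:
    """Return the warnings a browser would raise; an empty list means no warning."""
    now = time.time() if now is None else now
    warnings = []
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        warnings.append("certificate not yet valid")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        warnings.append("certificate expired")
    if not any(hostname_matches(name, hostname) for name in certificate_names(cert)):
        warnings.append("certificate does not match " + hostname)
    return warnings


# Constructed sample certificates in the layout ssl.SSLSocket.getpeercert() returns.
APEX_CERT = {
    "subject": ((("commonName", "somerandomservice.com"),),),
    "subjectAltName": (("DNS", "somerandomservice.com"),),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Dec 31 23:59:59 2024 GMT",
}
WILDCARD_CERT = {
    "subject": ((("commonName", "*.askleo.com"),),),
    "subjectAltName": (("DNS", "*.askleo.com"),),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Dec 31 23:59:59 2024 GMT",
}

# Fixed "current times" so the example behaves the same whenever it is run.
DURING_2024 = ssl.cert_time_to_seconds("Jul  1 12:00:00 2024 GMT")
DURING_2025 = ssl.cert_time_to_seconds("Jul  1 12:00:00 2025 GMT")

if __name__ == "__main__":
    cases = [
        (APEX_CERT, "somerandomservice.com", DURING_2024),
        (APEX_CERT, "subdomain.somerandomservice.com", DURING_2024),  # wrong certificate
        (APEX_CERT, "somerandomservice.com", DURING_2025),            # forgot to renew
        (WILDCARD_CERT, "www.askleo.com", DURING_2024),
        (WILDCARD_CERT, "a.b.askleo.com", DURING_2024),               # wildcard is one label
    ]
    for cert, host, when in cases:
        print(host, "->", check_certificate(cert, host, when) or "OK")
```

Run it and the second case reproduces the "wrong certificate" warning from the article (an apex certificate presented for a subdomain), the third reproduces the expired-certificate warning, and the last shows why a wildcard certificate does not cover a name two levels down.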

Validation is not absolute

This is important: https does not guarantee that a site is legitimate. It only tells you it’s the site you asked for. And while it does tell you that your data is encrypted and safe on its way to and from the site, it does not tell you what happens to your data after it reaches the site.

Any website owner can easily throw together https support. In fact, scammers do it all the time. If they fool you into going to a maliciously-crafted URL — say, something like

https://www.paypal.com.somerandomservice.com

thinking that you’re going to PayPal, the https icon will not tell you anything. All https will do is confirm that you have, indeed, gone to the site you asked for: www.paypal.com.somerandomservice.com.

Make sure you’ve got the website URL correct, and that they’re a legitimate business and the business you think they are. That’s what phishing scams are all about: getting you to visit sites that look legitimate, but aren’t.

A valid https connection does not help you tell the difference, because scammers can have those too.
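The reason the look-alike URL above belongs to somerandomservice.com and not to PayPal is that a hostname is read from the right: the public suffix (.com) and the one label before it are what somebody registered, and everything to the left is a subdomain the registrant controls. Here is an added example (written for this page, not the article's own code) that works that out for a URL; it stands in a tiny constructed list for the Public Suffix List real browsers use, so it also handles a two-label suffix such as co.uk.

```python
from urllib.parse import urlsplit

# Constructed stand-in for the Public Suffix List (publicsuffix.org) that
# browsers consult; it lists only what this example needs.  The real list
# has thousands of entries, including multi-label suffixes like "co.uk".
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}


def registrable_domain(hostname: str) -> str:
    """The name somebody actually registered: the public suffix plus one label.

    Every label to the left of it is a subdomain the registrant controls,
    whatever it happens to be called.
    """
    labels = hostname.lower().rstrip(".").split(".")
    # Candidates shrink from the full name down, so "co.uk" wins over "uk".
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            if i == 0:
                raise ValueError(hostname + " is a public suffix, not a site")
            return ".".join(labels[i - 1:])
    raise ValueError("unknown suffix in " + hostname)


def site_owner(url: str) -> str:
    """Which registered domain a URL really leads to."""
    host = urlsplit(url).hostname
    if host is None:
        raise ValueError("URL has no host: " + url)
    return registrable_domain(host)


def leads_to(url: str, expected_site: str) -> bool:
    """True only if the URL lands on the site the user thinks it does."""
    return site_owner(url) == registrable_domain(expected_site)


if __name__ == "__main__":
    for url in [
        "https://www.paypal.com/signin",
        "https://www.paypal.com.somerandomservice.com",
        "https://com.com.com.com.askleo.com",
    ]:
        print(url, "->", site_owner(url), "| PayPal?", leads_to(url, "paypal.com"))
```

The second URL is the article's example: a valid https certificate for it would be issued to somerandomservice.com, and the padlock would correctly confirm you reached somerandomservice.com, which is not where you meant to go.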


Footnotes

1: Surprisingly easy to do, as it turns out. Which means, of course, that I’ve done it.

2: Or what’s called a “wildcard” certificate, as I use here on Ask Leo!, which is a certificate valid for *.askleo.com meaning {anything}.askleo.com.

28 comments on “Are HTTPS Connections Really Safe?”

  1. >Encryption is important because only you and the remote site can
    >understand the data. Anyone in between … say someone who’s
    >monitoring the information going to and from your computer … sees only
    >gibberish. It’s an important way to keep your private data out of the
    >hands of hackers and thieves.

    If someone was monitoring my computer, how could https tell my computer what password to use to encrypt and decrypt the data without the person monitoring also getting the password?

  2. Because those passwords are never sent. Using something called public key cryptography, the sender can encrypt something with the public key that can only be decrypted by the private key. The private key is never shared, and is part of what the certification process validates. Obviously it’s more complicated than that, but that’s the basic idea.
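As an added illustration of the reply above (written for this page; it is not Leo's code), here is textbook RSA with deliberately tiny numbers so the arithmetic is visible. The browser picks a random secret, encrypts it with the server's public key, and only that ciphertext crosses the wire; the private exponent that undoes it never leaves the server. Real keys are 2048 bits or more, use randomised padding, and modern TLS mostly agrees on the secret with ephemeral Diffie-Hellman rather than RSA encryption, so treat this as a teaching model only; with primes this small an observer could simply factor the modulus.

```python
from math import gcd
import secrets


def make_keypair(p: int, q: int, e: int = 65537):
    """Textbook RSA: the public key (n, e) can be shouted to the world; the
    private exponent d stays on the server and is never transmitted."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)  # modular inverse; needs Python 3.8+
    return (n, e), (n, d)


def encrypt(public_key, message: int) -> int:
    """Anyone holding the public key can do this step."""
    n, e = public_key
    if not 0 <= message < n:
        raise ValueError("message must be smaller than the modulus")
    return pow(message, e, n)


def decrypt(private_key, ciphertext: int) -> int:
    """Only the holder of d can do this step."""
    n, d = private_key
    return pow(ciphertext, d, n)


def simulate_exchange(p: int, q: int):
    """Model of how a browser hands a server a secret nobody on the wire learns.

    Returns (what an eavesdropper sees, the browser's secret,
    the secret the server recovered).  p and q are constructed inputs.
    """
    public, private = make_keypair(p, q)        # made on the server once
    n = public[0]
    # The browser picks a fresh random secret (in TLS: session key material)...
    browser_secret = secrets.randbelow(n - 3) + 2
    # ...and only its encryption ever crosses the network.
    on_the_wire = encrypt(public, browser_secret)
    server_secret = decrypt(private, on_the_wire)
    eavesdropper_sees = {"public_key": public, "ciphertext": on_the_wire}
    return eavesdropper_sees, browser_secret, server_secret


if __name__ == "__main__":
    seen, sent, received = simulate_exchange(1000003, 999983)
    print("eavesdropper sees:", seen)
    print("browser secret:", sent, " server recovered:", received, " match:", sent == received)
```

The secret the two sides end up sharing is then used as the key for the fast symmetric encryption that scrambles the actual page data, which is the "password" the question was asking about: it is agreed without ever being sent in the clear.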

  3. When a sniffer is active on the machine where the browser is launched (to visit a site, say a bank site), and if https is being used, the sniffer will not be able to catch the data supplied from the browser - correct?

  4. If the sniffer is actually running on the machine with the browser, then all bets are off. It’s effectively spyware and can see everything.

    However a “sniffer” is typically a different computer “sniffing” the network, and https is the way to be safe.

  5. thanks Leo my life just got easier can you recommend a survey web site that pays.???? and when they say spam free is it really spam free???

  6. I have an additional question. I understand that SSL is used to encrypt data as it is sent on a wire. But if I’m using a non-encrypted wireless access point, am I vulnerable to having my data sniffed between my laptop and my WAP? I understand without wireless encryption the data is sent through the airwaves in plain text.

  7. -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    Bob’s example goes to “http” so of course it would NOT be
    encrypted.

    That same example, to a server that supports “https” would
    be encrypted.

    What matters is that the URL of the page getting the
    parameters, be it via a POST or a GET be an https URL.

    Leo

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.4.7 (MingW32)

    iD8DBQFIVUnKCMEe9B/8oqERAtd7AJ4xwKv/XGJLCt7cZVw5BsTgybqhmACfSgYT
    7LBS5HM9loiRsrnjTZwerhY=
    =swIp
    -----END PGP SIGNATURE-----

  8. THIS KEEPS COMING UP ON MY COMPUTER WHEN I AM E-MAILING MY SON ON CORRLINK AND IT REALLY GETS ON MY NERVES. IF I PUSH YES IT COMES BACK AND IF I PUSH NO IT STILL DOES THE SAME THING

  9. Why does Google calendar show a crossed out https in the URL bar (when browsing with Chrome)? What is crossed out https?

    I’ve never seen a crossed-out one. Right click on the padlock for more information.

    Leo
    12-Apr-2011

  10. HTTPS connection keeps popping up with every move I make on a web page. It is becoming a nuisance; can you help?

    I don’t understand. “Https connection” isn’t something that pops up. You’d need to provide more details including the full text of any error messages.

    Leo
    01-May-2011

  11. Okay – I’ve got to ask. Where do you get these really “cool” pictures such as the multi-colored locked HTTPS in your email. Do you draw them yourself or is there another source? They are very nicely done.
    As are your many helpful articles over the years. You’re my go-to web site when I have a question re a Windows PC. Thx.

  12. Hi Leo, I’ve always thought that providing the domain name comes first, no-one else can use that domain name. Your example of https://www.paypal.com.somerandomservice.com has surprised me, surely https://www.paypal.com MUST be paypal? and anything tacked onto that name, like somerandomservice.com is merely a link to a sub domain or other section of the paypal website, NOT to a spoof/scam/etc website?
    although I notice two .com’s in the url which I’ve never seen before
    Hope you can tell me where I’ve gone wrong
    Rob

    • The higher domain names are the names closest to the right. .com is the top-level domain. Somerandomservice is the domain name. Everything before those is a subdomain. The first .com is simply a subdomain. https://www.paypal.com is the legitimate URL for Paypal.

    • If I read Mark Jacob’s reply correctly, you’ve literally got the thing backwards: Interpretation of a URL begins at the end, and works its way back!

    • everything in front of (to the left of) somerandomservice.com is owned, controlled, and created by somerandomservice.com no matter what it looks like. This http://www.paypal.com.somerandomservice.com is under the control of somerandomservice.com. That’s how domains work. Everything to the left is a subdomain of somerandomservice.com. That there’s more than one “com” is actually irrelevant. It’s perfectly valid to have a domain like com.com.com.com.askleo.com. 🙂 The one at the end is what makes it a “.com” site. Everything else is just a (poor) choice of naming.

  13. Hi Leo,
    There are some links from various senders that go to a page with an error message like “Hmm, I can’t seem to find that page”, etc., etc. I use Mozilla Foxfire as my browser. Is this a problem with my browser, or something I may have changed in the setup menu? What can I do to be able to go to the links that are provided? Most if not all are links that I want to visit.

    • I’ve never had a problem with a browser not finding a URL. In almost all cases it’s that the link supplied is incorrect. In other words, there’s nothing you can do. It’s like if someone gives you a street address and you end up at an empty lot with a sign saying ‘This is an empty lot’.

  14. Leo, you wrote:

    “Any website owner can easily throw together https support.”

    Leo, if I wanted to start up as a proper “phisherman,” complete with “https//:” support, I wouldn’t even begin to know where to start!

    So I’m afraid I must question this.

    Mind: I can’t actually dismiss it — I don’t have enough information for that — but my “doubt flag” has been raised.

    I’m skeptical: Are certificate authorities really that lax? Is it really that inexpensive to obtain the proper certificate(s)? And, is it really that easy and simple to set up an “https//:” site?

    (All of these would seem to be prerequisites to the careless ease which your use of the phrase, “can easily throw together https support” would seem to imply.)

    Somehow, I doubt it’s quite so simple…

    • I would assume that Leo’s reference to “anyone” means anyone who is familiar with setting up a website, not anyone you come across at Walmart. Certainly any hacker will be very knowledgeable.
      Leo’s article explained this under the heading of “Validation is not absolute”, saying that “https does not guarantee that a site is legitimate. It only tells you it’s the site you asked for”.
      If you get connected to a phishing site, what https will do for you is to ensure that your personal information is transmitted to the phishing site securely!
      Take a look at this: https://smallbiztrends.com/2015/04/changing-from-http-to-https.html.

    • Actually it has become that easy. Many hosting services, in addition to providing you with a place to host your web site, will offer completely free https certificates without any additional work on your part. It’s all part of the LetsEncrypt initiative from the EFF. The good news is that if a web site enables this your communications with that web site are private. The bad news is that there’s little to no oversight to confirm that the owner is who they claim to be.
