What does “safe” really mean?
“HTTPS”, or secure HTTP, is an important part of keeping you and your data safe online.
But it’s only a part. Understanding what it does and does not do is important.
To begin with, HTTPS does two — and only two — things.
The HTTPS protocol does exactly two things: it encrypts the data transferred between you and the HTTPS website, and it validates that you are looking at the site you requested. It does not confirm that you requested the site you think you did, and it does not confirm that the site is legitimate. Scammers can use HTTPS.
1: Data encryption
Encryption is simply a way of scrambling the information you exchange with a website so no one else can read it.
Data that you send — say an account name and password you enter in a log-in form — is encrypted and sent to the website, where it is decrypted so it can be used.
Data coming back — perhaps a page showing transactions in your checking account — is encrypted by the website, sent to your browser, and decrypted so it can be displayed.
Encryption matters because only you and the website can understand the data. Anyone in between — say someone who’s monitoring the information going to and from your computer — sees only gibberish. It’s an important way to keep private data out of the hands of hackers and thieves.
2: Site validation
HTTPS validates that the site you are connecting to really is the site you asked for.
The website using HTTPS has information, called a certificate, which can be checked and validated by trusted authorities. If that check fails, your browser will warn you. Perhaps the certificate has expired, or perhaps it doesn’t match the site you think you’re visiting. Both alerts should give you pause.
Most warnings turn out to be benign, but should not be ignored. The most common is when a website’s owner forgets to renew a certificate before it expires. The second most common is the use of the wrong certificate for a site — say a certificate for somerandomservice.com is used on subdomain.somerandomservice.com — two different sites requiring two different certificates.
But if you get a warning, and it’s not clear to you why, or if you’re not certain that it falls into one of those two common situations, don’t proceed. It’s possible that hackers have hijacked some portion of the path between you and the website, attempting to redirect you to their malicious alternative.
Validation is not absolute
This is important: HTTPS does not guarantee that a site is legitimate. It only tells you it’s the site you asked for. And while it does tell you that your data is encrypted and safe on its way to and from the site, it does not tell you what happens to your data after it reaches the site.
Any website owner can easily throw together HTTPS support. In fact, scammers do it all the time. If they fool you into going to a maliciously crafted URL — say, something like https://www.paypal.com.somerandomservice.com — and you think that you’re going to PayPal, the HTTPS icon will not tell you anything. All HTTPS will do is confirm that you have, indeed, gone to the site you asked for: www.paypal.com.somerandomservice.com.
Make sure you’ve got the website URL correct, and that they’re a legitimate business and the business you think they are. That’s what phishing scams are all about: getting you to visit sites that look legitimate but aren’t.
A valid HTTPS connection does not help you tell the difference, because scammers can have those too.
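As an added example (not code from the original article), here are the two checks the text describes, reduced to code: reading a hostname right to left to find who actually controls it, and the browser-style comparison of a hostname against a certificate's name. The registrable-domain helper assumes a simple two-label suffix rather than consulting the Public Suffix List, and all URLs and names are the article's own examples.

```python
from urllib.parse import urlsplit


def registrable_domain(host: str, levels: int = 2) -> str:
    """Return the part of a hostname that identifies its controller.

    Hostnames are interpreted right to left: the rightmost labels
    (e.g. somerandomservice.com) own everything to their left.
    Assumption: a two-label suffix. Real browsers consult the Public
    Suffix List so that names like example.co.uk are handled correctly.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-levels:])


def who_controls(url: str) -> str:
    """Extract the hostname from a URL and report who controls it."""
    host = urlsplit(url).hostname or ""
    return registrable_domain(host)


def cert_name_matches(cert_name: str, host: str) -> bool:
    """Hostname check a browser performs against a certificate's name.

    Exact names must match label for label. A wildcard (*.example.com)
    covers exactly one label, so it matches a.example.com but neither
    example.com nor a.b.example.com (RFC 6125, section 6.4.3).
    Passing this check says nothing about whether the site is legitimate.
    """
    cert_name, host = cert_name.lower(), host.lower()
    if cert_name.startswith("*."):
        suffix = cert_name[1:]            # ".example.com"
        if not host.endswith(suffix) or len(host) <= len(suffix):
            return False
        return "." not in host[: -len(suffix)]
    return cert_name == host


if __name__ == "__main__":
    # The article's look-alike URL: the "paypal.com" label is only a
    # subdomain; the controller is somerandomservice.com.
    print(who_controls("https://www.paypal.com.somerandomservice.com/login"))
    # The article's mismatch warning: a certificate for the bare domain
    # does not cover a subdomain.
    print(cert_name_matches("somerandomservice.com",
                            "subdomain.somerandomservice.com"))
```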
28 comments on “Are HTTPS Connections Really Safe?”
>Encryption is important because only you and the remote site can
>understand the data. Anyone in between … say someone who’s
>monitoring the information going to and from your computer … sees only
>gibberish. It’s an important way to keep your private data out of the
>hands of hackers and thieves.
If someone was monitoring my computer, how could https tell my computer what password to use to encrypt and decrypt the data without the person monitoring also getting the password?
Because those passwords are never sent. Using something called public key cryptography, the sender can encrypt something with the public key that can only be decrypted by the private key. The private key is never shared, and is part of what the certification process validates. Obviously it’s more complicated than that, but that’s the basic idea.
When a sniffer is active on the machine where the browser is launched (to visit a site, say a bank site), and if HTTPS is being used, the sniffer will not be able to catch the data supplied from the browser, correct?
If the sniffer is actually running on the machine with the browser, then all bets are off. It’s effectively spyware and can see everything.
However a “sniffer” is typically a different computer “sniffing” the network, and https is the way to be safe.
Try wireshark as a sniffer or packet analyzer; If you pull up a browser and the sniffer is on that computer, you can see the IPs which are associated with the browser’s actions.
Often people use a tunnel or encrypted 3rd party service to protect them from snooping. Actually, this may not really protect them where an organization (read NSA, etc.) sniffs traffic from various POPs along the way. So the metadata may be collected and analyzed depending upon the degree of interest. Much has been automated into software.
Thanks Leo, my life just got easier. Can you recommend a survey web site that pays? And when they say spam free, is it really spam free?
I have an additional question. I understand that SSL is used to encrypt data as it is sent on a wire. But if I’m using a non-encrypted wireless access point, am I vulnerable to having my data sniffed between my laptop and my WAP? I understand that without wireless encryption the data is sent through the airwaves in plain text.
Why don’t you answer Bob’s question?! I need to know! Are GET requests also encrypted?
Bob’s example goes to “http” so of course it would NOT be
That same example, to a server that supports “https” would
What matters is that the URL of the page getting the
parameters, be it via a POST or a GET be an https URL.
Why does Google calendar show a crossed out https in the URL bar (when browsing with Chrome)? What is crossed out https?
HTTPS connection keeps popping up on every move I make on a web page. It is becoming a nuisance. Can you help?
Okay – I’ve got to ask. Where do you get these really “cool” pictures such as the multi-colored locked HTTPS in your email. Do you draw them yourself or is there another source? They are very nicely done.
As are your many helpful articles over the years. You’re my go-to web site when I have a question re a Windows PC. Thx.
Various stock photo services. Of late most have come from depositphotos.com. Thanks!
Hi Leo, I’ve always thought that providing the domain name comes first, no-one else can use that domain name. Your example of https://www.paypal.com.somerandomservice.com has surprised me, surely https://www.paypal.com MUST be paypal? and anything tacked onto that name, like somerandomservice.com is merely a link to a sub domain or other section of the paypal website, NOT to a spoof/scam/etc website?
although I notice two .com’s in the url which I’ve never seen before
Hope you can tell me where I’ve gone wrong
The higher domain names are the names closest to the right. .com is the top-level domain. Somerandomservice is the domain name. Everything before those is a subdomain. The first .com is simply a subdomain. https://www.paypal.com is the legitimate URL for Paypal.
Actually paypal.com is the legitimate root for paypal. They can (and do) have valid subdomains that are not www, but are still paypal.com.
If I read Mark Jacob’s reply correctly, you’ve literally got the thing backwards: Interpretation of a URL begins at the end, and works its way back!
Yes, you’ve read it correctly.
Correct. URL interpretation is right to left. .com first, then somerandomservice, then …. whatever follows to the left.
Everything in front of (to the left of) somerandomservice.com is owned, controlled, and created by somerandomservice.com no matter what it looks like. This http://www.paypal.com.somerandomservice.com is under the control of somerandomservice.com. That’s how domains work. Everything to the left is a subdomain of somerandomservice.com. That there’s more than one “com” is actually irrelevant. It’s perfectly valid to have a domain like com.com.com.com.askleo.com. :-) The one at the end is what makes it a “.com” site. Everything else is just a (poor) choice of naming.
There are some links from various senders that go to a page with an error message like “Hmm, I can’t seem to find that page,” etc., etc. I use Mozilla Firefox as my browser. Is this a problem with my browser, or something I may have changed in the setup menu? What can I do to be able to go to the links that are provided? Most if not all are links that I want to visit.
I’ve never had a problem with a browser not finding a URL. In almost all cases it’s that the link supplied is incorrect. In other words, there’s nothing you can do. It’s like if someone gives you a street address and you end up at an empty lot with a sign saying ‘This is an empty lot’.
Definitely need more details but it sounds like the links are wrong, or the site you’re attempting to visit is broken in some way.
Leo, you wrote:
“Any website owner can easily throw together https support.”
Leo, if I wanted to start up as a proper “phisherman,” complete with “https//:” support, I wouldn’t even begin to know where to start!
So I’m afraid I must question this.
Mind: I can’t actually dismiss it — I don’t have enough information for that — but my “doubt flag” has been raised.
I’m skeptical: Are certificate authorities really that lax? Is it really that inexpensive to obtain the proper certificate(s)? And, is it really that easy and simple to set up an “https//:” site?
(All of these would seem to be prerequisites to the careless ease which your use of the phrase, “can easily throw together https support” would seem to imply.)
Somehow, I doubt it’s quite so simple…
I would assume that Leo’s reference to “anyone” means anyone who is familiar with setting up a website, not anyone you come across at Walmart. Certainly any hacker will be very knowledgeable.
Leo’s article explained this under the heading of “Validation is not absolute”, saying that “https does not guarantee that a site is legitimate. It only tells you it’s the site you asked for”.
If you get connected to a phishing site, what https will do for you is to ensure that your personal information is transmitted to the phishing site securely!
Take a look at this: https://smallbiztrends.com/2015/04/changing-from-http-to-https.html.
Actually it has become that easy. Many hosting services, in addition to providing you with a place to host your web site, will offer completely free https certificates without any additional work on your part. It’s all part of the LetsEncrypt initiative from the EFF. The good news is that if a web site enables this your communications with that web site are private. The bad news is that there’s little to no oversight to confirm that the owner is who they claim to be.
I don’t think https websites are particularly safer than http websites. Nowadays, it’s those who take care of those websites who are creeping on to our lives, not only those hackers. So why bother?
Without https:, a sniffer can get your internet traffic right from the airwaves. Companies have safeguards against employee misuse of information. Sure, their systems aren’t perfect but nothing is perfect. I’ve been purchasing online since the late 90s and my accounts have been compromised only twice. One time was a credit card purchase, I think at a gas station and the other time was when someone forged checks with my account and routing numbers. It was https: which made my online purchases safer than checks or handing my credit card to someone.