What does “safe” really mean?
“HTTPS”, or secure HTTP, is an important part of keeping you and your data safe online.
But it’s only a part. Understanding what it does and does not do is important.
To begin with, HTTPS does two — and only two — things.
The HTTPS protocol does exactly two things: it encrypts the data transferred between you and the HTTPS website, and it validates that you are looking at the site you requested. It does not confirm that you requested the site you think you did, and it does not confirm that the site is legitimate. Scammers can use HTTPS.
1: Data encryption
Encryption is simply a way of scrambling the information you exchange with a website so no one else can read it.
Data that you send — say an account name and password you enter in a log-in form — is encrypted and sent to the website, where it is decrypted so it can be used.
Data coming back — perhaps a page showing transactions in your checking account — is encrypted by the website, sent to your browser, and decrypted so it can be displayed.
Encryption matters because only you and the website can understand the data. Anyone in between — say someone who’s monitoring the information going to and from your computer — sees only gibberish. It’s an important way to keep private data out of the hands of hackers and thieves.
2: Site validation
HTTPS validates that the site you are connecting to really is the site you asked for.
The website using HTTPS has information, called a certificate, which can be checked and validated by trusted authorities. If that check fails, your browser will warn you. Perhaps the certificate has expired, or perhaps it doesn’t match the site you think you’re visiting. Both alerts should give you pause.
Most warnings turn out to be benign, but should not be ignored. The most common is when a website’s owner forgets to renew a certificate before it expires. The second most common is the use of the wrong certificate for a site — say a certificate for somerandomservice.com is used on subdomain.somerandomservice.com — two different sites requiring two different certificates.
But if you get a warning, and it’s not clear to you why, or if you’re not certain that it falls into one of those two common situations, don’t proceed. It’s possible that hackers have hijacked some portion of the path between you and the website, attempting to redirect you to their malicious alternative.
Validation is not absolute
This is important: HTTPS does not guarantee that a site is legitimate. It only tells you it’s the site you asked for. And while it does tell you that your data is encrypted and safe on its way to and from the site, it does not tell you what happens to your data after it reaches the site.
Any website owner can easily throw together HTTPS support. In fact, scammers do it all the time. If they fool you into going to a maliciously-crafted URL — say, something like
and you think that you’re going to PayPal, the HTTPS icon will not tell you anything. All HTTPS will do is confirm that you have, indeed, gone to the site you asked for: www.paypal.com.somerandomservice.com.
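The two checks behind the browser warnings described above (expiry, and the certificate not matching the site) and the lookalike-domain case, as an added example that is not part of the original article. The certificates are constructed dictionaries, not real ones, and the hostname matching follows the usual browser rule: exact match, or a single leftmost "*" label that covers exactly one label.

```python
# Added example (not from the Ask Leo! article): the two checks a browser
# performs before showing the padlock, modelled on constructed data.
# Hostname matching follows the RFC 6125 rules (exact match, or a single
# leftmost "*" label); certificate contents are constructed dicts.
from datetime import datetime, timezone

def hostname_matches(cert_names, hostname):
    """True if hostname is covered by one of the certificate's DNS names."""
    host_labels = hostname.lower().rstrip(".").split(".")
    for name in cert_names:
        labels = name.lower().rstrip(".").split(".")
        if len(labels) != len(host_labels):
            continue  # a cert for example.com never covers sub.example.com
        if labels == host_labels:
            return True
        # Wildcard: only the leftmost label may be "*", and it matches one label
        if labels[0] == "*" and len(labels) > 2 and labels[1:] == host_labels[1:]:
            return True
    return False

def check_certificate(cert, hostname, now=None):
    """Return (ok, reason): the decision a browser makes to warn or not."""
    now = now or datetime.now(timezone.utc)
    if now > cert["not_after"]:
        return False, "certificate expired on %s" % cert["not_after"].date()
    if not hostname_matches(cert["dns_names"], hostname):
        return False, "certificate does not match %s" % hostname
    return True, "valid for %s" % hostname

# Constructed sample certificates and clock (not real certificates)
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
PARENT_CERT = {"dns_names": ["somerandomservice.com", "www.somerandomservice.com"],
               "not_after": datetime(2025, 1, 1, tzinfo=timezone.utc)}
LOOKALIKE_CERT = {"dns_names": ["www.paypal.com.somerandomservice.com"],
                  "not_after": datetime(2025, 1, 1, tzinfo=timezone.utc)}
EXPIRED_CERT = {"dns_names": ["somerandomservice.com"],
                "not_after": datetime(2024, 1, 1, tzinfo=timezone.utc)}

if __name__ == "__main__":
    # The parent-domain cert fails on the subdomain, the expired cert fails,
    # and the lookalike domain passes: HTTPS only confirms you reached the
    # site you asked for, not that it is the business you think it is.
    for cert, host in [(PARENT_CERT, "subdomain.somerandomservice.com"),
                       (EXPIRED_CERT, "somerandomservice.com"),
                       (LOOKALIKE_CERT, "www.paypal.com.somerandomservice.com")]:
        print(host, "->", check_certificate(cert, host, NOW))
```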
Make sure you’ve got the website URL correct, and that they’re a legitimate business and the business you think they are. That’s what phishing scams are all about: getting you to visit sites that look legitimate but aren’t.
A valid HTTPS connection does not help you tell the difference, because scammers can have those too.