Hi, Leo, when I logged on to eBay it’s using https. But when I then move off the sign-in page, it’s evidently no longer https; it’s plain old http. If we’re traveling and we use Wi-Fi, will our eBay activities be secure?
Your instincts are right. An http page does not provide a secured connection. This is a very important thing to realize about the difference between http and https. The fact that eBay uses https for the login means that yes, your login at least is protected. That means someone in an open Wi-Fi hotspot, or with some other kind of network access, can’t easily sniff the traffic and determine your eBay login credentials. That’s a good thing.
However, the fact that after you log in it switches back to http means that the rest of your activity is not protected by encryption.
When I travel and use a site like Hotspot Shield or another service, how does my information get encrypted? Does the site send an encryption key that encrypts my data before it leaves my computer and then decrypts it with a key only it and my computer knows?
I have the same question regarding my “secure” online banking transaction when I’m at home on my secured wireless network. Does the bank send my computer a key to encrypt my data before it leaves my computer to go through my secured wireless LAN? I plan to travel overseas shortly and I’m very concerned about using my computer for sensitive transactions while overseas.
You’re mostly right, but you’re also overlooking an important step in that process. How do you exchange that encryption key securely before the encryption has been set up?
In other words, how do you send someone a password securely if the only thing that they would have to make it secure is knowing that password before they got it?
The problem is that you need to encrypt to exchange data securely, but you can’t encrypt until you’ve exchanged the encryption key. It’s a classic chicken-and-egg problem.
Let me explain what happens here at a very high level.
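One way the chicken-and-egg problem above is solved, shown as an added example that is not part of the original article: a Diffie-Hellman exchange, where each side sends only a public value and both compute the same key, so the key itself never crosses the network. The prime, generator and function names are assumptions chosen for illustration, and the toy-sized prime is not secure for real use.

```python
import hashlib
import secrets

# Constructed toy parameters (assumption): 2**127 - 1 is a Mersenne prime.
# Real deployments use 2048-bit or larger groups, or elliptic curves.
P = 2**127 - 1
G = 3


def new_private() -> int:
    """Pick a random secret exponent that never leaves this machine."""
    return secrets.randbelow(P - 3) + 2  # range 2 .. P-2


def public_value(private: int) -> int:
    """Value that is safe to send over the open Wi-Fi network."""
    return pow(G, private, P)


def session_key(private: int, peer_public: int) -> bytes:
    """Combine our secret with the peer's public value into a 256-bit key."""
    if not 1 < peer_public < P - 1:
        raise ValueError("peer sent a degenerate public value")
    shared = pow(peer_public, private, P)
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()


def handshake():
    """Run both sides and return (wire_traffic, browser_key, server_key)."""
    browser_priv, server_priv = new_private(), new_private()
    # Only these two numbers cross the network; an eavesdropper sees both.
    wire = {"browser->server": public_value(browser_priv),
            "server->browser": public_value(server_priv)}
    browser_key = session_key(browser_priv, wire["server->browser"])
    server_key = session_key(server_priv, wire["browser->server"])
    return wire, browser_key, server_key


if __name__ == "__main__":
    wire, k_browser, k_server = handshake()
    for direction, value in wire.items():
        print(f"{direction}: {value:#x}")
    print("keys match:", k_browser == k_server)
```

On its own this exchange does not prove who is on the other end; HTTPS pairs it with the site's certificate so the browser knows the public value really came from the site it asked for.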
I’m using a website to confirm a rental and they require some personal information. I’m pretty confident in the company. I noticed the page for this added info was only an http site – no “s.” To see what would happen, I typed an “s” after the http, pressed Enter, and the page flickered like it was reloading, but there it was – same page but now with an https. Did this work? Could it really be that easy to get a secure page? Or did my browser just fool me? I tried an F5 refresh and the https remained. What do you think? Am I safe and secure now?
Adding an s to the http to make it secure is interesting. It’s tempting to see what will happen when you try it. But even when it works, I have some concerns.
Before I make any transaction with my credit card, I always look at the address bar at the top to see if it begins with https and that there’s a closed golden padlock at the extreme right of the bar. Then and only then will I proceed. Recently, I’ve come across a couple of trusted and/or reputable sites which do exhibit the https part, but the padlock is missing. Instead, they have sort of a reassurance like “your order is safe and secure with all SSL 128 or 256 blah, blah” lower down where you enter all of your personal details and credit card number. Now what I would like to know is: is this safe? Even though the vendor’s site is reputable and it’s recommended by an equally reputable person? At the best of times, I’m rather paranoid about giving my personal details to an invisible entity so when it comes to credit card details and such, my distrust knows no bounds. Am I being overly cautious or am I being justifiably somewhat reticent?
You’re justified in asking these questions. I suspect that there’s actually something that you’re missing on screen, which is fine.
I do want to cover just exactly what that padlock does (and does not) mean and what the https is all about.
I ‘manage’ the website for a small non-profit. My Dreamweaver and HTML skills are just enough to stay ahead of the Executive Director’s requests. They have asked if we can switch to an https secure site – with all pages being HTTPS. How does one do that? The HTML does not seem to change, but there must be something that tells the browsers to switch to encrypted communication.
Actually, it’s the browser that makes the request for an encrypted connection.
When you specify HTTPS to connect to a website, the actual connection requested by the browser is different. That’s something that you need to set up on your site – and you’re quite correct. The HTML doesn’t need to change for that.
What needs to change is how your website is hosted. Unfortunately, how you specify that your site supports HTTPS is not something that is standard.