Why the “s” in HTTPs is important

Using secure HTTP is especially important when using wireless in a public place.

authorwifi

Author multitasking at daughter's gymnastics practice

Credit: John Busso
RELATED TOPICS

Who among us doesn't connect to public WiFi in the airport or at a coffee shop. One of the conveniences of the modern world is being able to connect wherever you are. But using secure HTTP is especially important when using wireless in a public place. 

When you connect to a server using HTTPs, the “s” stands for secure. More specifically, your HTTP request is using Secure Sockets Layer (SSL). SSL is a protocol used to secure communications between a client and server. The protocol employs encryption to keep eavesdroppers from “hearing” your conversation. It also keeps a Man-in-the-Middle (MITM) hacker from hijacking your conversation. The hacker that perpetrates a MITM can feed you false info and gather info from you that you assume is protected. We will come back to the risks of not using a secure connection later. First let’s discuss how SSL works.

You take it for granted that when you select a shortcut or start typing "Facebook", that you automatically connect to Facebook quickly and securely. But a lot needs to happen during this quick process which you take for granted. First your browser resolves the website’s name to an IP address using Domain Naming Service (DNS). Once you communicate with the DNS server you will many times be redirected to a secure connection, even if you typed http://.

Now is when the interesting part begins. When the server replies to the HTTP request, it replies first with a server certificate. This certificate contains information important to setting up the encryption strength and type of encryption. But most importantly it contains a use type and Certificate authority (aka, issuing authority). In this case the type is “server certificate” and the issuing authority is DigiCert. Since DigiCert is trusted by the major browsers (Explorer, Chrome and Firefox) there is already a trusted root certificate in your browser that certifies or verifies that the certificate presented by Facebook can also be trusted. Now that the connection is verified, the key can be exchanged via the SSL tunnel. At this point the client and server begin building an encrypted tunnel using the public key and private keys. You are now connected securely to https://facebook.com.

2 online banking Thinkstock

Even if you trust the security that a secure SSL connection offers via HTTPs, there is still a chance that you could be duped, though it is quite small. However, if you are using HTTP at a hotspot, your information is traveling unencrypted across the air. The reason is that by its very nature hotspots or guest networks need to be open (unencrypted) because if the pre-shared key is exposed to everyone then you need only to possess the key and you can successfully decrypt all traffic.

So watch what info you share at the local coffee shop or hotel. When you use unsecured servers (HTTP) do not share personal info. Be careful what media you share. Take care in sending a password or social security numbers.  

https John Busso

The message you get when something not right with the server certificate

Now let's say you are at the coffee shop and try to connect to any of the more popular banking institutions with online banking. If you are not sure who you are connecting to and it is not an SSL connection to the splash page to accept the terms-of-use, there is a chance you will be compromised. Let's say I am in the diner next door or in the parking lot with a laptop running unix. I can broadcast an SSID and issue IP address info and a DNS server with a free DHCP server running on the same laptop. I can poison your DNS and direct you to a bogus IP address for which a webpage will reply with any number of banking institutions. When you enter your credentials I collect them and you are compromised. Yes, it is pretty scary.

Even less far-fetched is that the coffee shop has an open network and whatever data you send wirelessly, (if SSL is not used) I can set my packet analyzer to collect your packets and decode them to reveal your data. So enjoy the convenience of pervasive public WiFi but proceed with caution!  

This article is published as part of the IDG Contributor Network. Want to Join?

RELATED TOPICS
The brave new world of Windows 10 license activation
View Comments
Join the discussion
Be the first to comment on this article. Our Commenting Policies