The Illusion of Internet Privacy Part 2: Secure Protocols

Posted 5/19/2010 12:40:21 AM

This is the second part of a multipart series on Internet Privacy and Security. Click here to read the first part. In the first article in this series, we examined the anatomy of a web request, where the data goes before it reaches the target server, and why this communication is usually insecure. In this article, I will describe how we can ensure that our communications are secure despite the number of places our data moves through, focusing on the "https://" protocol (Transport Layer Security). As in the past, I will try to keep things as simple as possible, although I do intend to write a more in-depth article about the specifics of certificate-based authentication in the future, so look out for that.

What is https?

There's a very good chance that you have heard of "https" or "the little lock icon" in your browser window to "make sure that the site is secure." Even though we see this all the time, most of us have no idea what these symbols and words actually mean. Let's start with "https." Https stands for "Hyper-Text Transfer Protocol Secure." Basically, it means that the connection to the target site is made in almost the same way as we discussed in the previous article, but with a few extra steps to ensure that the data that is communicated with the site is only viewable to you and them. Once a secure connection is made, your browser will show you the "lock" icon indicating that the communication is encrypted and that the site has been identified correctly. Here's a (simplified) breakdown of how this occurs:

  1. Your computer contacts the site, expresses its intent to make a secure connection, and sends a set of security protocols that it supports.
  2. The server responds and negotiates the encryption key with your browser (this will be described in a future technical article).
  3. Your browser verifies the certificate and the security of the connection. It then displays the lock icon.
  4. Everything from then on is encrypted when it travels across the internet during that session (unless you leave the secure page, or something happens to break the connection).
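The same four steps can be followed from code. This is an added example, not part of the original article: it uses Python's standard `ssl` module, the function names and the sample values are constructed for illustration, and `inspect_https` needs network access to a host you choose.

```python
import socket
import ssl

# Constructed sample values (not captured from a real site), shaped like the
# return values of SSLSocket.cipher() and SSLSocket.getpeercert().
SAMPLE_CIPHER = ("TLS_AES_128_GCM_SHA256", "TLSv1.3", 128)
SAMPLE_CERT = {
    "subject": ((("commonName", "shop.example"),),),
    "notAfter": "Jan  1 00:00:00 2030 GMT",
}


def make_client_context():
    """Steps 1 and 3: what the client offers and what it insists on."""
    ctx = ssl.create_default_context()  # trusted CA roots, CERT_REQUIRED, hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse older protocol versions
    return ctx


def summarize(version, cipher, cert):
    """Turn the negotiated parameters into the facts behind the lock icon."""
    name, _protocol, key_bits = cipher
    # Each subject entry is a tuple of (field, value) pairs; take the first pair.
    subject = dict(rdn[0] for rdn in cert.get("subject", ()))
    return {
        "protocol": version,       # result of the step 1/2 negotiation
        "cipher": name,            # algorithm protecting step 4 traffic
        "key_bits": key_bits,      # size of the secret session key
        "issued_to": subject.get("commonName"),  # identity checked in step 3
        "expires": cert.get("notAfter"),
    }


def inspect_https(host, port=443, timeout=5.0):
    """Run the handshake against a live host (needs network access)."""
    ctx = make_client_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        # wrap_socket performs steps 1-3 and raises
        # ssl.SSLCertVerificationError if the certificate or hostname is wrong.
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return summarize(tls.version(), tls.cipher(), tls.getpeercert())


if __name__ == "__main__":
    print(summarize("TLSv1.3", SAMPLE_CIPHER, SAMPLE_CERT))
```

If `inspect_https` raises instead of returning, the browser equivalent is a certificate warning rather than a lock icon.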

What Is Encryption?

So before we continue, let's talk about what exactly the word "encrypted" means. Encryption is the act of taking plain data (like the words you are reading now) and turning it into obscured data using one of many algorithms. Without going into detail about how they work, just know that most encryption algorithms use a secret "key" which is kind of like a password. The plain data and the secret key are combined using some fancy math to end up with random looking data that is (usually) meaningless without the secret key. If both sides of the communication know the secret key, they can send messages back and forth without anybody in between knowing what they say, even if they can read the scrambled data. Think of it like putting something in a locked box before you send it to somebody through the mail service (something that I wouldn't recommend doing unless you're looking for trouble). If you have the key to the lock, and the other person has the key to the lock, then you can send the information in the locked box and nobody else can open it up in between, no matter who handles it.

So What Does This All Mean to You?

Basically, when you are communicating with a website using https, your traffic is still viewable by all of those "hops" in between you and the website (see the First Article). The difference is that this data is completely scrambled and useless to the devices in between. This is important because it makes data like passwords, bank account information, credit card numbers, social security numbers, etc. securely transmittable over the internet. How secure is this method of data transmission? The average secure connection uses 128-bit encryption keys. This means that there are 3.40282367 × 10^38 possible encryption keys. Let's visualize that number a little better:
340,282,367,000,000,000,000,000,000,000,000,000,000 possible keys
It is widely accepted that with the current state of technology, it is nearly (always have to leave the possibility of the unknown) impossible to break the encryption used to communicate securely over the internet. So the bottom line is that, in order to ensure that our data is safe while traveling across the internet, it must be encrypted.

When is data encrypted over the Web?

Generally, sites that want the user's data to be secure (login pages, banking, etc.) will automatically redirect you to an "https" site once you visit the site over "http." If you see the "https" before the address, the lock icon, and lately a green colored address bar, your connection should be good to go. Usually double or single clicking the lock icon will give you more information about the connection, and can be used to verify the security of the site. But what about sites that do not use encryption by default? Is it possible to force them to? In most cases, the answer is yes. Simply adding the "s" to the end of the "http" in the address bar and then pressing enter will request a secure connection to the site you are viewing. Some sites, however, will simply ignore that request and bring you back to the insecure site. One notable example of this is Facebook. The main page will attempt to load with https, but will fall back to http once the page has loaded. Google will not give you an https page for search or search results; however, Gmail has the option to be transmitted over https. Update: Google now supports https search via https://www.google.com. Many sites have the option; all you have to do is try.
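Whether a site keeps you on https or sends you back to http can be checked by looking at its redirects. This is an added example, not part of the original article: the function names are made up for illustration, the sample chains in the comments and usage use the placeholder host `site.example`, and `record_redirects` needs network access.

```python
import http.client
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = (301, 302, 303, 307, 308)


def scheme_verdict(start_url, locations):
    """Classify a redirect chain given the Location header of each hop."""
    url = start_url
    schemes = [urlsplit(url).scheme]
    for location in locations:
        url = urljoin(url, location)  # Location may be relative to the current URL
        schemes.append(urlsplit(url).scheme)
    if schemes[-1] == "https":
        # Ends encrypted; "upgraded" means at least one hop went out in the clear.
        return "secure" if all(s == "https" for s in schemes) else "upgraded"
    # Ends unencrypted; "downgraded" means https was offered and then dropped.
    return "downgraded" if "https" in schemes else "plaintext"


def record_redirects(url, limit=5):
    """Collect Location headers from a live site (needs network access)."""
    locations = []
    for _ in range(limit):
        parts = urlsplit(url)
        if parts.scheme == "https":
            conn = http.client.HTTPSConnection(parts.netloc, timeout=5)
        else:
            conn = http.client.HTTPConnection(parts.netloc, timeout=5)
        try:
            path = (parts.path or "/") + ("?" + parts.query if parts.query else "")
            conn.request("HEAD", path)
            response = conn.getresponse()
            status, location = response.status, response.getheader("Location")
        finally:
            conn.close()
        if status not in REDIRECT_CODES or not location:
            break
        locations.append(location)
        url = urljoin(url, location)
    return locations


if __name__ == "__main__":
    # Constructed chain: https requested, site answers with a redirect to http.
    print(scheme_verdict("https://site.example/", ["http://site.example/home"]))
```

A "downgraded" verdict matches the behaviour described above for sites that bring you back to the insecure page; a fallback done by page scripts after loading would not show up in the redirect headers.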

Why doesn't every site just use encryption?

The actual process of negotiating a secure connection uses a lot more resources and bandwidth than a normal connection does. For most information, a secure connection is overkill. Sites like Google and Facebook most likely do not use security because of the massive user-base and the sheer number of connections per second that they handle. To encrypt every connection would require more than twice the processing power of servers that are already probably strained under the heavy load. Unfortunately, it's up to the site owner to determine when to use encryption, and all you can do is try to use https instead of http and see what happens.

Conclusion

Overall, the best thing that we, as users, can do to try to secure our connections over the internet is to simply try to get an https connection on the sites that we visit. I have discussed how encryption works, the steps to a secure connection, and also how we can try to use secure connections on sites that are not intended for it normally. In the next part of the series I intend to discuss other secure means of communication on other protocols (AIM, Skype, etc.). Please leave a comment if you have any questions, or if you just want to voice your opinion.

-Ryan

Comments for "The Illusion of Internet Privacy Part 2: Secure Protocols"

  1. sudarsan says:
    These articles are informatory. What about posting more info on security?
    Posted: 3/15/2011 9:32:32 PM
