“They are not all accounted for, the lost Seeing Stones. We do not know who else may be watching!” (Gandalf)*
Well, not until we add that letter s.
Today, I want to tell you about the s in https. All the more so because we venture out online more than before, and the perils of this wandering around have grown with it.
Last week I was listening to some webcasts on compliance—I’m sure I mentioned it before—and at one point, I noticed that one of the presenters was sharing web links starting with http:// instead of https://. Now compliance people are supposed to be very concerned with privacy and information security—and if a compliance expert neglects to check this, it must not be as generally known as I would expect or wish.
What is the big difference? Well, the letter s in https:// stands for security.
Let’s track back a bit, though.
Almost all web links begin with the word http. This is the language your web browser speaks with the web server that sends you the page you visit. In its original form, it’s out in the open for everyone to see. It isn’t encrypted, and you cannot even be sure that your browser is really speaking to the server that is in the address. This means that someone can eavesdrop on the exchange between your computer and server. They can also set up an online ‘impostor’ that impersonates the server—so you actually receive your page from someone else, not from the server you believe you’re talking to.
Why is this extremely dangerous? Well, today’s web pages are not just pieces of information sent to your screen. They work both ways. They almost always send information about you, your location, and your computer to the server—those are the cookies. This happens automatically, most of the time without your knowledge or consent. (These days, websites must usually ask for your permission, but it’s quite impossible to do in a way that most users understand.)
If that wasn’t enough, there are also forms—fields, buttons—on the webpage where you fill in information and send it “up”. If someone is eavesdropping—or worse, stands between you and the server—you actually volunteer information to people you don’t mean to, and who have no business learning about you.
When you add the s, the language changes: an extra layer of encryption and authentication is added. This means two things: first, the communication between your browser and the server is encrypted. An eavesdropper can’t readily understand it, not without knowing the encryption key. Second, your browser gets assured that the server it’s talking to is actually the server you intend to talk to, and not some impostor.
Obviously, this is not the strongest encryption possible; but there is a world of difference between weak encryption and no encryption at all—because it takes some effort to break into the data stream, as opposed to no effort at all.
Long story short, when you visit a web page, always check how the address starts. If it’s https://, you can stay and do whatever it is you do with that website. But if it’s http://, you get out of there as quickly as you can. (Your browser will usually show a padlock—if it’s red or crossed out, trouble lies ahead.)
Bottom line: it isn’t OK to publish a website without encryption, and it isn’t OK to visit a website that has no encryption. This is especially true from the compliance perspective: there’s no way a server meets any security standard if it is not locked down at least this way.
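As an added example (not part of the original post), here is a small Python script that does the two things described above: it audits a block of shared notes for http:// links, the way the webcast presenter should have, and it shows how the two guarantees the s buys (encryption and server authentication) appear in a client’s TLS settings. The notes text and the URLs in it are constructed sample values.

```python
# Added example, not the post's own code. Audits shared links for plain http://
# and shows the difference between a TLS context that authenticates the server
# and one that only encrypts. All sample URLs below are constructed.
import re
import ssl
from urllib.parse import urlsplit

# Constructed "webcast notes" with one insecure link, one secure link,
# and one bare address that carries no scheme at all.
SAMPLE_NOTES = """Slides: http://example.com/compliance/slides
Recording: https://example.org/webcast/42
Policy portal: example.net/policies
"""

# Explicit http:// or https:// links only; stops at whitespace and quote-like characters.
_LINK_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)


def audit_links(text):
    """Return (insecure, secure): plain http links paired with their https form,
    and links that already use https."""
    insecure, secure = [], []
    for raw in _LINK_RE.findall(text):
        parts = urlsplit(raw)  # urlsplit lowercases the scheme for us
        if parts.scheme == "https":
            secure.append(raw)
        else:
            insecure.append((raw, parts._replace(scheme="https").geturl()))
    return insecure, secure


def verifying_tls_context():
    """The context a browser-like client should use. Python's defaults already
    require a certificate that chains to a trusted CA and matches the hostname,
    which is the 'no impostor' guarantee from the post."""
    return ssl.create_default_context()


def weakened_tls_context():
    """The misconfiguration to flag in review: the stream is still encrypted,
    but any server with any certificate is accepted, so an impostor passes."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # must be disabled before verify_mode is relaxed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def tls_guarantees(ctx):
    """Map a context onto the post's two guarantees: any TLS context encrypts,
    but only one that verifies the certificate and hostname authenticates."""
    authenticated = ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)
    return {"encrypted": True, "authenticated": authenticated}
```

The bare `example.net/policies` line is deliberately not reported: without a scheme the script cannot tell what the reader's browser will do with it, so it is left for a human to check.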
Be safe, everyone.
* This is from the film version of The Lord of the Rings: The Fellowship of the Ring, not the book by J.R.R. Tolkien. Action movie language seems to suit this topic better than the poetic and mystical English in the books.