Are HTTPS Connections Really Safe?


I’m confused. I keep hearing that https makes your connection to a website “secure”. What does that mean? Does it mean I can trust the site I land on?

“Https”, or secure http, is an important part of keeping you and your data safe online.

But it’s only a part. Understanding what it does and does not do is important.

To begin with, https does two, and only two, things.

1: Data encryption

Encryption is simply a way of scrambling the information you exchange with a website so no one else can read it.

Data that you send — say an account name and password you enter in a login form — is encrypted and sent to the website, where it is decrypted so it can be used.

Data coming back — perhaps a page showing transactions in your checking account — is encrypted by the website, sent to your browser, and decrypted so it can be displayed.

Encryption matters because only you and the website can read the data. Anyone in between — someone on the same Wi-Fi network, your internet provider, or anyone else who can see the traffic going to and from your computer — sees only gibberish. The same mechanism also detects tampering: if anything is altered on the way, your browser rejects it rather than displaying it. It’s an important way to keep private data out of the hands of hackers and thieves.

2: Site validation

Https validates that the site you are connecting to really is the site you asked for.

The website using https has a document, called a certificate, issued to it by a certificate authority that your browser already trusts. Your browser checks that certificate on every connection: that it was issued by a trusted authority, that it has not expired, and that the name in it matches the site you asked for. If any of those checks fails, your browser will warn you. Perhaps the certificate has expired, or perhaps it doesn’t match the site you think you’re visiting. Both alerts should give you pause.

Most warnings turn out to be benign, but they should not be ignored. The most common is a website’s owner forgetting to renew a certificate before it expires. The second most common is use of the wrong certificate for a site — say a certificate for somerandomservice.com being used on subdomain.somerandomservice.com. Those are two different names, and unless the certificate explicitly lists the subdomain (or a wildcard such as *.somerandomservice.com that covers it), the browser treats them as two different sites requiring two different certificates.

But if you get a warning, and it’s not clear to you why, or if you’re not certain that it falls into one of those two common situations, don’t proceed. It’s possible that hackers have hijacked some portion of the path between you and the website, attempting to redirect you to their malicious alternative.


Validation is not absolute

This is important: https does not guarantee that a site is legitimate. It only tells you it’s the site you asked for. And while it does tell you that your data is encrypted and safe on its way to and from the site, it does not tell you what happens to your data after it reaches the site.

Any website owner can easily add https support: certificates are free and are issued automatically to whoever controls a domain name, with no questions asked about what the site is for. Scammers get them all the time. If they fool you into going to a maliciously-crafted URL — say, something like

https://www.paypal.com.somerandomservice.com

thinking that you’re going to PayPal, the padlock will not tell you anything is wrong. All https will do is confirm that you have, indeed, gone to the site you asked for: www.paypal.com.somerandomservice.com. The part of that name that matters is the end, somerandomservice.com: that is the domain the scammer registered and controls, and “www.paypal.com” is just a label they chose to put in front of it.
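As an added example (this is not code from the Ask Leo! article), the following Python models the two checks a browser performs on a certificate, name matching and expiry, and applies them to the article’s somerandomservice.com, subdomain.somerandomservice.com and www.paypal.com.somerandomservice.com names. The certificates are constructed in the dict layout Python’s ssl.getpeercert() returns; they are not real certificates, the name-matching helper is a simplified version of what browsers do, and the “registrable domain” helper is a deliberate approximation (browsers consult the Public Suffix List).

```python
"""Added example: what https 'validation' actually checks.

Models the two certificate checks a browser makes (name match, expiry)
using constructed certificates in the layout ssl.getpeercert() returns.
Nothing here contacts a network; all names and certificates are made up
for illustration.
"""
import ssl
import time
from urllib.parse import urlsplit


def hostname_from_url(url):
    """The only name https validation checks: the host part of the URL."""
    host = urlsplit(url).hostname
    if host is None:
        raise ValueError("no hostname in %r" % url)
    return host.lower()


def registrable_domain(hostname):
    """Who actually registered this name? Approximated as the last two
    labels (accurate for the .com names used here; real browsers use the
    Public Suffix List, which handles names like example.co.uk)."""
    return ".".join(hostname.split(".")[-2:])


def name_matches(cert_name, hostname):
    """Does a name listed in the certificate cover this hostname?
    Exact match, or a leading '*.' wildcard that covers exactly one
    label, which is how browsers apply RFC 6125."""
    cert_name, hostname = cert_name.lower(), hostname.lower()
    if cert_name == hostname:
        return True
    if cert_name.startswith("*."):
        suffix = cert_name[1:]            # e.g. ".somerandomservice.com"
        if hostname.endswith(suffix):
            left = hostname[: -len(suffix)]
            return left != "" and "." not in left
    return False


def check_certificate(cert, hostname, now=None):
    """Return the warnings a browser would show; an empty list means OK."""
    now = time.time() if now is None else now
    warnings = []
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not any(name_matches(n, hostname) for n in names):
        warnings.append("name mismatch: certificate covers %s, not %s"
                        % (names, hostname))
    # notAfter is in OpenSSL's text form; the stdlib converts it for us.
    if ssl.cert_time_to_seconds(cert["notAfter"]) < now:
        warnings.append("expired: certificate was valid until %s"
                        % cert["notAfter"])
    return warnings


# Constructed certificates (not real ones) in getpeercert() layout.
FAR_FUTURE = "Jan  1 00:00:00 2099 GMT"
CERT_BARE = {"subjectAltName": (("DNS", "somerandomservice.com"),),
             "notAfter": FAR_FUTURE}
CERT_WILDCARD = {"subjectAltName": (("DNS", "somerandomservice.com"),
                                    ("DNS", "*.somerandomservice.com")),
                 "notAfter": FAR_FUTURE}
CERT_EXPIRED = {"subjectAltName": (("DNS", "somerandomservice.com"),),
                "notAfter": "Jan  1 00:00:00 2020 GMT"}
# What a scammer obtains for a subdomain they control: a perfectly valid
# certificate for exactly the name the victim was sent to.
CERT_PHISH = {"subjectAltName": (("DNS", "www.paypal.com.somerandomservice.com"),),
              "notAfter": FAR_FUTURE}


def demo():
    """Run the article's scenarios; returns {label: warnings}."""
    phish = hostname_from_url("https://www.paypal.com.somerandomservice.com/login")
    return {
        "bare cert on subdomain":
            check_certificate(CERT_BARE, "subdomain.somerandomservice.com"),
        "wildcard cert on subdomain":
            check_certificate(CERT_WILDCARD, "subdomain.somerandomservice.com"),
        "expired cert":
            check_certificate(CERT_EXPIRED, "somerandomservice.com"),
        "phishing host, its own valid cert":
            check_certificate(CERT_PHISH, phish),
    }


if __name__ == "__main__":
    for label, warnings in demo().items():
        print("%-36s %s" % (label, warnings or "OK: no warning"))
    host = hostname_from_url("https://www.paypal.com.somerandomservice.com/login")
    print("browser checked the name", host,
          "which is controlled by whoever owns", registrable_domain(host))
```

The last scenario is the article’s point in code: the phishing hostname passes every check, because the certificate really is for the name you asked for. The only thing that would have saved you is noticing that the name ends in somerandomservice.com.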

Make sure you’ve got the website URL correct, and that they’re a legitimate business and the business you think they are. That’s what phishing scams are all about: getting you to visit sites that look legitimate, but aren’t.

A valid https connection does not help you tell the difference, because scammers can have those too.

Originally published as Are HTTPS Connections Really Safe? on Ask Leo!