Fact Check

http vs. https

Article explains the difference between http and https protocols.

David Mikkelson

Published Jan. 6, 2009

Claim:

Claim:   Article explains the difference between http and https protocols.

TRUE

Example:   [Collected via e-mail, January 2009]


The main difference between https:// and https://

FIRST, MANY PEOPLE ARE UNAWARE OF

**The main difference between https:// and https:// is It's all about keeping you secure**

HTTP stands for HyperText Transport Protocol, Which is just a fancy way of saying it's a protocol (a language, in a manner of speaking) for information to be passed back and forth between web servers and clients. The important thing is the letter S which makes the difference between HTTP and HTTPS.

The S (big surprise) stands for "Secure". If you visit a website or webpage, and look at the address in the web browser, it will likely begin with the following: https://.

This means that the website is talking to your browser using the regular 'unsecure' language. In other words, it is possible for someone to "eavesdrop" on your computer's conversation with the website. If you fill out a form on the website, someone might see the information you send to that site.

This is why you never ever enter your credit card number in an http website! But if the web address begins with https://, that basically means your computer is talking to the website in a secure code that no one can eavesdrop on.

You understand why this is so important, right?

If a website ever asks you to enter your credit card information, you should automatically look to see if the web address begins with https://. If it doesn't, there's no way you're going to enter sensitive information like a credit card number.

PASS IT ON (You may save someone a lot of grief).


 

Origins:   The information presented above (which was penned by Douglas Twitchell and posted to his web site in 2007) is generally correct: Accessing a web site through a URL that begins with the https:// protocol identifier indicates that information is being transmitted via Secure HTTP (S-HTTP) or Secure Sockets Layer (SSL), protocols which encrypt information passed between a client (browser) and a

server (web site). It is especially important to ensure a secure protocol is in use on web pages that process functions (such as online purchases and bank transactions) involving the transmission of credit card numbers, account numbers, Social Security numbers, PINs, and other sensitive personal information in order to prevent electronic eavesdroppers from snooping on web activity and thereby gaining access to (unencrypted forms of) such data.

Certainly using an unsecure (https://) connection to send sensitive information is a situation best avoided. However, due to proliferation of digital spoofing schemes, a secure (https://) connection is not necessarily an absolute guarantee of safety — when engaging in financial transactions over the Internet, you should still take steps to ensure you are dealing with a reputable entity, and that you are actually connected to a web site operated by the entity you are dealing with (rather than a look-alike site set up as a deception by cybercrooks).

A February 2011 alert warned that:



While on Facebook, look at your URL address; if you see http: instead of https: then you don't have a secure session and you can be hacked. Go to Account | Account Settings | Account Security and click Change. Check at least the first setting, FB defaults to the non-secure setting.

In general, something Facebook users might need to be concerned about is session hijacking (also known as sidejacking), a technique by which malicious users on public networks (such as Wi-Fi hotspots) intercept other people's session cookies to gain unauthorized access to their accounts. Although login passwords are typically encrypted to protect them from being grabbed off a network, session cookies are not always as well protected, making users of public networks who surf sites which do not employ SSL or encrypting protocols vulnerable to snooping programs such as Firesheep:



Until recently, only determined and knowledgeable hackers with fancy tools and lots of time on their hands could spy while you used your laptop or smartphone at Wi-Fi hot spots. But a free program called Firesheep has made it simple to see what other users of an unsecured Wi-Fi network are doing and then log on as them at the sites they visited.

While the password you initially enter on Web sites like Facebook, Twitter, Flickr, Amazon, eBay and The New York Times is encrypted, the Web browser's cookie, a bit of code that that identifies your computer, your settings on the site or other private information, is often not encrypted. Firesheep grabs that cookie, allowing nosy or malicious users to, in essence, be you on the site and have full access to your account.

The only sites that are safe from snoopers are those that employ the cryptographic protocol Transport Layer Security or its predecessor, Secure Sockets Layer, throughout your session. PayPal and many banks do this, but a startling number of sites that people trust to safeguard their privacy do not. You know you are shielded from prying eyes if a little lock appears in the corner of your browser or the Web address starts with "https" rather than "http."


(Facebook users should note that some applications may not function properly if the https protocol is enabled.)

Last updated:   25 February 2011

Sources:




    Murphy, Kate.   "New Hacking Tools Pose Bigger Threats to Wi-Fi Users."

    The New York Times.   16 February 2011.


By David Mikkelson

David Mikkelson founded the site now known as snopes.com back in 1994.

Article Tags

Internet ASP Article