• HTTP and HTTPS

    A lot of times, people confuse HTTP and HTTPS. This is primarily because of a lack of understanding of a simple encryption-based security mechanism that nearly all browsers can work with. HTTP is the protocol according to which your web browser transfers data to and from any web server, a computer that throws web pages and related information at you. HTTPS is HTTP + (S)ecure: the mechanism is the same as HTTP, except that a pair of encryption keys, exchanged via certificates and so on, is used to set up an encrypted channel of communication between you and the web server.

    All this means is that your password, login name and other data which you send to the server can’t be sniffed by someone in the middle.

    Keep in mind though that HTTPS is far from perfect. Someone with a lot of time to analyze the data stream, a good number-crunching computer and some basic reverse-hashing software can get through the layer of encryption. The point is, we “hope” to eliminate the case where just anybody can sniff your data.

    Furthermore, you should be concerned about login pages that do not use HTTPS. When you use HTTPS, you get more than just an encrypted transport layer. Just as importantly, you get authentication: the HTTPS/SSL protocol involves verifying a trusted chain of certificates that proves the entity you are talking to is who they claim to be. However, it’s possible to have a page served up over HTTP that contains a form which posts its information to an HTTPS page. An example is Google’s login page. In this case you have no way of verifying who you are talking to unless you dig a little deeper.
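    As an added illustration of the point about HTTP pages that post to HTTPS (example code written for this post, not code from the original), here is a small Python audit that resolves each form’s action URL against the URL of the page it was served from and reports whether submitted data would cross the wire in clear, or whether the form itself came from a page whose origin was never authenticated. The page URL, host names and HTML are constructed samples.

```python
"""Audit the forms on a page for HTTP/HTTPS mismatches.

Added example, not code from the original post. Each <form> in an HTML
document is classified by the scheme of the page it came from and the
scheme of its (resolved) action URL. All URLs and HTML here are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormCollector(HTMLParser):
    """Collect the fully resolved action URL of every <form> in a document."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "form":
            return
        attrs = dict(attrs)
        # A missing or empty action posts back to the page's own URL,
        # so it inherits the page's scheme.
        action = attrs.get("action") or ""
        self.actions.append(urljoin(self.page_url, action))


def classify_form(page_url, action_url):
    """Return a verdict for one form.

    'ok'           : HTTPS page, HTTPS action; transport and origin verified.
    'cleartext'    : action is plain HTTP; whatever the user types crosses
                     the wire unencrypted and can be sniffed in the middle.
    'mixed-origin' : HTTP page posting to HTTPS (the case described in the
                     text): the post itself is encrypted, but the page that
                     built the form was never authenticated, so the user
                     cannot tell who they are really talking to.
    """
    page_scheme = urlsplit(page_url).scheme.lower()
    action_scheme = urlsplit(action_url).scheme.lower()
    if action_scheme != "https":
        return "cleartext"
    if page_scheme != "https":
        return "mixed-origin"
    return "ok"


def audit_forms(page_url, html):
    """Return (action_url, verdict) pairs for every form on the page."""
    collector = _FormCollector(page_url)
    collector.feed(html)
    return [(a, classify_form(page_url, a)) for a in collector.actions]


# Constructed sample: a login page served over plain HTTP with three forms.
SAMPLE_URL = "http://www.example.com/login"
SAMPLE_HTML = """
<html><body>
  <form action="https://accounts.example.com/login" method="post">
    <input name="user"><input name="passwd" type="password">
  </form>
  <form action="/search" method="get"><input name="q"></form>
  <form method="post"><input name="passwd" type="password"></form>
</body></html>
"""

if __name__ == "__main__":
    for action, verdict in audit_forms(SAMPLE_URL, SAMPLE_HTML):
        print(f"{verdict:13s} {action}")
```

    The first form is the pattern the text warns about: the credentials are posted over HTTPS, yet because the page that carried the form arrived over HTTP, nothing on the user’s side vouched for who served it. The other two forms resolve to HTTP and would expose what is typed into them outright.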

    Misconfiguration on the server side can also be a concern when using HTTPS. I remember a post from back in 2006/7 where a HostMonster server was displaying information about hosting accounts that it should not have whenever anyone tried to reach a site hosted by them over HTTPS. It was not entirely clear, though, where the problem lay.

    Till next time.