What Does HTTPS Get Me Then?
When done right, HTTPS (HTTP over Transport Layer Security, TLS) provides the following benefits:
- Often, it’s faster in practice: browsers only negotiate HTTP/2 over TLS, so HTTPS is the way to get the multiplexing and header compression that speed up page loads - https://samrueby.com/2015/01/26/why-is-https-faster-than-http/
- The network can see which host you connect to (the hostname travels in the clear in the Server Name Indication extension of the handshake, and your DNS lookup is usually visible too), but not the path, query string, headers or body of your request
- The network only sees encrypted data, and it does not have the key to decrypt it
- Your data cannot be tampered with undetected. This is a separate guarantee from secrecy, not a consequence of it: TLS protects every record with a MAC or an authenticated-encryption mode, so a flipped bit in transit is rejected rather than silently decrypted into something else
- You get [some] verification that who you are connecting to really is who you wanted to connect to: the server’s certificate is checked against the browser’s trusted certificate authorities and against the hostname you asked for
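To make the second bullet concrete, here is an added example (not code from the original post): a small parser for the cleartext TLS ClientHello that pulls out the hostname from the Server Name Indication (SNI) extension, which is exactly what an on-path observer can read. The ClientHello bytes are constructed inline rather than captured, and the random field, cipher-suite list and the extra ALPN extension are placeholder values chosen for the example.

```python
# Added example (not from the original post): what an on-path observer can read
# from an HTTPS connection. The TLS ClientHello is sent in the clear and carries the
# hostname in the Server Name Indication (SNI) extension; the HTTP request itself
# (path, headers, body) only travels in encrypted records after the handshake.
import struct
from typing import Optional


def build_client_hello(hostname: str, include_sni: bool = True) -> bytes:
    """Construct a minimal TLS ClientHello record, optionally with an SNI extension.
    Constructed test input, not a packet capture: the random field and cipher-suite
    list are placeholders, and an ALPN extension is included so the parser has to
    step over an unrelated extension before it finds server_name."""
    host = hostname.encode("ascii")
    # server_name extension (type 0x0000): ServerNameList of (name_type, length, name)
    sni_entry = b"\x00" + struct.pack("!H", len(host)) + host  # name_type 0 = host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list
    # application_layer_protocol_negotiation extension (type 0x0010) offering "h2"
    alpn_proto = b"\x02h2"
    alpn_list = struct.pack("!H", len(alpn_proto)) + alpn_proto
    alpn_ext = struct.pack("!HH", 0x0010, len(alpn_list)) + alpn_list
    extensions = alpn_ext + (sni_ext if include_sni else b"")
    body = (
        b"\x03\x03"                                   # client_version: TLS 1.2
        + bytes(32)                                   # random (placeholder zeros)
        + b"\x00"                                     # session_id length: 0
        + struct.pack("!H", 4) + b"\x13\x01\xc0\x2f"  # two cipher suites (placeholders)
        + b"\x01\x00"                                 # one compression method: null
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # record type handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Parse a TLS handshake record and return the SNI host_name, or None when the
    ClientHello carries no server_name extension. Raises ValueError on malformed input."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated ClientHello")
    pos = 2 + 32                                            # skip client_version and random
    pos += 1 + body[pos]                                    # skip session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]    # skip cipher_suites
    pos += 1 + body[pos]                                    # skip compression_methods
    if pos + 2 > len(body):
        return None                                         # no extensions block at all
    ext_total = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_total
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        ext_data = body[pos:pos + ext_len]
        pos += ext_len
        if ext_type != 0x0000:
            continue                                        # not server_name, keep scanning
        lpos = 2                                            # skip ServerNameList length
        while lpos + 3 <= len(ext_data):
            name_type = ext_data[lpos]
            name_len = struct.unpack("!H", ext_data[lpos + 1:lpos + 3])[0]
            name = ext_data[lpos + 3:lpos + 3 + name_len]
            if name_type == 0:                              # host_name entry
                return name.decode("ascii")
            lpos += 3 + name_len
    return None


if __name__ == "__main__":
    hello = build_client_hello("www.example.com")
    print("hostname visible on the wire:", extract_sni(hello))
    # The path the browser is about to request is simply not in this record.
    print("path visible on the wire:", b"/login" in hello)
```

The hostname comes straight out of the unencrypted handshake, which is why HTTPS hides what you are fetching but not where you are fetching it from (Encrypted Client Hello is the later effort to close that gap).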
A shorter version is that HTTPS (done right) gets you:
- Confidentiality (no one snoops on your data)
- Integrity (your data is not tampered with)
- Authentication (you can trust that data came from where you thought it did)
HTTPS puts your data in an envelope, and not just any envelope! It goes in an envelope that only the recipient can open and that shows if anyone tried to open or alter it on the way. Because your browser checked the server’s identity when the connection was set up, it also knows that the replies it receives really come from the server it meant to talk to.
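The integrity bullet deserves its own demonstration, because “it’s encrypted, so it can’t be changed” is a common and wrong intuition. The following is an added example, not code from the original post: a toy stream cipher (a SHA-256 counter-mode keystream, an illustration only and not a real cipher) shows that an attacker who never sees the key can still flip bits in the ciphertext and change a transfer amount predictably, and that adding a MAC (here HMAC-SHA256 in encrypt-then-MAC form; TLS uses an AEAD mode for the same purpose) makes the same tampering fail loudly. The message, keys and nonce are constructed values.

```python
# Added example (not from the original post): encryption alone does not give
# integrity. A bit flip in XOR-style ciphertext flips the same bit in the
# plaintext; a MAC or AEAD tag is what detects it. The stream cipher here is a
# toy built from SHA-256 for illustration, not something to use in production.
import hashlib
import hmac
import os

TAG_LEN = 32  # HMAC-SHA256 output length


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream: SHA256(key || nonce || counter), concatenated."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt_only(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Confidentiality only: XOR the plaintext with the keystream."""
    ks = keystream(key, nonce, len(plaintext))
    return bytes(p ^ k for p, k in zip(plaintext, ks))


decrypt_only = encrypt_only  # XOR is its own inverse


def tamper(ciphertext: bytes, offset: int, old_byte: int, new_byte: int) -> bytes:
    """Attacker's move, no key needed: XORing (old ^ new) into the ciphertext byte
    turns the plaintext byte at that offset from old into new."""
    c = bytearray(ciphertext)
    c[offset] ^= old_byte ^ new_byte
    return bytes(c)


def encrypt_then_mac(key_enc: bytes, key_mac: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Confidentiality plus integrity: ciphertext followed by an HMAC over nonce || ciphertext."""
    ct = encrypt_only(key_enc, nonce, plaintext)
    tag = hmac.new(key_mac, nonce + ct, hashlib.sha256).digest()
    return ct + tag


def verify_and_decrypt(key_enc: bytes, key_mac: bytes, nonce: bytes, blob: bytes) -> bytes:
    """Check the tag in constant time before decrypting; reject anything modified."""
    ct, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key_mac, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: message was modified in transit")
    return decrypt_only(key_enc, nonce, ct)


def demo():
    """Run the attack against both constructions. Returns (plaintext the server would
    see under encryption-only, whether encrypt-then-MAC detected the tampering)."""
    key_enc, key_mac = os.urandom(32), os.urandom(32)  # the attacker never learns these
    nonce = os.urandom(12)
    msg = b"POST /transfer amount=100 to=alice"          # constructed sample request
    offset = msg.index(b"100")                           # attacker only needs the layout

    # 1. Encryption only: the forged ciphertext decrypts cleanly to a different amount.
    ct = encrypt_only(key_enc, nonce, msg)
    forged = tamper(ct, offset, ord("1"), ord("9"))
    tampered_plain = decrypt_only(key_enc, nonce, forged)

    # 2. Encrypt-then-MAC: the same flip invalidates the tag and the message is rejected.
    blob = encrypt_then_mac(key_enc, key_mac, nonce, msg)
    forged_blob = tamper(blob[:-TAG_LEN], offset, ord("1"), ord("9")) + blob[-TAG_LEN:]
    try:
        verify_and_decrypt(key_enc, key_mac, nonce, forged_blob)
        detected = False
    except ValueError:
        detected = True
    return tampered_plain, detected


if __name__ == "__main__":
    plain, detected = demo()
    print("encryption only, server sees:", plain)
    print("encrypt-then-MAC rejected the forgery:", detected)
```

The point for HTTPS is that the integrity guarantee comes from the tag TLS puts on every record, not from the data being unreadable; a protocol that only encrypted would leave exactly the hole the first half of the example exploits.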
As I rambled on with the student from my class about ‘why HTTPS’, he asked about the motivation to go through the effort of getting this working over TLS (i.e. getting a certificate and forcing clients to connect over TLS). In other words, what was the [monetary] benefit to the business of implementing TLS? To be blunt, it’s not going to make you any money. However, would you send that data on a postcard? Would your competitor like to access that data? Are you certain that none of the nodes your data travels across has anything eavesdropping on it? (Answer: most likely some do nowadays.) What would happen if a customer found that the data you were handling for them could be eavesdropped on? What’s it worth to ensure that doesn’t happen?
What Does HTTPS Not Get Me?
HTTPS only protects your data in transit, between the browser and the server. There are many other things you need to do to truly make your application secure; in fact, I often wish we could say HTTPE (HTTP Encrypted) or HTTPP (HTTP Private) to make that scope clearer. Note that encryption also blinds your own network to nefarious activity against your site/app (that was the intent, after all): an intrusion detection system or proxy on the path can no longer inspect the requests unless you terminate TLS in front of it. HTTPS does not ensure that access control is done right, that stored passwords are hashed so a database dump doesn’t expose them, that logins can’t be brute-forced, or the like. You still need to take positive steps to control those aspects of security.
Links, you said?
That’s about all the time you and I have today, but on another occasion maybe we can talk about HSTS, HPKP and other scary acronyms and abbreviations (one caveat on HPKP: it has since been deprecated and removed from the major browsers, so it is one to read about rather than deploy). So, here are the promised links if you would like to look deeper into TLS / encryption / HTTPS:
- https://www.ssllabs.com/ssltest/ (test your site’s certificate and TLS configuration)
- https://letsencrypt.org/ (free, automated ‘DV’ certificates)