Many of us browse the internet for a wide variety of reasons, whether that is to consume news content on trending topics, to purchase our must-have items or to see what our friends and family are up to on social media. While browsing the internet through various sites for one reason or another you will no doubt have noticed the website address often looks something like this: https://examplesite.com.
This is known as the URL (Uniform Resource Locator), or more commonly as the web address of the site. Below are some more examples:
Apart from the actual website name, such as BBC News or Vulnweb, it may not look like there are any significant differences, but there are. One is secure, meaning any data you submit is encrypted in transit; the other is not, and your data is sent in plain text. Even though “not secure” appears next to the web address in example (c), this is not always how it is displayed, and it can easily be overlooked.
Notice the HTTP or HTTPS at the start. HTTP and HTTPS are two different protocols used to transfer data over the internet. HTTP is the older protocol, and it is not secure. HTTPS is the newer protocol, and it is secure. There is also a third element, HSTS: a security mechanism that helps to ensure that websites are always accessed over HTTPS.
More about HTTP:
HTTP stands for Hypertext Transfer Protocol. It is the most common protocol used to transfer data over the internet. HTTP is a plain-text protocol, which means that all data transferred is unencrypted. This is risky from a security standpoint, as it leaves HTTP vulnerable to attacks such as eavesdropping and man-in-the-middle attacks. If you were to log in to a website that uses HTTP, your login credentials would be easily visible to attackers! Therefore, it is important to look for HTTPS, or the padlock sign, when using any site that requires the input of sensitive information.
More about HTTPS:
HTTPS stands for Hypertext Transfer Protocol Secure. It is a secure version of HTTP. HTTPS uses Transport Layer Security (TLS), or its predecessor Secure Sockets Layer (SSL), to encrypt data transferred between a web server and a web browser, and it also authenticates the server to the user. This makes HTTPS much more secure than HTTP.
It is important to check which protocol is being used when browsing the web and inputting sensitive data. In recent years, browser developers have made great efforts to protect users against rogue servers. The best things you can do are (1) update regularly to the latest version of your browser, and (2) watch carefully for prompts from the browser itself. A new version of each browser is available approximately every month. Not keeping your browser up to date is, quite rightly, an automatic failure on Cyber Essentials.
More about HSTS:
HSTS stands for HTTP Strict Transport Security. It is a security mechanism that helps to ensure that websites are always accessed over HTTPS. Popular social media sites such as Facebook or Twitter use HSTS. HSTS works by telling web browsers to always use HTTPS when connecting to a particular website. This prevents attackers from redirecting users to a malicious HTTP website, or to an HTTP version of the website. Attackers can use various methods to downgrade the security of the HTTPS protocol, known as a downgrade attack, leaving you susceptible to having your data stolen. HSTS ensures that this cannot happen. However, you still need to be vigilant, as attackers can still attempt to redirect you to a spoofed version of the site, so it is imperative to check the web address to ensure it is correct. For example, if you’re trying to navigate to facebook.com, ensure it says exactly that in the web address and not something similar like "facebook.corm", a detail that is very easy to overlook, especially if you are not looking for it.
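As an added illustration (not code from the original post) of how a browser applies HSTS: a small Python model that parses the Strict-Transport-Security header a site sends over HTTPS and then upgrades any http:// URL for a host with a stored policy. The host names and header values are constructed for the example. Note that a site's very first visit, before any policy has been stored, is not covered unless the site is on the browser's preload list.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed sample header values, as a browser might have received them
# over HTTPS from two hypothetical sites (not real captures).
SAMPLE_HEADERS = {
    "secure.example": "max-age=31536000; includeSubDomains; preload",
    "weak.example": "max-age=0",
}

def parse_hsts(value):
    """Parse a Strict-Transport-Security header value into a policy dict.

    Returns None when the header is unusable (no max-age), which is how a
    browser treats it: no policy is stored.
    """
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age" and arg.strip().isdigit():
            policy["max_age"] = int(arg.strip())
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy if policy["max_age"] is not None else None

def learn_policies(headers):
    """Build the browser's HSTS store from previously seen HTTPS responses."""
    store = {}
    for host, value in headers.items():
        policy = parse_hsts(value)
        # max-age=0 tells the browser to forget the host, not to protect it.
        if policy and policy["max_age"] > 0:
            store[host] = policy
    return store

def apply_hsts(url, store):
    """Rewrite an http:// URL to https:// when a stored policy covers its host."""
    parts = urlsplit(url)
    if parts.scheme != "http":
        return url
    host = parts.hostname or ""
    covered = host in store or any(
        host.endswith("." + h) and p["include_subdomains"] for h, p in store.items()
    )
    if not covered:
        return url  # first visit or no policy: the plain-HTTP request goes out
    return urlunsplit(("https", parts.netloc, parts.path, parts.query, parts.fragment))
```

Hosts with no stored policy (and not preloaded) are still reached over plain HTTP, which is why the web address still needs checking on a first visit.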
The Importance of Security Certificates:
Recent advances in browser technology and associated protocols have made browsing considerably safer. When users visit a website, they assume that their personal information will be safe, but this is only a safe assumption if they use the latest browser version and stay vigilant regarding browser prompts.
HTTPS is not the only element of a website that ensures security, though. A valid website certificate is another important feature, which will be discussed in a future blog post.
Useful Links:
Here are some additional resources on HTTP, HTTPS, and HSTS:
HTTP Strict Transport Security (HSTS) - Wikipedia: https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
HTTP Strict Transport Security - The HTTPS-Only Standard: https://https.cio.gov/hsts/
HTTP Strict Transport Security - MDN Web Docs: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
Downgrade attack - CrowdStrike: https://www.crowdstrike.com/cybersecurity-101/attack-types/downgrade-attacks/