Every time you visit a website, information is flowing between your device and a server out there somewhere. In the early days of the internet, most all that information was transmitted "in the clear," also known as "cleartext," meaning unencrypted. Cleartext, if intercepted, can be easily read. That means a third party could monitor the content you're accessing. That's kind of like someone knowing what books you've checked out of the library, and even what chapters you've specifically looked at. Creepy! Ain't nobody's business but your own. If that doesn't concern you, consider what happens when the data transmitted includes sensitive information like usernames and passwords.
That's why, in recent years, we've seen more and more sites serving content over a secure connection. The mechanics of these transactions are quite fascinating, but the important point is that the information flowing between you and the server is encrypted. If it's intercepted, it's going to be difficult for that mysterious third party to figure out exactly what content was being transmitted. In short, encrypted sites are much more secure.
Encryption is so easy and so valuable, in fact, that it's becoming the rule rather than the exception. Google (the most popular search engine) gives preference in its search results to sites that serve their content securely. Chrome (the most popular web browser) flags insecure sites. The web is in transition. Truly pervasive encryption is not here yet, but it looks like the way of the future.
CAT+FD got with the program last year. With some help from our friends in ITC, we started encrypting all content from cat.xula.edu. You probably never noticed, but that makes our site a little more secure than it was.
So how do you tell? How can the average user distinguish a site that's encrypted from one that isn't?
All About That S
Some of us are old enough to remember when we used to sound out every syllable of a web address, even those first few characters: H T T P colon slash slash. If you doubt that, I have historical evidence. Give a listen to this radio broadcast from 1995.
Sounds silly now, doesn't it? We gloss over the HTTP these days. It still shows up as part of a fully-formed web address, but for the most part it's simply implied these days, even taken for granted.
What those letters represent, however, is still there, still functioning: HTTP stands for HyperText Transfer Protocol, and it's the very mechanism by which most web data is transmitted.
There's another flavor of HTTP, an extension of the original protocol, adding one letter at the end: HTTPS, which stands for Hypertext Transfer Protocol Secure. As the name implies, it's an encrypted protocol. It's been around since the early days, though not formally specified until 2000, and it's gaining ground rapidly in recent years.
At first HTTPS was considered essential mainly for commerce. You don't want to use your credit card to buy anything online unless you are assured of some basic level of security. Eventually it became obvious that you need security anytime you are transmitting a username and password. And today, it's becoming the expectation for all websites of any stature. Most of the web traffic on today's internet flows via HTTPS rather than HTTP.
In other words, that little S should be telling you something: namely, that the data flowing to (and from) your browser is encrypted, relatively safe from prying eyes. It's become mighty important, that little S.
Ironically, it's gotten harder to even see the S.
That's because, in this day and age, a lot of web browsers don't show you the protocol information anymore, for reasons mentioned above. Here is how a web address using HTTP is displayed in three popular browsers:
And here's how that same web address looks when using HTTPS:
The browsers used in this example are, from top to bottom: Firefox, Safari, and Chrome (all on Mac OS).
Note the differences. Note especially that little padlock icon. That seems to be the only reliable visual indicator that you're in secure mode. In these examples, only Chrome draws attention to an insecure connection.
Despite what I said earlier, maybe it's not really all about that S. Maybe it's all about that padlock. Keep your eye out for it. Notice when it's there — and when it's not.
Lock It Down
You may wonder why all your web transactions aren't secure. That comes down to the host, the entity behind the web content you're accessing. The nature of the internet is such that almost anyone can set up a website, from national governments and mega-corporations to grassroots organizations and lone individuals. If your uncle's personal website isn't set up for secure transactions, maybe that's because Uncle Fred doesn't have the technical wherewithal to make it happen.
However, it's safe to say that any institution with even modest resources will be supporting HTTPS now or in the immediate future, if they care at all about their reputation.
Some sites you visit probably support both HTTP and HTTPS. You may not get the latter unless you ask for it. You can encrypt as much as possible by using a browser extension like the Electronic Frontier Foundation's HTTPS Everywhere, available for Chrome, Firefox, Opera and Android.
I've been using HTTPS Everywhere for the last year or so. I'm using it right now. It's a lightweight extension that runs seamlessly in the background, performing a basic function. When you follow a link that specifies an insecure (HTTP) connection, it just checks quickly to see if the site supports secure (HTTPS) connections. If so, it routes you to the encrypted connection accordingly, no muss, no fuss.
Just because you have an encrypted connection doesn't mean everything is safe and secure. You could be using HTTPS to access a site run by bad guys. You could still be subject to phishing schemes, exposed to malware, or generally degraded by prurient content. However, those same dangers exist (even more flagrantly) with plain old unencrypted HTTP. Simply put, encryption doesn't fix everything, but it's an improvement that we should all expect and demand.
It's also important to understand that the encrypted transaction is between your browser and the server you're accessing. To route you to that server in the first place, you generally request a domain name through your internet service provider. The content you're accessing from the site may be encrypted, but the specific domains you're visiting are likely still visible to your internet provider (and thus potentially other third parties, including bad actors). This is a significant security hole, as the domains one visits can be quite revealing. Recent studies have shown a surprising amount of information can be inferred about a person's behavior, even when all web traffic is encrypted.
There are ways to patch this gap, but that's a subject for another installment of "Just Encryption."