
Does HTTPS Protect Your Privacy?
So, officially, the short answer is: not a lot directly, slightly more indirectly.
However, HTTPS remains important for security of your data transmitted from your browser to a website, which can have an impact on your privacy.
Let's have a look at how HTTPS may have an impact on online privacy.
What is HTTPS?
First, let's define the acronym: HTTPS = Hypertext Transfer Protocol Secure
To really understand HTTPS, you should be aware that it is the "upgraded" form of regular HTTP.
With standard HTTP, the information exchanged between your browser and a website's server(s) is sent in plaintext. In other words, the information is unencrypted.
With HTTPS, the information sent back and forth between your browser and the website is encrypted using SSL/TLS. This means that the data sent to the website is protected from prying eyes, such as network eavesdroppers and malicious tamperers.
Additionally, HTTPS requires the website to provide a signed certificate, which helps guarantee authenticity for the website itself.
Not that long ago, regular old HTTP was the complete norm. It still kind of is, but many more websites use HTTPS today. HTTPS has essentially become the "new norm."
However, for now, HTTP is still around enough... in fact, you probably still run into websites that use HTTP - your browser probably warns you that you're about to make an "unsecure" connection. Which is true.
NOTE: We didn't go into an overly detailed explanation of HTTPS here. This was intended to be more of an overview. If you're interested in learning more about HTTPS and how it works, then check out the wonderful resource of Wikipedia!
Why use HTTPS?
For starters, it's far more secure than regular HTTP.
As mentioned above, HTTPS provides two (2) key functions when your browser communicates with a website:
- (1) Encrypts the data exchanged while in transit
- (2) Helps verify the authenticity of the website itself
It's important to understand that regular HTTP provides neither (1) nor (2). Therefore, your connection and the data exchanged through the HTTP connection are far more vulnerable to the prying eyes of third parties.
Third parties are not just limited to would-be "hackers" who may execute a textbook man-in-the-middle style attack. Third parties can include any interceptor that was not intended to be involved in the exchange between your browser and a given website.
Encryption
On both avoidthehack! and within the greater privacy community, you no doubt see encryption and its importance mentioned a lot.
That's because it's super important. Its importance can't be stated enough, which is why many of us privacy advocates stress encryption's importance.
You can think of encryption as a lock. Like a lock that secures your home, your car, or a safe. Naturally, there are different "tiers" of locks, with the highest tier typically providing the best security from outside forces.
Well, there you go - that's a simplified explanation of encryption.
Now, when we apply this to HTTPS within a browser you can look at it like this... the data sent between your browser and the intended web server is housed within a lock. Only your browser and the web server have the key to opening this lock and then reading the data.
Ultimately, this means that even if you did have an uninvited eavesdropper on your connection, they wouldn't be able to read the fine details of what was exchanged between your browser and the web server. This actually holds true even if the eavesdropper "stole" the packets.
Even when a safe is stolen, if the thieves never crack the lock, then the integrity of whatever is inside the safe remains protected. It's the exact same concept here.
Verifying authenticity of website
In addition to encryption, HTTPS also helps establish the authenticity of the website.
In other words, HTTPS helps prove that the website is who it says it is. This requires a helping hand from a trusted third party to sign the server side certificates.
Think of it like providing ID upon request. Your form of ID should have been "signed" or "certified" by the issuing party - such as the government or whatever body "issued" it. This signature/certification gives legitimacy to the ID and by extension should be universal across all IDs.
It's the exact same with the server side certificates when dealing with HTTPS.
The certificate the web server provides has been signed by a (presumably) trusted third party. This signed certificate is proof that the website is indeed who it "says" it is.
Does HTTPS improve your privacy?
So, naturally, this is the golden question.
But the same answer remains: slightly, albeit indirectly.
First, it's important to understand that HTTPS fits better under the "security" umbrella than a strict "privacy" one. However, as you may already know, these two umbrellas frequently overlap though are not necessarily mutually inclusive.
Which is kind of the case when it comes to HTTPS.
See, as we know, using HTTPS encrypts data transmitted between your browser and websites and therefore protects the confidentiality and integrity of the data from potential viewing/modification by third parties. It also helps confirm that the website is authentic.
So, when you input payment information on a site like Amazon, the details of your payment information are safe from any eavesdroppers on the connection. Additionally, you can be reasonably sure that you were connected to the "real" Amazon.
This all helps ensure that you're not forking over the likes of payment information and other sensitive PII (personally identifiable information), like your full address, to the wrong entity. It also helps ensure that the information you provided to Amazon isn't stolen/used/sold by bad actors.
However, just because you use HTTPS to connect to Amazon doesn't mean you're necessarily improving your online privacy.
Limitations
Continuing with the Amazon example above:
Sure, in this situation, your connection to Amazon is "secured" from third parties, but Amazon itself is still harvesting your data. They use all kinds of tracking methods to do so, none of which HTTPS does anything to defend against. They can still easily fingerprint you, taking advantage of the leaky nature of browsers (and some devices themselves) in general.
It's also important to understand that an HTTPS connection doesn't mean that the DNS request your browser makes is encrypted either - your DNS requests are still sent in plaintext, unencrypted. What's more is that if you're using your ISP's DNS servers, then your DNS traffic is being spoon-fed to your ISP.
Using HTTPS
The easiest way to take advantage of the benefits that HTTPS provides is to actively use it.
However, this can require users to remember to type https:// in the address bar or look for the presence of https:// before clicking a link. This is especially the case when the regular HTTP version of a website is served without the website itself forcing an HTTPS connection.
Fortunately, most modern browsers out there today force HTTPS connections as a default. This takes the burden off users and webmasters alike (however, reputable sites should force HTTPS on the server side regardless).
The easiest way to take advantage of the benefits of HTTPS is to be sure that your browser is set to force HTTPS connections automatically. Privacy browsers do this as a default.
You can also make use of the EFF browser plugin, HTTPS Everywhere. What it does is in the name - it forces HTTPS for your browser connections across the board. This browser plugin is available for most browsers.
Final thoughts
avoidthehack's thoughts on HTTPS are simple...
- Always use HTTPS
- Be extremely cautious of sites that don't have HTTPS available
As always, stay safe out there!