More than half of the most popular websites in the world still do not have HTTPS enabled. What is HTTPS? In a nutshell, it’s the protocol that ensures an encrypted connection between your browser and the website. Also referred to as SSL or TLS, after the protocols that provide the encryption, HTTPS is the backbone of secure web browsing, but far from the only tool needed to ensure privacy and security. With HTTPS properly enabled, you can be sure that no one can “read” the data you transmit to and from the website. More websites are moving towards enabling HTTPS by default (including the US government), but there is still a long way to go.
But does HTTPS mean that a website is secure and safe to browse? Not necessarily. The use of HTTPS does not mean the website has been verified or authenticated, or that it’s free from error or hijacking. In fact, criminals are now leveraging the trust that users have in HTTPS to engage in phishing and other cyber-crimes. Cisco has noticed an uptick in the use of HTTPS for malicious purposes, and estimates that about 10-12% of encrypted traffic is generated for malicious reasons.
Typically, to enable HTTPS on a website, the website owner would need to purchase an SSL certificate from a certificate authority. Modern browsers are configured to automatically check certificates against databases of known certificate authorities to verify that the connection is secure. But certificate authorities typically have limited means to fully verify that a website owner does not have malicious or criminal intentions. Another weakness of certificate authorities is that browsers are set to trust certificates, but there is no easy way to determine if the certificate authority itself has been tampered with. Companies like Google have moved towards issuing and signing their own certificates, but then there is no external verification (however limited) that Google’s certificate is to be trusted.
In a noble move to increase adoption of HTTPS by websites, the Let’s Encrypt organization created a platform for website owners to get a certificate for free. Unfortunately, this has been used by criminals to encrypt phishing and other malicious websites. In a blog post about the issue, Let’s Encrypt has countered that the benefits of encryption on the web far outweigh the potential risks that criminals might use the same technology. Even with the potential risks of abuse by criminals, HTTPS is a key ingredient to a secure and private internet.
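To make the limits of certificate verification concrete, the following added example (not from the original article) summarises what a certificate that passed browser-style validation actually asserts about its owner. The function names, the sample certificates and the "no organizationName means domain-control only" rule are assumptions of this sketch; the samples are constructed in the dictionary format Python's `ssl.SSLSocket.getpeercert()` returns.

```python
import socket
import ssl

def flatten_name(rdns):
    """Flatten the nested tuples getpeercert() uses for subject and issuer."""
    return {key: value for rdn in rdns for key, value in rdn}

def describe_cert(cert):
    """Summarise what a validated certificate asserts about the site owner."""
    subject = flatten_name(cert.get("subject", ()))
    issuer = flatten_name(cert.get("issuer", ()))
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    org = subject.get("organizationName")
    return {
        "names": names or [subject.get("commonName")],
        "issuer": issuer.get("organizationName") or issuer.get("commonName"),
        "organization": org,
        # Assumed heuristic: without an organizationName in the subject, the
        # CA confirmed control of the domain and nothing about who runs it.
        "validation": "organization-vetted" if org else "domain-control only",
    }

def fetch_cert(host, port=443, timeout=5):
    """Fetch a live certificate; the chain and host name are verified first."""
    ctx = ssl.create_default_context()  # platform trust store, hostname check on
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

# Constructed samples (not real certificates), in getpeercert() format.
DV_SAMPLE = {
    "subject": ((("commonName", "login.example.test"),),),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Example Free CA"),),
               (("commonName", "Example Free CA R1"),)),
    "subjectAltName": (("DNS", "login.example.test"),),
}
OV_SAMPLE = {
    "subject": ((("countryName", "US"),),
                (("organizationName", "Example Corp"),),
                (("commonName", "www.example.test"),)),
    "issuer": ((("organizationName", "Example Commercial CA"),),),
    "subjectAltName": (("DNS", "www.example.test"), ("DNS", "example.test")),
}

if __name__ == "__main__":
    for sample in (DV_SAMPLE, OV_SAMPLE):
        print(describe_cert(sample))
```

Both samples would show the same padlock in a browser; only the second carries any statement about the organization behind the site, and neither says anything about that organization's intentions.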