HTTPS, where to find it and how to use it

An insight into secure web browsing. Part 2.

In a previous post I gave a quick overview of SSL and HTTPS: what it is, what it means and what it looks like. This time round I’ll give a run-through of where you should expect to find HTTPS, when you should aim to use it and when there’s no need to worry.

First of all the easy bit that covers most of the web…

If you’re only reading information from a website then there is no need to worry about security. If, for example, you’re reading a news and entertainment website like the BBC then you’re not handing over any information, so there’s no risk. This also applies if you’re submitting only very basic or anonymous information; posting a comment response to an article, for example, is unlikely to be much of a threat.

At the other end of the web with the most security focused websites…

These are websites such as banks, or anywhere that the information you’re providing is so sensitive that you would be likely to suffer severe detriment if it fell into the wrong hands. These types of websites should(!) always force your web browser to use a secure connection. This happens automatically so you don’t have to do anything, but you can still check the security indicators in the web browser address bar (as previously described).

Halifax website - unsecured and secured

Please note however that the brochure part of a banking website is likely to use a normal unsecured connection because there is no sensitive information being exchanged at this point.  It is only when you click a link to a login page that the security takes effect.  This can be seen in the Halifax website for example…

Some financial institutions choose to force all connections to be secured (try browsing to www.mint.com) whereas others will force the home page to be secured, often because the login option is listed on that homepage (try browsing to www.americanexpress.com).

(Some technical background fluff) When you type a website address into the address bar of your web browser, the browser assumes that you are looking for a website and so it adds the standard http:// prefix to the front of the address.
You can manually add the https:// prefix to any website address, but not all websites will support secured connections. Most will just bounce you back to normal unsecured http:// but a few might give you an error message.
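The outcomes described above (a forced secure connection, a bounce back to http://, or an error) can be told apart from the redirects a site returns. This is an added example, not part of the original post; the hostnames and responses are constructed, and `final_scheme` and `classify_https_support` are hypothetical helper names.

```python
from urllib.parse import urljoin, urlsplit

REDIRECTS = {301, 302, 303, 307, 308}

def final_scheme(start_url, responses, max_hops=10):
    """Follow redirects through `responses`; return the scheme we end on.

    `responses` maps URL -> (status, Location header or None). A URL missing
    from the map models a failed connection (nothing answering on that port).
    """
    url = start_url
    for _ in range(max_hops):
        if url not in responses:
            return None                      # connection error
        status, location = responses[url]
        if status in REDIRECTS and location:
            url = urljoin(url, location)     # Location may be relative
            continue
        return urlsplit(url).scheme
    return None                              # too many hops: redirect loop

def classify_https_support(host, responses):
    """Compare where http:// and https:// requests for `host` end up."""
    via_http = final_scheme(f"http://{host}/", responses)
    via_https = final_scheme(f"https://{host}/", responses)
    if via_https is None:
        return "https error"                 # the "error message" case
    if via_https == "http":
        return "bounces back to http"
    if via_http != "http":                   # redirected up, or no plain HTTP
        return "forces https"
    return "https optional"                  # both work, the user must choose

# Constructed sample responses, one site per behaviour.
SAMPLE_RESPONSES = {
    "http://bank.example/": (301, "https://bank.example/"),
    "https://bank.example/": (200, None),
    "http://news.example/": (200, None),
    "https://news.example/": (302, "http://news.example/"),
    "http://social.example/": (200, None),
    "https://social.example/": (200, None),
    "http://old.example/": (200, None),
}

if __name__ == "__main__":
    for host in ("bank.example", "news.example", "social.example", "old.example"):
        print(host, "->", classify_https_support(host, SAMPLE_RESPONSES))
```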

The in between bits where a secured connection is available if you want it…

In response to public demand, some websites that allow you to share personal information have started offering the option to always use a secured connection. Twitter and Facebook in particular now provide an option in the account settings to always use a secured HTTPS connection. Unfortunately, because this is an account-based setting, you have to be logged in to the website before it takes effect, so you will probably still have logged in over an unsecured connection.

I’ve already outlined how you can enable this setting for Twitter in a previous post here.

As for Facebook, select the Account Settings from the Account menu at the top right corner…

…from here select ‘Change’ for Account Security…

…and then in the section that drops down, tick the box for “Secure Browsing (https)”

There are a few other security options available from here which I’ll cover in another article.  With Facebook in mind, they do seem to be trying to improve security; privacy however is another issue for another time 🙂
Hope this helped!

For Firefox users, there’s an add-on that will try to connect to any website using secured HTTPS first. I’ve not tried this myself yet so please leave me a comment if you have… https://www.eff.org/https-everywhere

Image Attribution: Thanks to Pixomar @ FreeDigitalPhotos.net for the image

2 thoughts on “HTTPS, where to find it and how to use it”

  1. Anonymous

    One of the more useful blogs I’ve read lately, thanks. Although probably not for the reasons it should be (sorry!)

    So, using https evades website blocks at work. You mentioned in the last post that https uses encrypted data. Does this extend as far as the url you’re entering, or are IT here lazy?

    Secondly, when your browser questions a security certificate thing (and I blindly accept it) why is that?

  2. thegaryhawkins

    Unfortunately HTTPS will not disguise the website that you’re visiting. For that you’d need to use an anonymising proxy such as TOR but then it will be recorded that you’re using an anonymising service, which in itself would be questionable behaviour.

    As for certificate warnings, that would be one of three things; the certificate was not issued by a trusted source (it might have been faked), the certificate name does not match the website (the website might have been faked), or the certificate has expired (likely just slack administrators). If you get a warning then double-checking the web address should be enough to be sure.

    Let me know if you need any more info and I’ll be happy to do what I can :o)
