HTTP Secure (HTTPS)

When we browse the web, who can see what we're reading? Who can see the text we type into forms?

With standard HTTP, many people can: attackers intercepting packets, ISPs monitoring traffic, government agencies tapping into the fiber cables that make up the backbone of the Internet. Using well-known exploits, they can read the contents of every website and even inject their own contents.

That's why websites increasingly use HTTPS (Hypertext Transfer Protocol Secure) to protect the privacy of their users and prevent tampering. HTTPS is also known as HTTP over TLS, because it's implemented by encrypting HTTP requests and responses with the TLS protocol.

An HTTPS connection starts with the URL in the address bar. Standard HTTP connections have URLs that start with "http://". Secure HTTP connections have URLs that start with "https://".

⬆ Take a look at the address bar now. You should see a URL that starts with "https://www.khanacademy.org/". If it starts with "khanacademy.org/", try double clicking the address bar to see the full URL.

Of course, most users will just type the domain, like "khanacademy.org". Savvy users might even type a URL like "http://khanacademy.org". When a website supports HTTPS and wants to make sure that all of its users are served a secure connection, it should redirect all requests to the HTTPS version of their site.

🔍 Try typing in a few URLs of your favorite sites in a new tab and inspect the final URL in the address bar once the website loads. Did any of them redirect to HTTPS? Are any of them using HTTP that you really wish would use HTTPS?

When the browser loads a URL that starts with "https", it begins the process of setting up a secure connection over TLS. (Need a refresher on the process? Review our TLS article.)

Early in that process, the browser must verify the digital certificate of the domain. There are many ways a certificate can be invalid, and browsers will often display certificate errors.

Here's what it looks like when Chrome discovers a certificate was issued by a certificate authority that it doesn't trust:

If the certificate is valid and everything else goes smoothly in the TLS setup, most browsers will display a lock in the address bar. That lock indicates a secured connection over HTTPS.

Here's the lock icon for Firefox:

Clicking that lock icon yields even more information about the site's security:

An HTTPS connection ensures that only the browser and the secured domain see the data in HTTP requests and responses. Onlookers can still see that a particular IP address is communicating with another domain/IP and they can see how long that connection lasts. But those onlookers can't see the content of the communication, which includes the full URL path, the webpage HTML, and any text submitted in forms. Right now, an onlooker may know you're visiting khanacademy.org, but they don't know you're reading an article about HTTPS.

HTTPS also prevents tampering of website content. When a website is secured over a standard HTTP connection, the packets can be intercepted and their contents replaced. If an attacker or even a government agency intercepts visits to a news site, they can easily serve up fake news. TLS includes a mechanism to detect packet alterations, so HTTPS connections are resistant to tampering.

Many organizations believe that every website should serve all connections over HTTPS, due to the massive benefits. As of February 2019, around half of the top million websites use HTTPS by default. Will that ever reach 100%? You can help us get there by asking your favorite websites to use HTTPS or becoming a security-savvy web developer yourself.

🙋🏽🙋🏻‍♀️🙋🏿‍♂️Do you have any questions about this topic? We'd love to answer—just ask in the questions area below!