Posts Tagged ‘http versus https’

Add Your Own Security – say yes to the “s”

Monday, August 13th, 2012

Here’s a tip I haven’t heard from anyone except my CISSP study-buddy, Amir .  He manages global IT for a big company, so he’s smart about these things.  I tell everyone about it now because it’s very easy, makes you safer, and it’s not obvious.  I hope it won’t be long before it’s not necessary, but right now it’s still a great idea for those of you who engage in on-line banking, or are toying with the idea of adding such an app to your cell phone.

First, you’ve all seen this part of a web page address, whether it’s in an ad or at the top of your browser:


for example,

and you may or may not have noticed that sometimes you get this one instead, and it looks just a little different:


for example,

What’s the difference between these two sequences, kids?  That’s right, the second one has an extra “s”!  And what does that stand for?

Some of you know it has something to do with security, which is good, because when I asked my writer friend Deb she asked, “maybe they ran out of “http” and need to add “https”?

This is not a bad guess.  But, it’s completely wrong.

What the little “s” is telling you is that the site you are accessing is more secure.  It is making sure you are who you say you are by conducting what we call a handshake between the computer you are using and the website.  Part of that includes encrypting the information which flows between the two of you so that no one else along the way can read it.

Doing this makes certain types of attacks much harder to carry out*.  So anytime you are providing data which is at all sensitive, make sure the site you are going to is “https” and not only “http”.

Sounds like a good idea, right?  But how is this done?

Believe it or not, all you have to do is go up to your browser and add in the “s” to the address, and refresh (hit “Enter”).  This will redirect you to the secure version of the site if that company has one.   Many companies maintain both an http and an https version.

Easy, right?  But if more security is better, then why have a non-secure website at all?  The simple answer is that https isn’t free, so if it’s not necessary most sites don’t implement it.  By example google has an http version for the unwashed masses (and the rest of us, when we’re goofing off and checking celebrity gossip) but they will automatically switch you to https when you go to check your gmail account.  Amazon will allow you into their http to browse, but of course when you make a purchase you end up on https.  This is how the majority of sites operate.  They try to protect you, so in most cases you’ll be alright.  But when it’s especially critical, keep an eye out for the s!



* it will protect you unless your system is already infected, so never conduct on-line banking from a public terminal!