This is part of our Why HTTPS series.
You may have noticed a strong uptick recently in the number of websites you visit that use HTTPS. Or you may have noticed that many companies, like Google and Safeco, have begun encouraging website owners to support HTTPS on their own websites. If you’re curious about the reasons behind this, and the reasons you should add HTTPS support to your website, you’re in the right place. This is the first of a series of blog posts I’ll be writing on the topic.
First, let’s define what we’re talking about so we’re all on the same page.
HTTP stands for Hypertext Transfer Protocol, and it’s what web browsers and web servers use to communicate.
HTTPS adds an S, which stands for Secure. HTTPS is just like HTTP, but it sits atop an encryption layer (SSL).
SSL stands for Secure Sockets Layer. It’s the predecessor to TLS (Transport Layer Security). The layer in question is the encryption layer that HTTP runs over to become HTTPS. Technically TLS is the correct term, but SSL is what most people use to talk about it. This is where our Whole-Site SSL product gets its name.
So what does HTTPS get us? Three main things: privacy, authentication, and integrity. All three of these are necessary for what we think of as private communication in any setting, not just online. They apply to electronic communications just as well as to two parties in the Middle Ages.
This is what interests me most about online security: the concepts are not new even if the technology is. These concepts predate the internet by millennia, and the security technologies we have today are, even if innovative, simply projections of those principles.
As I explain these three concepts, I’ll give examples from different time periods to demonstrate they are broad in nature and not specific to technology.
The first, privacy, means the communications are indecipherable by a third party. This could be because they can’t be overheard or intercepted, or because they’re encrypted. Examples of private communications include:
- two people in a room talking quietly so they can’t be overheard
- a king passing a message to a military leader via a secret tunnel under the city
- a person sending an encrypted email to a friend
In all of these cases, the messages either could not be intercepted or could not be deciphered, making them private. Because internet communications happen over a network, SSL achieves privacy through encryption, which is a way of scrambling a message so that it can be unscrambled later. Properly implemented, it can only be unscrambled by the intended recipient.
The second, authentication, means a person can be confident she’s talking to exactly who she thinks she’s talking to. This isn’t much of a problem for in-person conversations (though it can be, such as if you think you’re talking to a co-worker, but in fact you’re talking to his twin brother, especially if you aren’t aware he has a twin).
This problem mostly applies to communications that don’t happen face-to-face, such as the king sending a message using a secret tunnel. How can the king be sure it was his military commander who received the message and responded, and not an enemy? There are many cases where this could go unnoticed: perhaps a horse carried the message and brought back a response, or a servant who had never met the intended recipient of the message and failed to identify the enemy as such.
The king needs to have a way to verify the response is authentic. Back then, they used things like unique wax seal stamps and secret passwords. If the commander had a unique stamp that the king could recognize, and the written response was stamped using it, then the king could be reasonably certain the response was in fact from the commander.
Finally, integrity means that a message has not been tampered with. Following with the example above, it would be vitally important for the king’s message to arrive unaltered, so that a message of “attack today” could not be changed to read “attack tomorrow” by an enemy. This could be achieved by a simple checksum.
For example, if each letter is given a numerical value (A=1, B=2, C=3, …), and the king had a special number—say, 5—then the letters’ values could be added up and multiplied by 5. Before sending the message, the king would write the output of that calculation at the end of the message (e.g., “attack today 605”). Then, the military commander would do the same calculation using what he privately knows to be the king’s secret number. If he gets the same answer as the king wrote on the message, he knows it has not been altered. (The numbers here are trivially small, but the principle applies.)
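Here is the king’s checksum worked through in code, as an added example that is not part of the original post. It reproduces the 605 for “attack today”, shows a tampered message failing the check, and then shows a limit of the toy scheme (the sum doesn’t care about letter order) next to an HMAC, the kind of keyed construction TLS uses for the same job. The key and messages are made up for the demonstration.

```python
import hmac
import hashlib


def kings_checksum(message: str, secret: int) -> int:
    """The post's toy scheme: A=1 ... Z=26, ignore non-letters, sum, times secret."""
    total = sum(ord(ch) - ord("a") + 1 for ch in message.lower() if ch.isalpha())
    return total * secret


def seal(message: str, secret: int) -> str:
    """Append the checksum the way the king does: 'attack today 605'."""
    return f"{message} {kings_checksum(message, secret)}"


def verify(sealed: str, secret: int) -> bool:
    """The commander's side: recompute with the shared secret and compare."""
    message, _, tag = sealed.rpartition(" ")
    return tag.isdigit() and kings_checksum(message, secret) == int(tag)


# Weakness of the toy checksum: rearranging letters keeps the same sum,
# so "today attack 605" verifies just as "attack today 605" does.
def reordering_passes(secret: int) -> bool:
    return verify("today attack 605", secret)


# Modern counterpart (assumed for illustration, not from the post): an HMAC
# over the whole message with a shared key. Any change, including reordering,
# produces a different tag, and the tag does not leak the key.
def hmac_seal(message: bytes, key: bytes) -> bytes:
    return hmac.new(key, message, hashlib.sha256).digest()


def hmac_verify(message: bytes, key: bytes, tag: bytes) -> bool:
    # compare_digest avoids timing differences between near-miss tags
    return hmac.compare_digest(hmac_seal(message, key), tag)


if __name__ == "__main__":
    print(seal("attack today", 5))                         # attack today 605
    print(verify("attack tomorrow 605", 5))                # False: tampered
    print(reordering_passes(5))                            # True: toy weakness
    key = b"constructed-demo-key"
    tag = hmac_seal(b"attack today", key)
    print(hmac_verify(b"today attack", key, tag))          # False: HMAC catches it
```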
There’s more in this Why HTTPS series, including my next post which covers SSL Stripping Attacks.
If you’d prefer not to think about this sort of thing and want someone who understands it to handle it for you, then add Whole-Site SSL today. If you don’t already have your insurance agency website through Banyan Theory, sign up today and we’ll build you one. With SSL.