How does HTTPS / Browser Encryption work?
Oftentimes when you connect to a website, you will notice that the URL just displays the website name. But as we move into a more digital world, it is highly recommended that sites use SSL certificates and Transport Layer Security (TLS) to encrypt your connection to them. This shows in your browser as https://, with the S being the important thing to look for. Browsers like Safari on your iPhone/iPad/iPod and Firefox on your desktop/laptop now make it easy for you to determine which sites are secured and which are not by displaying a lock icon beside the website name. See this linked example of PayPal’s website, which shows not only the lock icon but also identity verification known as an Extended Validation (EV) certificate (green words beside the lock) to add a trust factor, making sure you are connecting to the real PayPal website.
In a nutshell, when you connect to a website with an SSL certificate, everything you do with that website is encrypted from your browser to the website’s server and back to your browser. This includes login information, passwords, financial information, and all other personal details. Even on my website cryptoseb.pw, I have an SSL certificate that is using TLS to encrypt all the traffic. I don’t have a need for one at all, but it is good practice to always use one. Encryption is never a bad thing on the Internet. But be careful: certificate authorities (the big companies that hand out trusted SSL certificates) can and have been hacked/breached in the past, which compromises the security of every certificate they have issued. HTTPS doesn’t just encrypt the data in transit, either; it also gives us a way to authenticate it. When a website transmits all its information in plaintext, you can’t be certain that even the website you are viewing is the real one, and if your connection were the victim of a man-in-the-middle attack, the data could be compromised at any time. Pulling that off is not an easy task when a website makes proper use of SSL/TLS.
However, encryption to and from a website isn’t always up to current standards: it can be misconfigured, use weak algorithms/cipher suites, or have trust issues with the certificate. The best way to find out whether the website you are connecting to has a well-configured certificate and TLS setup is to head over to https://www.ssllabs.com/ssltest/ and put the website URL into the scan box. I have configured cryptoseb.pw to get an A+ with complete 100s down the list. This is serious overkill and loses support from some older browsers, but it means the highest level of security. Here are some pointers on what to look for to get maximum encryption strength/trust:
- Certificate is TRUSTED
- Key is greater than 2048 bits (RSA)
- TLS 1.2 offered as a protocol but NOT SSL
- RC4/MD5 ciphers are NOT allowed server-side
- Secure Renegotiation enabled
- HSTS (HTTP Strict Transport Security) enabled
- Public Key Pinning (HPKP) enabled (not absolutely necessary though, just a bonus)
- OCSP Stapling enabled
- Forward Secrecy ciphers preferred server-side
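To make the checklist concrete, here is an added example (not code from the original post) that turns the pointers above into a small Python audit. It assumes the caller has already collected the negotiated protocol, cipher suite, key size and chain-trust result (for instance from `ssl.SSLSocket.version()`, `.cipher()` and the peer certificate) together with the HTTP `Strict-Transport-Security` header; the two sample endpoints at the bottom are constructed values, not real scan results. It also builds the client-side counterpart of the same rules, a hardened `ssl.SSLContext` that refuses anything below TLS 1.2 and always verifies the certificate chain and hostname, which is what gives HTTPS the authentication property described above.

```python
"""Check a TLS endpoint summary against the HTTPS checklist.

Added example, not code from the original post. The handshake parameters
and HSTS header are assumed to have been collected by the caller; the
sample endpoints in __main__ are constructed for illustration only.
"""
import ssl

# Substrings that mark a cipher suite as weak, in OpenSSL naming.
WEAK_CIPHER_MARKERS = ("RC4", "MD5", "DES", "NULL", "EXP", "ADH", "AECDH")
# Suites that use an ephemeral key exchange, i.e. provide forward secrecy.
# TLS 1.3 suites (TLS_AES_..., TLS_CHACHA20_...) are always ephemeral.
FORWARD_SECRECY_PREFIXES = ("ECDHE", "DHE", "EDH", "TLS_")
ACCEPTABLE_PROTOCOLS = ("TLSv1.2", "TLSv1.3")
MIN_HSTS_MAX_AGE = 15_552_000  # 180 days, the floor SSL Labs uses for an A+


def hardened_client_context() -> ssl.SSLContext:
    """Client-side counterpart of the checklist: TLS 1.2+ only, certificate
    chain and hostname verified, and no RC4/MD5/3DES or anonymous suites."""
    ctx = ssl.create_default_context()  # loads the system trust store
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!MD5:!RC4:!3DES")
    return ctx


def parse_hsts(header_value: str) -> dict:
    """Parse a Strict-Transport-Security header value into its directives."""
    result = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in header_value.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                result["max_age"] = int(value.strip().strip('"'))
            except ValueError:
                pass  # a malformed max-age is treated as absent
        elif name == "includesubdomains":
            result["include_subdomains"] = True
        elif name == "preload":
            result["preload"] = True
    return result


def audit_endpoint(protocol, cipher, key_bits, hsts_header, cert_trusted) -> list:
    """Return a list of findings; an empty list means every pointer is met."""
    findings = []
    if not cert_trusted:
        findings.append("certificate chain is not trusted")
    if key_bits < 2048:
        findings.append(f"{key_bits}-bit key is too short; use 2048 bits or more")
    if protocol not in ACCEPTABLE_PROTOCOLS:
        findings.append(f"{protocol} negotiated; only TLS 1.2 or 1.3 should be offered")
    if any(marker in cipher for marker in WEAK_CIPHER_MARKERS):
        findings.append(f"weak cipher suite {cipher} accepted server-side")
    if not cipher.startswith(FORWARD_SECRECY_PREFIXES):
        findings.append(f"{cipher} has no forward secrecy; prefer ECDHE/DHE suites")
    hsts = parse_hsts(hsts_header) if hsts_header else None
    if hsts is None or hsts["max_age"] is None:
        findings.append("HSTS header missing")
    elif hsts["max_age"] < MIN_HSTS_MAX_AGE:
        findings.append(f"HSTS max-age {hsts['max_age']} is below 180 days")
    return findings


if __name__ == "__main__":
    # Constructed sample endpoints, not real scan results.
    weak = audit_endpoint("TLSv1", "RC4-SHA", 1024, None, cert_trusted=False)
    strong = audit_endpoint("TLSv1.3", "TLS_AES_256_GCM_SHA384", 4096,
                            "max-age=31536000; includeSubDomains; preload",
                            cert_trusted=True)
    print("weak endpoint:", *weak, sep="\n  ")
    print("strong endpoint:", "no findings" if not strong else strong)
```

The audit deliberately treats the cipher suite name as the source of truth for both the weak-algorithm and forward-secrecy checks, because that is exactly what a scanner like SSL Labs reports per suite; the client context shows that the same policy can be enforced from the browser/client side rather than trusting the server to get it right.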
Follow the steps at the link below to turn on the native HTTPS-only features in Firefox, Chrome, Edge, and Safari, and celebrate with us that HTTPS is truly everywhere for users: https://www.eff.org/deeplinks/2021/09/https-actually-everywhere