50

First of all I am a web developer and not a security expert. I have read lots of articles about the difference between HTTPS and HTTP, including this site.

The basic idea I got from them is, when using HTTPS all things are encrypted on the client side and then sent to the server. (Please correct me if I am wrong)

So even our network admin or other person in the network can't get anything.

When I use my laptop at home (trusted network), is there any advantage of using HTTPS over HTTP?

  • 43
    In this day and age you can't trust your ISP. Your ISP can see everything you send to a server because *you sent it to them* - kinda like how the post office could read your letters, if they wanted. – user253751 Aug 24 '17 at 07:37
  • 16
    Are you talking about using a website on the same computer as your browser, one on another computer on your network, or one on the internet at large? Most answers will be predicated on your choice of network. – jpaugh Aug 24 '17 at 08:13
  • 4
    BTW, if you're using equipment supplied by your employer, they can (and probably do) [monitor SSL traffic.](https://security.stackexchange.com/a/54180/88532) Essentially, they can spoof the certificates for every website, as long as they install their spoofed certs (or spoofing CA) to your OS's trusted certificate store. – jpaugh Aug 24 '17 at 08:21
  • 2
    You don't have a secure pipe to the server, not even from your home. In this day and age, everyone is trying to scoop into your requests, even your ISPs. And your connection can be hopping from places far less trustworthy than your ISP, too. – ecc Aug 24 '17 at 09:39
  • 7
    @immibis More like "could read your postcards." To read the contents of unencrypted IP traffic you do not even have to pry open some envelope, it's just there in the clear, on their lines and routers. – Dubu Aug 24 '17 at 16:22
  • Relevant on [webmasters.se]: [Force Using SSL on Site now?](https://webmasters.stackexchange.com/q/59770/10915) and [What events caused mass migration to HTTPS?](https://webmasters.stackexchange.com/q/103166/10915) and [What is the benefit of forcing a site to load over SSL (HTTPS)?](https://webmasters.stackexchange.com/q/96238/10915) and probably [a decent chunk of their \[https\] tag](https://webmasters.stackexchange.com/questions/tagged/https). – user Aug 24 '17 at 18:05
  • https://www.eff.org/https-everywhere may help to maximize using Https when browsing – Steve B Aug 24 '17 at 20:06
  • 1
    @jpaugh 's question is highly relevant. If you're talking about using only HTTP to communicate with, say, your home media server's configuration page... well that's not likely going to be an issue unless you have an unsecured Wi-Fi access point or other untrusted points of entry on your home network (note, this could include your ISP-supplied router!). – Doktor J Aug 25 '17 at 13:29
  • *"When I'm using my laptop at home, is there any advantage of using HTTPS over HTTP?"*. Yes, the data being sent between you and the server is encrypted, so no one in the middle, **whoever he is**, can see it without breaking the encryption. Plus you are sure that the data you received is from the server you want. – AccountantM Aug 25 '17 at 13:36
  • Related? https://security.stackexchange.com/questions/153797/should-web-applications-that-are-only-accessible-from-a-lan-be-held-to-the-same – Ismael Miguel Aug 27 '17 at 00:50
  • 1
    @immibis: I'd argue you're wrong, because you *can* trust your ISP not to tamper with traffic, and lack of tampering (*not* lack of snooping) is all you need to be able to ensure full security. The real trouble is the fact that there are more entities between you and the destination server besides the immediate ISPs. – user541686 Aug 27 '17 at 08:36
  • If I'm your network admin I'm pretty sure I can intercept everything. –  Aug 27 '17 at 17:00
  • @Mehrdad I mean, you **can** trust them (you are physically capable of doing so), but you'd be wrong to (they are not trustworthy). Some ISPs are known to inject extra ads for example. – user253751 Aug 27 '17 at 21:44
  • @immibis: Yeah I'm aware of ads (in [another comment](https://security.stackexchange.com/questions/168089/is-there-any-difference-between-http-and-https-when-using-my-home-own-internet?noredirect=1#comment321045_168205) I said "maliciously tampering" to account for this, as well as the fact that we're talking about *home* ISPs, not cell service providers) -- but that's irrelevant, since injecting ads in plain view is quite a far call from secretly forging credentials and silently masquerading as the other party. One is a visible nuisance, the other one is a serious felony. – user541686 Aug 27 '17 at 21:57
  • @Mehrdad It's home ISPs that do (did?) it. And sometimes the injected ads broke the webpages they were injected into. Even if you are not especially concerned about tampering, the fact they break things when they can is a good reason to use HTTPS. – user253751 Aug 27 '17 at 22:43
  • @immibis: Huh, I wasn't aware home ISPs did it, thanks for that. Yeah, I mean it's certainly better to use HTTPS, no doubt about that. – user541686 Aug 27 '17 at 22:50
  • @immibis and that is why certificate pinning needs to become more widespread – daniel f. Aug 28 '17 at 07:12
  • @danielf. Are they doing it to HTTPS sites now and requiring you to install their certificate? – user253751 Aug 28 '17 at 07:14
  • https://en.m.wikipedia.org/wiki/HTTP_Public_Key_Pinning you can tell browsers to pin public keys by using the proper http headers. It is invisible to the user, the browser does it for you – daniel f. Aug 28 '17 at 07:18

6 Answers

124

TLS provides three things:

  • Confidentiality: that nobody can see the traffic between you and facebook.com (including the guy at the next table at Starbucks, your ISP, some sketchy network equipment in the datacentre COUGH NSA, nobody).
  • Integrity: that nobody is modifying the messages as they travel between you and facebook.com (this is separate from Confidentiality because some kinds of attacks allow you to modify the message in a malicious way even if you don't know what the messages are).
  • Authentication: that you are talking to the authentic facebook.com server, not a spoofed version of it.

> The basic idea what I got from them is, when using https all things are encrypted in client side and then sent it to the server. (Please correct me if I am wrong)

That covers the confidentiality and integrity parts, but you're missing the authentication part:

To prove that you're not talking to a spoofed web server.

Say I set up a phishing version of Facebook and I somehow hack into your home router (easy) or ISP (harder) so that when you type facebook.com it resolves to my IP address instead of the real one. I've created an exact copy of the login screen you expect and you'll enter your username and password. Muahaha! Now I have your username and password.

How does HTTPS prevent this? Answer: with Certificates:

[Image: HTTPS green lock thingy]

If we open up the certificate in my browser's Dev Tools > Security, we'll see this:

[Image: certificate]

DigiCert is what's called a Publicly-trusted Certificate Authority (CA). In fact, DigiCert is one of the CAs that your browser inherently trusts because its "root certificate" is embedded into your browser's source code. You can see the full list of trusted root CAs by digging around in browser Settings and looking for "Certificates" or "Trusted Roots" or something.

So, your browser inherently trusts DigiCert, and, through this certificate, DigiCert has certified that the server you are talking to is the real facebook.com (because it has the private key that matches the certificate). You get the green padlock and you know that everything is good.


Just for fun, let's make a fake facebook.com. I added this line to my hosts file so that any time I type facebook.com it will redirect to google.com's IP address:

    209.85.147.138  facebook.com

Google, what'cha doing trying to steal my facebook password?? Thank goodness HTTPS is here to protect me! My browser is super unhappy because the certificate it was presented (for google.com) doesn't match the URL it requested (facebook.com). Thanks HTTPS!

[Image: insecure connection when the cert does not match the URL]

Mike Ounsworth
  • 58,107
  • 21
  • 154
  • 209
  • Comments are not for extended discussion; this conversation has been [moved to chat](http://chat.stackexchange.com/rooms/64515/discussion-on-answer-by-mike-ounsworth-is-there-any-difference-between-http-and). – Rory Alsop Aug 27 '17 at 22:23
  • Also, more realistically, the anti-spoofing approach provides an extra layer of protection against phishing. It's not 100% perfect, as people have gotten certificates that they shouldn't have before, but generally certificate authorities are supposed to be a layer of protection so you can be sure that a domain indeed does belong to the organization you expect. And while someone spoofing a site might be difficult and unlikely, everyone is very vulnerable to phishing. – Kat Aug 29 '17 at 18:08
  • @Kat Agreed. Though one thing I don't like about the CA system is that it puts the burden on the user to know the correct URL for the thing they're looking for. For example, a CA will happily issue a cert for `googe.com` or `bankofamerica.bank` even though they do not belong to the organization you expect. My grandmother would definitely fall for this. – Mike Ounsworth Aug 29 '17 at 18:15
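
The name check behind the hosts-file experiment in the answer above, as an added example (not code from the answer or from any browser). It is a simplified model of DNS-name matching only; chain validation to a trusted root is out of scope, and the SAN lists and function names are constructed for illustration.

```python
# Added example: the name check a TLS client applies to a server certificate.
# All certificate contents below are constructed for illustration.

def _labels(name):
    # DNS names compare case-insensitively; ignore a trailing root dot.
    return name.rstrip(".").lower().split(".")

def san_matches(pattern, hostname):
    """True if one dNSName entry (pattern) covers hostname (RFC 6125 style)."""
    p, h = _labels(pattern), _labels(hostname)
    if len(p) != len(h) or "" in p or "" in h or "*" in hostname:
        return False
    if p[0] == "*":
        # A wildcard covers exactly one left-most label, and only when at
        # least two literal labels follow it (no "*.com").
        return len(p) >= 3 and "*" not in pattern[1:] and p[1:] == h[1:]
    if "*" in pattern:
        return False  # partial or non-left-most wildcards are rejected
    return p == h

def verify_hostname(cert_sans, hostname):
    """Return the SAN entry that authorises hostname, or None on mismatch."""
    for entry in cert_sans:
        if san_matches(entry, hostname):
            return entry
    return None

# Constructed SAN lists standing in for the certificates discussed above.
GOOGLE_CERT = ["google.com", "*.google.com"]
FACEBOOK_CERT = ["facebook.com", "*.facebook.com"]
TYPO_CERT = ["googe.com"]  # look-alike domain, issued to whoever owns it

def connect(requested_host, presented_sans):
    """Model the client's decision after DNS (or a hosts file) picked the IP."""
    matched = verify_hostname(presented_sans, requested_host)
    return "ok: " + matched if matched else "blocked: certificate name mismatch"

if __name__ == "__main__":
    # hosts file points facebook.com at a Google IP: the server presents
    # Google's certificate, which does not cover the requested name.
    print(connect("facebook.com", GOOGLE_CERT))
    print(connect("www.facebook.com", FACEBOOK_CERT))
    # The check compares names, not intent: a typo domain passes for itself.
    print(connect("googe.com", TYPO_CERT))
```

The last case is the limitation raised in the comments: the certificate proves control of the name in the URL, so a mistyped URL with its own valid certificate still passes.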
6

Short answer:

HTTPS intends to establish a secure connection between a registered website and its user's computer, so you can be sure that the visited site is really what you wanted to visit, and the data is not acquired/altered in transit.

Long answer:

If I understood you correctly, your basic idea is that only a network admin can monitor your activity, and there is no such thing at home. This is not the case.

Any individual, group, company (ISP) or state can see and alter the transit, and by that infect your computer. The internet nowadays is rather a cyberwarzone, where the mentioned entities often attack even their allies to steal information=money=power, gain control, threaten or physically injure people through hacking. Even state tools are available for individuals on the black market. Persistent tools/malware survive changing the hard drive, so they can monitor/harm you in the long term.

The problem with HTTPS is that it can also be hacked in many ways, thus it gives you a false sense of security, which might be more dangerous.

This is why it is important to use HTTPS whenever you can, and care about system security too. You can download extensions for browsers to automatically direct you to HTTPS sites when it is possible.

TriloByte
  • 241
  • 2
  • 8
  • A more specific threat vector: internet-capable devices abound in the home these days (stereos, TVs, fridges, phones, even toothbrushes) - for a lot of these, security is actually not brilliant - in theory, a packet sniffer could be installed on any of these devices to snoop your home network and log/relay that to an outside source. – HorusKol Aug 25 '17 at 00:43
  • 1
    Or do more than sniffing. Also by internet we mean any network connection: TV, phone, radio cable or by air. According to F-Secure, for example, IKEA actually puts effort into IoT security compared to the rest of the manufacturers. Smartcars are a bit more serious problem. Many times even "assistance" or "lojack" software communicates with servers unencrypted. 5% of companies and 20% of government computers run outdated OS. Outdated OS "economic" companies + unencrypted server phoning + "improving experience" + IoT = you pay to be spied/hacked. – TriloByte Aug 25 '17 at 10:02
6

The other answers so far are good. I'll add one more angle: The Internet is a loosely connected mesh of routers; your home wifi router is only one of them. Any HTTP connection you make to a web server elsewhere on the net typically takes a path through a dozen or so routers to get there. That path changes frequently depending on network conditions; you can't predict whose routers you will be using. Each of these routers is owned and managed by a different person or company[1].

All of those people have the ability to watch your data as it goes past. They might do this on a routine basis, in non-malicious situations, during the course of everyday troubleshooting, because that mesh of routers needs constant monitoring and administration to keep it running at all; this effort encompasses several career fields alone. (The people who choose these career fields tend to be rather adamant about good security and tend to take their social responsibility seriously, but the only thing keeping them out of your data in a practical sense is their own conscience and reputation.)

So the equipment, software, and capability is already there; all a bad guy has to do is co-opt someone else's router or monitoring system.

HTTPS connections take the same path, but because they are encrypted, only the web server's administrator can see the cleartext content; the router administrators will only see what looks like random noise. (The web server itself might be compromised, but that's a different problem.)

[1] Playing with the traceroute or tracert command yourself will give you a glimpse of what these paths can look like.

stevegt
  • 189
  • 3
  • 3
    Right - it is not only the ISP that can look at your traffic! – Floris Aug 26 '17 at 17:50
  • This is actually the real answer to the question. The rest don't explain what the real-world risk is. I trust ISPs not to maliciously tamper with the traffic, but I wouldn't trust certain upstream orgs to avoid doing the same. – user541686 Aug 27 '17 at 08:33
2

With HTTP, information flows through this pipeline between your computer and the server:

[Image: diagram of the pipeline with HTTP]

From left to right: your computer, the airspace surrounding your computer and your wifi router, your router, the cable to your local ISP box, your local ISP box, a vast network of devices and wires that you know nothing about and have no control over, the server's local ISP box, the cable to the server, and the server itself.

Anywhere in the red area, the information can be snooped and tampered with. Anyone controlling one of the red boxes can snoop and tamper with the information. Anyone at all can break open one of the red pipes and gain access to the information flowing through it and snoop or tamper with it.

Your information is only safe within the green and blue boxes and pipes.

With HTTPS, information flows through this pipeline:

[Image: diagram of the pipeline with HTTPS]

Your computer and the server establish a virtual pipe that can't be broken open, and run it through all the pipes and boxes between each other. Now your information is safe at every point in transit.

Jordan
  • 313
  • 1
  • 7
1

Yes, there's a tremendous advantage to utilizing HTTPS over HTTP.

  1. HTTP is not encrypted through PKI, and as such, all information is passed via plain text, readable by a packet sniffer and every piece of equipment those packets pass through once they exit the modem.
  2. With HTTP, there is no way for one to know whether the owner of the site is who they say they are, and as such, no way for one to know if they're being subjected to a MITM attack.
    • This is why it's recommended to always utilize HTTPS if a site offers it, since this is the only way a user can trust the content they're being served has not been tampered with.

With HTTPS, all information sent and received is encrypted via PKI, at minimum with a 1024bit/equivalent encryption key and SHA256 hash; however, many sites have switched to 2048bit/equivalent, and any site processing logins is more likely than not using a 2048bit/equivalent encryption key.

  • For example, when utilizing HTTP, all equipment those packets pass through can read exactly what information is being sent and received (this includes passwords, account & CC numbers, etc.); however, if utilizing HTTPS, all that could be read would be the header info.

Your question also comes up a lot with router WebUIs on LANs, and even though that traffic never leaves the local network, it should still be accessed via HTTPS only, else all passwords, including root's, will be sent as plain text.

  • It doesn't matter if a person is the only one on/accessing their local network... if passwords/sensitive information must be sent/received, it should always be accessed by HTTPS only, especially when it only takes a few minutes to generate a self-signed CA or CA/ICA, and use the CA or ICA to sign a CSR for the server.
JW0914
  • 115
  • 5
0

Even if you don't care too much about the possibility of your ISP/government being evil, there are at least two attacks that are easy to perform against your home connection so that HTTPS will be the only thing protecting your data:

  • The evil twin attack where someone sets up a wifi router with the same name as yours but with a more powerful signal, so that you end up connecting to them instead of your own wifi router (typical home wifi setups only involve one-way authentication - the laptop proves its identity with the password, but the router does not have to prove itself).
  • Hijacking the router, which is often easy - router software tends to be insecure, and there is no security update process, so once a vulnerability for your specific router version is discovered, your router remains vulnerable forever. There are various ready-made tools and even automated malware out there which target routers. E.g. this attack happened a few months ago.
Tgr
  • 668
  • 3
  • 11