Why do we need HTTPS?

We need HTTPS for 3 reasons.

Privacy, integrity, and identification.

Let's talk about privacy first.

I'll use my friends as an example.
I am sending a message to Browserbird.
Oh no! The message is not encrypted!
Crab is listening in on the communication and capturing the message.
Potentially using it for evil.
Privacy means that no one can eavesdrop on your messages.

Bad crab. Bad.

When you browse to a website without HTTPS, I could be eavesdropping on your password.

The green padlock on the URL bar of your browser tells you that there are no crabs watching over your shoulder.

Reason number 2: integrity.

Example coming up!

I am sending another message to Browserbird unencrypted.

But before it reaches Browserbird, I intercept the message.

I update the message to say bad things about Browserbird and forward it to him.

Why would Compugter say such things about me?

This is often called a man-in-the-middle attack.

And crab-in-the-middle attacks are the worst.

Bad Crab. Bad.

Integrity means that the message is not manipulated on the way to its destination.

I make sure that your communication is not being tampered with.

Reason number 3: identification.

Example time!

Identification means that I can check that this message is coming from Compugter.

A digital signature attached to a message can identify the sender.
The digital signature is not the closing text on your emails. Anyone could copy that ;)
And when you are browsing the web, identification means that the site that you are visiting is indeed the one you think it is.

HTTPS, via SSL certificates, ensures you are connected to exactly the receiver you expect.

This SSL certificate is valid and has been issued by a legitimate Certificate Authority. You are good to go.

We'll be talking more about SSL certificates and Certificate Authorities soon, so stay tuned.

In summary, privacy, integrity and identification are the main reasons why HTTPS is important.
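To make the integrity and identification points concrete, here is an added example (not part of the original comic) of a digital signature: only the holder of the private key can produce it, and any change to the message makes verification fail. It uses a toy RSA key built from two small, constructed primes and a simplified hash-then-sign scheme; real HTTPS uses far larger keys and padded signature schemes, and the messages and the wrong-key guess are constructed for illustration.

```python
import hashlib

# Toy RSA key, constructed for illustration only: two small Mersenne primes.
# Real keys are 2048 bits or more and come from a vetted crypto library.
P = 2**61 - 1
Q = 2**89 - 1
N = P * Q                            # public modulus
E = 65537                            # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent, known only to the sender


def digest(message: bytes) -> int:
    """Hash the message and reduce it into the range of the modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


def sign(message: bytes, d: int = D) -> int:
    """Sender side: needs the private exponent."""
    return pow(digest(message), d, N)


def verify(message: bytes, signature: int) -> bool:
    """Receiver side: needs only the public values E and N."""
    return pow(signature, E, N) == digest(message)


def demo() -> dict:
    original = b"Hi Browserbird, lunch at noon? - Compugter"
    tampered = b"Browserbird, your nest is ugly. - Compugter"
    signature = sign(original)
    return {
        # Message arrives untouched: the signature checks out.
        "untouched": verify(original, signature),
        # Message changed in transit, old signature copied along: rejected.
        "tampered_copied_signature": verify(tampered, signature),
        # Signature made with a wrong private exponent (constructed guess): rejected.
        "signed_with_wrong_key": verify(tampered, sign(tampered, d=D + 2)),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

A certificate applies the same idea one level up: a Certificate Authority signs the site's public key, and the browser verifies that signature before trusting the site.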

Next on HowHTTPS.works...

Now that we know the why, the next step is to understand symmetric and asymmetric encryption. Big words, but easy concepts.