Most of you will be aware that whenever you visit a website or page where you need to input sensitive information, such as a banking site or the checkout on a shopping site, the address of the site/page should be prefixed with “https” rather than the insecure “http”. The added “s” on the end stands for “secure” and is your guarantee that the information you are providing is being encrypted, making it more difficult for a hacker to intercept your data.
The https security protocol is managed via a system of certification. In order to enable the use of encryption, the web site’s operator first needs to apply for an SSL Certificate, which is, in effect, a small text file installed on the server to verify their identity. These certificates are only granted once the web site operator has proved their identity to a trusted source (such as Symantec, Comodo, GeoTrust) and usually expire after a year or two, requiring a fresh application.
Wikipedia briefly describes https thus:
HTTPS creates a secure channel over an insecure network. This ensures reasonable protection from eavesdroppers and man-in-the-middle attacks, provided that adequate cipher suites are used and that the server certificate is verified and trusted.
As you can see from the provisos included in the above quote, https security relies heavily on correct server certification and strong encryption techniques. You may have read recently about SSL vulnerabilities, with names such as “Heartbleed” and “FREAK”, affecting sites that use older, weaker encryption protocols.
Here are links to two sites which will quickly check the security of any https sites you might be concerned about:
Symantec. SSL Toolbox
This online tool provided by security company Symantec will quickly verify that a site’s SSL certificate is current and valid, and will also provide additional information about any major vulnerabilities on the site.
Just copy and paste an https address into the associated dialogue box and then click the Check button:
- Here’s the link: Symantec. SSL Toolbox
Qualys SSL Labs – SSL Server Test
This very similar online tool from Qualys Labs takes a little longer to complete the scan but also provides more detailed information. However, the summary is what will be of primary interest to most users:
- Here’s the link: Qualys SSL Labs – SSL Server Test
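Some of what these tools report (whether the certificate is current, and whether the protocol version and cipher suite are adequate) can also be checked locally. The following Python sketch is an added example, not code from Symantec or Qualys; the function names, the 30-day warning window and the sample certificate are assumptions made for illustration.

```python
import socket
import ssl
from datetime import datetime, timezone

OLD_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}   # deprecated versions
WEAK_CIPHER_TAGS = ("RC4", "DES", "EXP", "NULL", "MD5")  # OpenSSL name fragments

def fetch_tls_info(host, port=443, timeout=10):
    """Live check: the default context rejects untrusted chains and wrong hostnames."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(), tls.version(), tls.cipher()[0]

def _when(cert_time):
    """Convert a certificate date string to an aware UTC datetime."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(cert_time), timezone.utc)

def assess(cert, version, cipher, now=None, warn_days=30):
    """Return findings for a certificate dict in getpeercert() format."""
    now = now or datetime.now(timezone.utc)
    findings = []
    if now < _when(cert["notBefore"]):
        findings.append("certificate not yet valid")
    days_left = (_when(cert["notAfter"]) - now).days
    if days_left < 0:
        findings.append("certificate expired")
    elif days_left < warn_days:
        findings.append(f"certificate expires in {days_left} days")
    if version in OLD_PROTOCOLS:
        findings.append(f"deprecated protocol {version}")
    if any(tag in cipher for tag in WEAK_CIPHER_TAGS):
        findings.append(f"weak cipher suite {cipher}")
    return findings

# Constructed sample in getpeercert() format, so the demo runs offline.
SAMPLE_CERT = {"notBefore": "Jan  1 00:00:00 2024 GMT",
               "notAfter": "Jan  1 00:00:00 2025 GMT"}

if __name__ == "__main__":
    mid_2024 = datetime(2024, 6, 1, tzinfo=timezone.utc)
    print(assess(SAMPLE_CERT, "TLSv1.3", "TLS_AES_256_GCM_SHA384", now=mid_2024))
    print(assess(SAMPLE_CERT, "TLSv1", "DES-CBC3-SHA", now=mid_2024))
    # For a live site: print(assess(*fetch_tls_info("example.com")))
```

If the certificate chain is untrusted or the name does not match, `fetch_tls_info` raises `ssl.SSLCertVerificationError` before any findings are produced, which is itself the answer to the "verified and trusted" proviso.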
Bottom Line
Https is, in general, a secure protocol. However, just because a site’s address is prefixed with https doesn’t necessarily mean you should trust it implicitly. If in any doubt, you can use one of the above online tools to make sure.