For years, we have been told that HTTPS was reliable and secure. Here, for example, is what the New York Times wrote in 2007:
“If you see the little padlock in the corner of your Web-browser window (or if the Web address begins with “https://” instead of “http://”), you’re connected to a secure Web site. Your transmissions are encrypted in both directions, so you have little to fear from casual packet sniffers. Banking and brokerage sites, for example, are protected in this way.”
Unfortunately, HTTPS is no longer sufficient to protect your privacy in 2011.
There are three major issues with HTTPS:
- Its implementation is spotty. Each website must decide whether and where to use HTTPS. Some sites use it all the time, but some only during log-in and some not at all. Hence the advice that you should look for the padlock or the “S” at the end of HTTPS. (You should also read the privacy statements and the Terms and Conditions before you click “I agree” – but no one does, of course.) Most frequently, websites will use HTTPS during log-in, to protect your user name and password. I submit that this creates a very false sense of security, because, as we wrote last year, once you get past log-in you can still be hacked. All the hacker needs is to be on the same wifi connection, in Starbucks or wherever, and a free, easy-to-use tool called Firesheep. Firesheep works by stealing your log-in credentials right out of the air, and allows the hacker to assume your identity on Facebook, Amazon, Twitter, Yahoo!, or many other sites. It was released last year, and has by now been downloaded over 2 million times.
- The underlying encryption methodology has been broken. It is not easy, and as of now you need to be a security expert to know how to do it. But you can bet that someone will release a tool allowing anyone to do it – and there goes any semblance of security with HTTPS.
- HTTPS relies on a system of easy-to-forge certificates. As I wrote last week, the certificates can be forged or stolen. Using a fake certificate, someone can set up a website that looks exactly like PayPal, for example, and could empty out your account.
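The first weakness above comes down to one thing a site operator can check: whether the cookie set after log-in is allowed to travel over plain HTTP, where anyone on the same wifi can read it. Here is an added example (not code from the original post) that audits a response's headers for exactly that; the sample headers are constructed, not captured from any real site.

```python
"""Audit HTTPS response headers for the login-only-HTTPS weakness:
a session cookie without the Secure attribute is also sent on every
plain http:// request, and without Strict-Transport-Security the
browser will happily make such requests.  Added example; the sample
responses are constructed, not captured from any real site."""


def parse_set_cookie(header_value):
    """Split 'name=value; Attr; Attr=val' into (name, {attr: val})."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, _value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), attrs


def audit_headers(headers):
    """headers: list of (name, value) pairs from one HTTPS response.
    Returns a list of problem descriptions; an empty list means the
    response does not exhibit the weakness discussed above."""
    problems = []
    has_hsts = False
    for name, value in headers:
        lname = name.lower()
        if lname == "strict-transport-security":
            has_hsts = True
        elif lname == "set-cookie":
            cookie, attrs = parse_set_cookie(value)
            if "secure" not in attrs:
                problems.append(
                    f"cookie {cookie!r} lacks Secure: browser sends it over http:// too")
    if not has_hsts:
        problems.append(
            "no Strict-Transport-Security: browser will still follow http:// links")
    return problems


# Constructed sample: a site that encrypts only the log-in page.
WEAK_LOGIN_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sessionid=abc123; Path=/"),
]

# Constructed sample: the same site after fixing both problems.
HARDENED_LOGIN_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "sessionid=abc123; Path=/; Secure; HttpOnly"),
]
```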
So if we cannot rely on the website to provide security via HTTPS, what is the answer? I strongly believe that each person needs to take individual responsibility for the privacy and security of their own Internet communications. Consider this: you have a firewall and antivirus software on your computer, because you do not expect all sites to protect you against viruses.
Why would you think you could rely on those sites to protect your communication?
The only way to adequately protect your Internet communications is with a personal VPN, or virtual private network. You need to use a VPN whenever you are using a public wifi hotspot. And I happen to know where you can get a good one. Just click here and you can try it for free.