Does HTTPS Secure a Website? ...No!

Adrian Thompson, Consultant for Website Development and Online Marketing
CERTIFIED EXPERT
Expert for Cyber Security, Website Hosting, SEO, Adwords, PHP, MySQL and WordPress
Edited by: Andrew Leniart
HTTPS is an essential technology, and the Chrome browser developed by Google now shows “Secure” in the address bar when you visit a page with the HTTPS protocol, such as https://www.experts-exchange.com. But what does this mean? Is the website secure from malware? Is our identity secure?


We will look at what “Secure” HTTPS provides and what it does not provide. We will also look at an example of where 2.9 million Adobe users had stolen data despite “Secure” HTTPS. Finally, we will discuss what actions we can take to keep our data as secure as possible.
 

What is a “Secure” website?

According to Chrome, a secure website is ANY website that correctly uses the HTTPS protocol with a trusted and valid SSL certificate. The only exception to this is a website that has been blacklisted for malicious activity. However, a website will only be added to a blacklist when Google eventually detects the malware or after it has gained a reputation for harming its users. Therefore we need to be on guard that we are not one of the users that are harmed before the website gets blacklisted. 

With this in mind, what precisely is “Secure”?

When you see the “Secure” label in your browser, it means any information you send to the website, such as passwords or credit card numbers, is encrypted to prevent a potential hacker from intercepting your data transmission and reading it. The data transmission starts after you hit the submit button on a web form and ends when the website receives it – it is encrypted and made “Secure” thanks to HTTPS.

Does HTTPS “Secure” my passwords and credit card details?

No! Even though HTTPS will secure your passwords and credit card details while the data is in transit, it will not prevent this information from being stored in an unsecured database. For instance, the database could store your credit card details in plain readable text and the database port could be open with no IP restrictions but Chrome will still show the “Secure” label. This is misleading to non-technical users who will no doubt feel a false sense of security; although the “Secure” label is useful to show the website correctly uses HTTPS, it does not mean the website files and the website database are secure.

Nor will HTTPS protect you from fraud or data misuse. It is similar to using a trusted and secure postal service to send a sensitive letter – after the letter has left the care of the courier (HTTPS) anything can happen, depending on what the recipient does with it. HTTPS means you can trust the delivery of the information will be secure. However, can you also trust the recipient to store your information in a secure way?
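The difference between data that is safe in transit and data that is safe at rest, as an added example (not code from the article or from any site it mentions). It is server-side code that runs after HTTPS has delivered the form, and it covers passwords only; the table names, the sample account and the PBKDF2 work factor are assumptions.

```python
import hashlib
import hmac
import os
import sqlite3

ITERATIONS = 600_000  # assumed PBKDF2-HMAC-SHA256 work factor


def open_db():
    db = sqlite3.connect(":memory:")  # stand-in for the website's user database
    db.execute("CREATE TABLE weak (email TEXT, password TEXT)")
    db.execute("CREATE TABLE hardened (email TEXT, salt BLOB, pw_hash BLOB)")
    return db


def store_weak(db, email, password):
    # The case the article warns about: plain readable text at rest.
    db.execute("INSERT INTO weak VALUES (?, ?)", (email, password))


def store_hardened(db, email, password):
    # Per-user random salt plus a slow hash; the password itself is never stored.
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    db.execute("INSERT INTO hardened VALUES (?, ?, ?)", (email, salt, digest))


def verify(db, email, attempt):
    row = db.execute("SELECT salt, pw_hash FROM hardened WHERE email = ?", (email,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    candidate = hashlib.pbkdf2_hmac("sha256", attempt.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, stored)  # constant-time comparison


def stolen_copy(db, table):
    """What someone holding a copy of the table can read."""
    if table not in ("weak", "hardened"):
        raise ValueError("unknown table")
    return repr(db.execute(f"SELECT * FROM {table}").fetchall())


if __name__ == "__main__":
    db = open_db()
    store_weak(db, "user@example.test", "correct horse")      # constructed sample
    store_hardened(db, "user@example.test", "correct horse")  # constructed sample
    for table in ("weak", "hardened"):
        print(table, stolen_copy(db, table))
```

Both rows arrived over the same encrypted connection; only the storage choice decides what a copied table reveals.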

It is always a good idea to read the “privacy policy” on a website before you send sensitive information as this might let you know what additional security is in place. If the “privacy policy” does not let you know what data security is in place, you need to decide if you are willing to trust the website with your personal data. Many large corporations have used HTTPS but have been the victims of data theft due to insufficient security. For example, 2.9 million Adobe users had their details stolen because Adobe had insufficient security:
https://helpx.adobe.com/uk/x-productkb/policy-pricing/customer-alert.html

Here is the original news article by The Guardian:
https://www.theguardian.com/technology/2013/oct/03/adobe-hacking-data-breach-cyber-attack

In a situation like this, the “Secure” label for correct use of HTTPS is certainly worthless. Were you one of the 2.9 million Adobe users whose personal information was stolen? Find out by entering your email address here:
https://haveibeenpwned.com/ 

Can a hacker buy an SSL Certificate?

Yes! Anyone can purchase an SSL certificate without providing proof of identity. They only need to provide proof that they control the domain for which the certificate is being purchased. A hacker could buy an SSL certificate to make his scam website appear “Secure” for visitors.
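One way to check what a certificate actually asserts about the site owner, as an added example (not code from the article). It reads the dictionary format returned by Python's `ssl.SSLSocket.getpeercert()`; the two sample certificates are constructed, and the function names are assumptions.

```python
import socket
import ssl


def subject_fields(cert):
    """Flatten the nested 'subject' tuples from getpeercert() into a dict."""
    return {key: value for rdn in cert.get("subject", ()) for key, value in rdn}


def identity_in_cert(cert):
    """Report which domains the certificate covers and whether it names an owner."""
    org = subject_fields(cert).get("organizationName")
    return {
        "domains": [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"],
        "organization": org,
        # No organisation in the subject: the issuer checked control of the
        # domain and nothing about who is behind it.
        "domain_control_only": org is None,
    }


def fetch_cert(host, port=443):
    """Fetch a live, validated certificate (needs network; not used by the samples)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed samples in getpeercert() format, not taken from real sites.
DV_SAMPLE = {
    "subject": ((("commonName", "login-example.test"),),),
    "subjectAltName": (("DNS", "login-example.test"),),
}
OV_SAMPLE = {
    "subject": ((("countryName", "GB"),), (("organizationName", "Example Ltd"),),
                (("commonName", "www.example.test"),)),
    "subjectAltName": (("DNS", "www.example.test"), ("DNS", "example.test")),
}

if __name__ == "__main__":
    for sample in (DV_SAMPLE, OV_SAMPLE):
        print(identity_in_cert(sample))
```

Both samples would be treated as valid HTTPS by a browser; only the second one says anything about who operates the site.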

Does HTTPS “Secure” my computer against malware?

No! If a virus or malware is present on a website, Chrome will still show “Secure” if the website correctly uses the HTTPS protocol with a trusted and valid SSL certificate. Therefore you are not secure against malware despite the comforting and dangerously misleading “Secure” label in your address bar. 

After the website gets a reputation for distributing malware or if Google detects the malware, the website will be added to a blacklist and will lose the “Secure” label. Until that happens, it is labeled “Secure” even though it is potentially harmful to your computer.

Does HTTPS “Secure” my identity?

No! The encryption is ONLY to protect the data sent to and from the page. It does NOT provide anonymity to the visitor – your IP address and the websites you visited can be seen by anyone with access to the router (the admin or a hacker); the router could be your home router or a public Wi-Fi router.

If someone gained access to the router, they could easily see the IP Address of the computers using the Internet Connection and the URL of the pages they visit. If the pages visited are password protected and encrypted then the admin/hacker would know the URL of the visited page but not know the content of the visited page. Of course, if the visited page was publicly available, then the admin/hacker would be able to visit the URL and see what the person was viewing. If the page contains a form, the admin/hacker would only see an empty form and would not know what the person entered. To discover this information, a hacker would need to intercept the data as previously mentioned - this would be visible if not encrypted or unreadable if encrypted with “Secure” HTTPS.

In summary, anyone with access to your router can always see the IP Address of computers connected to the router and the URLs they visit, by looking at the router log files. However, they will be unable to see any data entered into a web form if the connection to the website is encrypted with HTTPS.

This link shows the level of protection given by SSL:
https://www.globalsign.com/en/ssl-information-center/what-is-ssl/

Does “Secure” HTTPS prevent an ISP (Internet Service Provider) from monitoring my Internet activity?

No! The ISP is responsible for all the data you send and receive and this enables them to see what websites you are visiting and how you are interacting with these websites.

Just like a postman has access to all the letters you send and receive, the ISP has access to all the data you send and receive. However, an ISP does not view or store this data, just as a postman does not open your letters; therefore, your privacy is maintained. If the web page you are viewing is not encrypted, then someone at your ISP could potentially view the data you send (such as credit card information) while that data is in transit, just as a rogue postman could potentially open your letters before he delivers them through your letterbox. Of course, an ISP will never view your data as it would be contrary to their privacy policy, but it is certainly possible. This only applies to data while it is being sent to the website (in transit). After the data has finished sending (usually less than 1 second), the only copy of this data will be with the recipient (i.e. the website database on which you submitted the web form).

Regarding your personal identity (i.e. not just your IP address but also your full name and postal address): your home broadband provider will have a record of the account holder’s full name and address. Therefore, if you are using your home internet connection, they will know what websites and web pages you have visited in addition to your full contact details (not just your IP address). If you switch to a cellular connection such as 4G or 3G, the same applies because your mobile phone provider will know your full name, address and the websites/web pages that you visit.

How can I protect my identity?

1) Data Privacy - If you are sending sensitive information such as passwords or credit card details over the Internet then make sure the website is using a valid implementation of HTTPS - this is essential. Google Chrome is excellent for helping us see this at a glance, with their “Secure” label. However, the data you are securely sending may be stored in an unsecured database and therefore vulnerable to theft. Even if the database is secure, you also need to read the website privacy policy to ensure your data is not misused.

2) Connection Privacy - Anyone with access to your home or office Router, including your Internet Service Provider, can see what pages you visited. You can work around this by using a PROXY SERVER such as Hidester:
https://hidester.com/proxy/ 

Here is an article that explains how a proxy server can mask your identity:
https://www.lifewire.com/free-anonymous-web-proxy-servers-818058

Another way of masking your identity is to use public Wi-Fi. For example, if you go to a coffee shop and use their Wi-Fi, then anyone looking at your Internet activity would only be able to track you back to the coffee shop you visited.

Finally, make sure you have "COOKIES: DISABLED" on your device otherwise when you think you are browsing anonymously, there may be cookies which identify you. It is easy to disable them if you search on Google for "how to disable cookies in Chrome" or "how to disable cookies in Internet Explorer" etc. You can read about "Tracking Cookies" here:
https://www.theguardian.com/technology/2012/apr/23/cookies-and-web-tracking-intro


What should I remember?

The “Secure” label only means the data you are sending is secure. Your identity may not be private, the website files may contain malware and the website database might not keep your data safe – as testified by 2.9 million Adobe users who were victims of data theft!

