What is the big deal about the “s” at the end of “http”? Every time you look up a resource or database, perform a web search, fill out a form, log in to an account, or purchase something online, you transmit your information to a website.
HTTPS is a way to encrypt your information. This protects you from “man-in-the-middle” attacks, where someone else steals the information being sent to a website. Examples of such information include credit card information, logins, your location, and IP address.
Several web browsers, such as Chrome and Firefox, have become much stricter about displaying “non-https” enabled sites. You may have visited sites with “insecure content” warnings. Even one tiny “non-https” image on a website will make the web browser balk at you.
Not all sites have https enabled yet, so we’ve compiled a list of tools to help you keep your data transmission safe.
HTTPS Everywhere – Chrome and Firefox extension
HTTPS Everywhere – Firefox on Android mobile:
SSL Enforcer – Safari Extension
General online security tips from SUNY Geneseo CIT:
Here is a more detailed explanation of data encryption and web security, via the Library Information Technology Association (https://litablog.org/2015/01/why-we-need-to-encrypt-the-whole-web-library-websites-too/):
Authentication: When you visit a website, your computer asks the server on the other end for the information you want to access, and the server responds with the requested information. With TLS/SSL enabled, your computer also reviews a security certificate that guarantees the authenticity of that server. Without TLS/SSL, you have no way of knowing if the website you’re visiting is the real website you want, and that puts you at risk of something called a man-in-the-middle attack, which means data going to and from your computer can be intercepted by an entity masquerading as the site you intended to visit.
Data encryption: Encryption is the process of scrambling messages into a secret code so they can only be read by the intended recipient. When a website uses TLS/SSL, the traffic between you and the server hosting that website is encrypted, providing you with a measure of privacy and protection against eavesdropping by third parties.
Data integrity: Finally, TLS/SSL uses an algorithm that includes a value to check on the integrity of the data in transit, meaning the data sent between you and a TLS/SSL secured website cannot be tampered with or altered to add malicious code.
Authentication, encryption, and integrity work in concert to protect the data you send out over TLS/SSL enabled websites. In this age of widespread criminal computer hacking and overbroad surveillance from government entities like the NSA, encrypting the web against interception and tampering is a social necessity. Unfortunately, most of the web is still unencrypted, because enabling TLS/SSL can be confusing, and often some critical steps are left out. But the digital privacy rights advocates at the Electronic Frontier Foundation are aiming to change that with Let’s Encrypt, a free and automated way to deploy TLS/SSL on all websites, launching in Summer 2015. EFF has also built a plugin called HTTPS Everywhere which forces TLS/SSL encryption on websites where this protocol is supported, but not fully set up (a frequent occurrence).