On a basic level when you browse to a website a request for information is sent from your browser / computer to a web server somewhere on the internet. The web server receives your request for information, determines what you are looking for and hopefully replies with the appropriate webpage. In computer terminology this process uses what is called hyper text transfer protocol or Http.
The use of Http works pretty well. There are billions of Http requests each day that are sent and received on the Internet. As a side note the creator of Http later said the two forward slashes involved in a website adress (http://) weren’t necessary and could have been left out!
Another aspect that was over looked when the original Http process was being created was how popular it would become. Today banks send financial information through their websites, doctors look up hospital records and more and more sensitive information is sent back and forth. The Http specification was never created for such sensitive information and thus never had any built in privacy or protection.
When you type in the webpage address for your bank you don’t get a direct connection between your browser and the bank. Instead your request is sent from server to server until it gets closer and finally “finds” the bank web server. The response from the bank server is similar and most likely doesn’t even use the same servers to find you that were originally used by you to find it.
In a perfect world your request and the banks response would go from server to server without anyone snooping along the way. Unfortunately we don’t live in that perfect world and bad guys like to “watch” or monitor the data that flows through their servers. As the Http process doesn’t have any privacy or security involved this means anyone watching one of these servers in-between you and your bank could intercept, copy and even change(!) the information being sent back and forth. This information not only includes your bank records but most likely your username and password that was initially entered by you to login to the bank’s website.
This is where Https comes in. Https combines the Http with security. There is more behind the scenes (SSL, TLS, certificate authorities, etc.) with Https but on a basic level your request for information to the bank’s website is preceded by a message saying “Hey I’m about to send you something that I would like secure. Is there a password I can add to it before I send it?” The bank responds with a password (key) that is used to encrypt your request. The request is then encrypted using the password the bank sent you. Even if one of the servers between you and the bank is being monitored all they see is encrypted data flowing back and forth.
The same process repeats before the bank sends back the webpage you are looking for. Their servers contact your browser, obtain a unique password / key that only your browser knows, use that key to encrypt the webpage, and finally send the information to you. Every single request for data (everytime you click the mouse and send data) a new set of passwords / keys is used to encrypt the data. This prevents the “man in the middle” from trying to crack the encryption. By the time they could crack the encryption it doesn’t matter because that password / key is no longer being used.
The downside to using Https is a slight delay in speed. The website has to encrypt the data and your browser has to decrypt the data before you see it. Today’s computers however are so powerful this delay is often not even noticeable. The upside to using Https is knowing the information you are viewing is visible only to you. We encourage the use of Https whenever possible and have written a few articles about it before. Final piece of advice – do not visit webpages that require a username, password or any type of personal information on a public network without using Https.