If you’re a business owner with a website, you need to have two things: HTTPS enabled and an HTTPS redirect.
Why? Without these, both your data and your website visitors’ data are exposed and could fall into the wrong hands. Learn how to check if you have these below, or get in contact with GTB and we’ll check for free.
This may come as a shock to some of you, but sensitive data from your computer could be exposed on the internet!
The good news is that the solution for this has been around since the 1990s in the form of SSL (Secure Sockets Layer).
What is SSL you may well ask?
SSL is a protocol originally created by Dr. Taher Elgamal for encrypting traffic over the internet in such a way that only the web server can decrypt it.
Since the 90s the protocol has gone through many upgrades, and in 1999 it was replaced by what we use today, TLS (Transport Layer Security).
HTTPS (Hypertext Transfer Protocol Secure), which uses TLS, works by having a private key and a public key.
What this means is that when you browse any website with HTTPS, your web browser is given the public key. With this, any communication between the website and your computer is encrypted with the public key. After being encrypted, the data becomes gibberish and can only be turned back into the original data with the private key.
Basically HTTPS means that the website is authenticated, and there is protection of the privacy and integrity of the exchanged data while in transit. It protects against man-in-the-middle attacks, and protects the communications against eavesdropping.
Apart from keeping the connection secure, HTTPS has other benefits, as new features are made available only to HTTPS websites. The major bonus of using HTTPS is HTTP/2, a huge performance upgrade to your website. With HTTP/2 your website will load much faster, as it allows multiplexed connections: you can be downloading more than one file at a time from the server. This will make the load time of your website significantly shorter.
If this issue was fixed in the 90s, how can your data still be exposed?
When you are browsing the internet, many sites you visit have a little padlock in the address bar. This means your connection is secure and is using HTTPS. However, sometimes you won’t see this padlock; instead, it will show ‘unsecure’, which means that the connection is over the HTTP protocol (note the lack of the ‘S’). The unencrypted protocol hasn’t been disabled yet because older websites still depend on it. However, the phasing out has started: new web features are only available on HTTPS, and Chrome (and other browsers) have started to block unsecured content.
Here is an example of a secure website:
When the connection is not secure, any data between you and the website is unencrypted. What this means is that anyone on the same WIFI network or who is listening along the ‘internet lines’ can see passwords, emails, credit cards, and other sensitive information.
So how can you protect yourself?
#1. Check for the padlock
Firstly, whenever you are about to enter a password or other sensitive data, check for the padlock. No padlock? Don’t enter any sensitive data. To get the padlock you can try changing the address to have ‘HTTPS’ at the start. This won’t work if the website isn’t set up for secure connections.
#2. Install a Browser Extension
Installing a browser extension that automates this process for you can make sure you are always secure. HTTPS Everywhere is available for Chrome, Firefox, Edge & Opera. You can find links to install it on your browser here.
#3. Beware on public WIFI
When on public WIFI, don’t use online banking unless absolutely necessary. Hackers use other tricks to make you think you are logging into the bank’s website when, in reality, you are using a fake website. These websites are often incredibly difficult to tell apart from the real thing, so it’s in your best interest to be extra careful when on public WIFI and to switch to mobile data if possible before using financial websites.
How do I make sure my website is secure and uses HTTPS?
It’s a website owner’s responsibility to make sure any data users input is kept between the website and the user. To check if your website is secure, check the following:
#1. Make sure HTTPS is enabled.
Enabling HTTPS is done on the webserver and costs nothing with most hosting providers. On the hosting control panel, look for ‘HTTPS’, ‘SSL & TLS’ or ‘Let’s Encrypt’; from here you should be able to ‘issue a certificate’. This creates a private & public key and enables incoming traffic over the HTTPS protocol. Your hosting provider will have more detailed instructions online; Google “[Name of host] enable HTTPS” to find more details, or send them an email.
Once you have enabled HTTPS on the host you should test it by going to your website with a ‘https://’ at the start of the address. E.g. https://gtb.co.nz/. If you see the padlock you have successfully enabled HTTPS.
#2. Use the HTTPS redirect
An HTTPS redirect is when you disable the website on HTTP (unencrypted) and send the users automatically to the HTTPS version. Doing this forces all users to encrypt data. To check if your website has a redirect, open an incognito tab and enter your website address with ‘HTTP://’ at the start, e.g. http://gtb.co.nz/. If the address changes to ‘https’ when the website loads and a padlock appears, you already have a redirect set up.
If you don’t have a redirect set up, you can get one by:
Installing a plugin (if you have a WordPress website.)
Amending the ‘.htaccess’ file – warning this is advanced.
Enabling it in your hosting panel – if it’s an option.
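The two checks above (HTTPS enabled, and HTTP redirecting to HTTPS) can also be scripted. This is an added example, not part of the original article: the function names, the host `shop.example` and the sample answers are constructed for illustration. `judge_redirect` classifies what a server answers to a plain `http://` request, including redirects that stay on HTTP or point at a different host.

```python
import http.client
import ssl
import sys
from urllib.parse import urlsplit

def judge_redirect(host, status, location):
    """Classify the answer a server gave to a plain http:// request for host."""
    if status not in (301, 302, 303, 307, 308):
        return "no-redirect"          # site is served (or errors) over plain HTTP
    target = urlsplit(location or "")
    if target.scheme != "https":
        return "redirect-not-https"   # relative or http:// target, still unencrypted
    if target.hostname != host.lower():
        return "https-other-host"     # e.g. bare domain -> www; confirm it is yours
    return "https-permanent" if status in (301, 308) else "https-temporary"

def fetch_http(host, timeout=10):
    """Send one plain-HTTP HEAD request without following redirects."""
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    try:
        conn.request("HEAD", "/")
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

def https_enabled(host, timeout=10):
    """True if the site answers over TLS with a certificate valid for host."""
    ctx = ssl.create_default_context()   # verifies the chain and the hostname
    conn = http.client.HTTPSConnection(host, 443, timeout=timeout, context=ctx)
    try:
        conn.request("HEAD", "/")
        conn.getresponse()
        return True
    except (OSError, http.client.HTTPException):
        return False
    finally:
        conn.close()

# Constructed sample answers (status, Location) for a made-up host, not real data.
SAMPLES = [(301, "https://shop.example/"), (200, None),
           (302, "http://shop.example/home"), (302, "https://www.shop.example/")]

if __name__ == "__main__":
    if len(sys.argv) > 1:                # live check: pass your own hostname
        host = sys.argv[1]
        print("HTTPS enabled:", https_enabled(host))
        print("HTTP redirect:", judge_redirect(host, *fetch_http(host)))
    else:
        for status, loc in SAMPLES:
            print(status, loc, "->", judge_redirect("shop.example", status, loc))
```

A result of `https-temporary` means the redirect works but uses a temporary status code; `https-permanent` (301 or 308) is what browsers and search engines cache.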
The internet is still a dangerous place. However, the good news is that by all doing our part we can work to build a safer internet for everyone.
If you have older people in your life, inform them to look for the padlock before entering their password or credit card.
Know someone with a website? Send them this article to help them keep data secure.
If you have a website and want some help checking or implementing better security, you can contact us here, and we can check your website for free plus provide you with a simple report of what needs to be improved.