We see it everywhere: a green (or yellow) padlock next to the URL of the website you are visiting. Since Google takes HTTPS into account when ranking search results, everyone has become obsessed with HTTPS. A fine protocol, but what does it actually stand for, and how secure is it? HTTPS stands for 'Hyper Text Transport Protocol Secure' and is thus the 'secure' version of HTTP, the connection protocol almost everyone uses to navigate the World Wide Web (www). The difference lies mainly in whether or not the data being sent is protected. Banks and online shops in particular use HTTPS to protect customer account and payment information.
How does it work?
If a website uses HTTPS, it uses 'Transport Layer Security' (TLS) to encrypt the transmission of the information entered or sent. TLS is used in a wide range of applications. Well-known examples include web traffic (HTTPS), email traffic (IMAP and SMTP with STARTTLS), and certain types of virtual private networks (VPN). Such encryption is meant to ensure that the information stays confidential and cannot fall into the hands of a hacker who is listening in on the connection.
HTTP(S) and TLS?
For clarification: HTTPS is an HTTP connection inside a secure TLS tunnel (the earlier versions of the protocol were called SSL), through which data can safely be sent back and forth between, for example, a visitor's browser and a website's server. No TLS tunnel means no encryption and therefore no security. To use TLS, you need to apply for a certificate from a 'certificate authority' (CA). Such a certificate primarily serves as a (digital) means of identification and comes with two corresponding keys: a 'Private Key' and a 'Public Key'. They are called keys because they work like keys: the 'Public Key' is used to encrypt the data, and the 'Private Key' makes the data readable again after receipt. Three important aspects: identification, encryption, and decryption.
Why do I need it?
If you own a website where users can provide information or create accounts, you may be required (by the Dutch data protection act, the Wet bescherming persoonsgegevens, hereinafter 'Wbp') to implement certain technical and organizational security measures. Which measures need to be taken depends on the sensitivity of the data being transmitted. “Art. 13 Wbp – the responsible party implements appropriate technical and organizational measures to secure personal data against loss or any form of unlawful processing. These measures guarantee, taking into account the state of the art and the costs of implementation, an appropriate level of security in light of the risks associated with the processing and the nature of the data that needs to be protected…” Is there an obligation to use TLS? Not as such; it is more of a general call to implement technical measures. The organization must first determine, based on a risk analysis and a classification scheme, whether this is desirable. Given how accessible and widely available TLS is, however, there are few (good) arguments not to implement it.
Does HTTPS protect your privacy?
Yes, it protects your privacy through encryption during data transfer. This offers some protection against government eavesdropping and 'man in the middle' (MitM) attacks. The problem, however, is that encrypting the data is only half the story. The other half consists of actually landing on the page you want to visit. Normally, an HTTPS connection verifies the identity of the server using a certificate, but this system is not foolproof. If they set their mind to it, malicious hackers can obtain such a certificate (as in the DigiNotar case) or create one themselves. HTTPS also has another issue. If the visitor doesn't manually type https:// on their first visit, they are in most cases (95%) simply sent to the HTTP site by default. If you really want to make it difficult for the hacker, you will need to enable HTTP Strict Transport Security (HSTS). Put simply, this tells browsers that the default for your servers is HTTPS instead of insecure HTTP. In this way, your site and its visitors are better protected against 'connection hijacking' attacks, such as a man in the middle attack.
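To make the HSTS point concrete, here is an added example (not code from the original article) that checks recorded HTTP responses for the things a defender would look at: whether the plain-HTTP side redirects to HTTPS, and whether the HTTPS side sends a Strict-Transport-Security header with a long enough max-age and includeSubDomains. The sample responses, the host name example.test and the one-year threshold are constructed for this illustration; the directive names and case-insensitive parsing follow RFC 6797.

```python
"""Evaluate HTTP Strict Transport Security (HSTS) on recorded responses.

Added example, not part of the original article. Sample responses below are
constructed; the one-year threshold is the commonly recommended minimum.
"""

ONE_YEAR = 31536000  # seconds; typical minimum max-age for a preloadable HSTS policy


def parse_hsts(value):
    """Parse a Strict-Transport-Security header value into its directives.

    Returns {'max_age': int or None, 'include_subdomains': bool, 'preload': bool}.
    Directive names are case-insensitive and max-age may be quoted (RFC 6797).
    """
    result = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')
        if name == "max-age":
            # A missing or non-numeric max-age makes browsers ignore the policy.
            result["max_age"] = int(arg) if arg.isdigit() else None
        elif name == "includesubdomains":
            result["include_subdomains"] = True
        elif name == "preload":
            result["preload"] = True
    return result


def _header(headers, name):
    """Case-insensitive header lookup; returns None if the header is absent."""
    for key, value in headers.items():
        if key.lower() == name:
            return value
    return None


def evaluate_hsts(scheme, status, headers):
    """Return a list of findings for one response (an empty list means fine).

    scheme: 'http' or 'https' of the request; status: HTTP status code;
    headers: dict of response headers. Browsers only honour HSTS received
    over HTTPS, so the plain-HTTP side must redirect rather than set it.
    """
    findings = []
    hsts = _header(headers, "strict-transport-security")
    if scheme != "https":
        location = _header(headers, "location") or ""
        if not (status in (301, 302, 307, 308) and location.lower().startswith("https://")):
            findings.append("plain HTTP response does not redirect to HTTPS")
        if hsts is not None:
            findings.append("HSTS header on HTTP response is ignored by browsers")
        return findings
    if hsts is None:
        return ["missing Strict-Transport-Security header"]
    policy = parse_hsts(hsts)
    if policy["max_age"] is None:
        findings.append("max-age missing or malformed; policy ignored")
    elif policy["max_age"] < ONE_YEAR:
        findings.append("max-age below one year")
    if not policy["include_subdomains"]:
        findings.append("includeSubDomains not set")
    if policy["preload"] and findings:
        findings.append("preload requested but max-age/includeSubDomains requirements not met")
    return findings


# Constructed sample responses, as a scanner might record them.
SAMPLES = [
    ("http", 200, {"Content-Type": "text/html"}),
    ("http", 301, {"Location": "https://www.example.test/",
                   "Strict-Transport-Security": "max-age=31536000"}),
    ("https", 200, {"Strict-Transport-Security": "max-age=300"}),
    ("https", 200, {"Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload"}),
    ("https", 200, {}),
]

if __name__ == "__main__":
    for scheme, status, headers in SAMPLES:
        print(scheme, status, evaluate_hsts(scheme, status, headers) or ["ok"])
```

Note that the checker treats an HSTS header on a plain-HTTP response as a finding rather than a pass: browsers discard it, so the first visit over HTTP is only protected by the redirect (or by the browser preload list, which is why the preload directive is checked against the same requirements).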
What should we do?
For every new security measure, ten ways to bypass it quickly arise. It is therefore essential to keep your security measures up to date at all times and to perform a risk analysis regularly. A good example is the Panama Papers. The servers of the law firm Mossack Fonseca ran a current TLS version, but they still also supported the outdated SSL v2, which left them vulnerable to a DROWN attack. Source: Emerce
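The Mossack Fonseca example is about an endpoint that kept an obsolete protocol enabled next to a modern one. The following added example (not code from the original article or from Emerce) shows, with Python's standard ssl module, how to build client and server contexts that only negotiate TLS 1.2 or newer, and how to pick out deprecated versions from scanner-style output. The scan lines are constructed in the style of a protocol scanner's report, and certfile/keyfile are hypothetical paths the operator would supply.

```python
"""Refuse outdated SSL/TLS versions and spot them in scan output.

Added example, not part of the original article. Scan lines are constructed;
certfile/keyfile are hypothetical operator-supplied paths.
"""
import re
import ssl

# Protocol versions that should not be enabled on any public endpoint
# (spelled the way the constructed scan lines below spell them).
DEPRECATED = {"SSLv2", "SSLv3", "TLS 1", "TLS 1.1"}

_SCAN_LINE = re.compile(r"^(SSLv2|SSLv3|TLS 1(?:\.\d)?)\s+(offered|not offered)\b")


def hardened_client_context():
    """Client side: verify certificate and hostname, negotiate TLS 1.2 or newer."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def hardened_server_context(certfile=None, keyfile=None):
    """Server side: TLS 1.2 or newer only, so no SSLv2/SSLv3 handshake is possible.

    certfile/keyfile are hypothetical paths; the context is returned without a
    certificate when they are not given, which is enough to inspect its settings.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if certfile and keyfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def context_summary(ctx):
    """Plain-value summary of the settings that matter for a quick audit."""
    return {
        "minimum_version": ctx.minimum_version.name,
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
    }


def offered_versions(scan_lines):
    """Return the protocol versions that scanner-style lines report as offered."""
    offered = []
    for line in scan_lines:
        match = _SCAN_LINE.match(line.strip())
        if match and match.group(2) == "offered":
            offered.append(match.group(1))
    return offered


def deprecated_offered(scan_lines):
    """Versions a server accepts that should have been switched off."""
    return [v for v in offered_versions(scan_lines) if v in DEPRECATED]


# Constructed scan output for a server that, like the one in the article,
# supports modern TLS but never turned the old protocols off.
SCAN_LINES = [
    "SSLv2      offered (NOT ok)",
    "SSLv3      not offered",
    "TLS 1      not offered",
    "TLS 1.1    offered (deprecated)",
    "TLS 1.2    offered (OK)",
    "TLS 1.3    offered (OK)",
]

if __name__ == "__main__":
    print("client:", context_summary(hardened_client_context()))
    print("server:", context_summary(hardened_server_context()))
    print("deprecated versions still offered:", deprecated_offered(SCAN_LINES))
```

Setting minimum_version is the part that matters: it applies to every connection made with the context, so an old protocol cannot be re-enabled by a cipher or option elsewhere in the configuration. The same idea applies to a web server's protocol settings, where the check is that SSLv2, SSLv3 and TLS 1.0/1.1 are absent from the allowed list.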