{"video_id":"25mXesOV9-8","title":"Does HTTPS REALLY Keep You Safe?","channel":"Techquickie","show":"Techquickie","published_at":"2024-05-04T14:58:16Z","duration_s":338,"segments":[{"start_s":0.0,"end_s":7.36,"text":"Most web addresses these days start with HTTPS, which implies that your","speaker":null,"is_sponsor":0},{"start_s":4.92,"end_s":10.88,"text":"connection to the website is secure in some way. You know, the S, that's what","speaker":null,"is_sponsor":0},{"start_s":8.8,"end_s":16.88,"text":"the S stands for. But, what exactly is HTTPS, and how safe is it really keeping","speaker":null,"is_sponsor":0},{"start_s":14.16,"end_s":20.2,"text":"you? HTTPS is a protocol that encrypts information sent over the internet.","speaker":null,"is_sponsor":0},{"start_s":18.68,"end_s":24.24,"text":"Specifically, the content that's traveling between your PC or phone and","speaker":null,"is_sponsor":0},{"start_s":22.8,"end_s":28.4,"text":"the server for the website you're viewing. Without HTTPS, any of that","speaker":null,"is_sponsor":0},{"start_s":26.56,"end_s":32.08,"text":"content, such as private messages, payment info, or the videos you're","speaker":null,"is_sponsor":0},{"start_s":29.88,"end_s":36.28,"text":"watching, could be intercepted by an attacker or snoop, such as someone with","speaker":null,"is_sponsor":0},{"start_s":34.52,"end_s":40.52,"text":"a packet sniffing program connected to the same Wi-Fi network, or by an IT","speaker":null,"is_sponsor":0},{"start_s":38.4,"end_s":44.88,"text":"administrator monitoring traffic at your office. And yes, there are ways that","speaker":null,"is_sponsor":0},{"start_s":43.24,"end_s":49.04,"text":"your employer could still look at your web traffic, such as through a proxy,","speaker":null,"is_sponsor":0},{"start_s":46.92,"end_s":52.84,"text":"but I'm sure all of you are on your best behavior on the job.","speaker":null,"is_sponsor":0},{"start_s":50.92,"end_s":57.6,"text":"Although most websites these days use HTTPS, this wasn't always the case. But,","speaker":null,"is_sponsor":0},{"start_s":55.88,"end_s":62.2,"text":"why? Well, it had to do with how security certificates worked. That's the","speaker":null,"is_sponsor":0},{"start_s":59.92,"end_s":66.48,"text":"electronic document used to generate the HTTPS encryption. Not only does it","speaker":null,"is_sponsor":0},{"start_s":64.519,"end_s":70.92,"text":"contain a public key, but it also enables another important function of","speaker":null,"is_sponsor":0},{"start_s":68.16,"end_s":75.44,"text":"HTTPS. It lets a user know the site that they're accessing is indeed what the URL","speaker":null,"is_sponsor":0},{"start_s":73.4,"end_s":79.68,"text":"says it is. Although anyone can make a certificate, it needs to be signed by an","speaker":null,"is_sponsor":0},{"start_s":77.52,"end_s":83.92,"text":"organization called a certificate authority in order for your browser to","speaker":null,"is_sponsor":0},{"start_s":81.84,"end_s":87.72,"text":"recognize it as valid and give you that nice little padlock icon up in the","speaker":null,"is_sponsor":0},{"start_s":85.76,"end_s":91.68,"text":"corner. It makes me feel so nice. For a certificate authority to sign a","speaker":null,"is_sponsor":0},{"start_s":89.32,"end_s":96.0,"text":"certificate, the website owner needs to show that they actually control the","speaker":null,"is_sponsor":0},{"start_s":93.48,"end_s":99.8,"text":"domain name on the certificate. Without a certificate authority signature, the","speaker":null,"is_sponsor":0},{"start_s":97.68,"end_s":105.2,"text":"encryption will still technically work if the certificate owner self-signs it,","speaker":null,"is_sponsor":0},{"start_s":102.76,"end_s":109.56,"text":"but the issue is that you, the user at home, won't know who's on the other end","speaker":null,"is_sponsor":0},{"start_s":107.68,"end_s":113.6,"text":"of the connection. It could very well be an attacker ready to steal your data.","speaker":null,"is_sponsor":0},{"start_s":111.92,"end_s":117.88,"text":"The problem for a long time was that certificate authorities charged money","speaker":null,"is_sponsor":0},{"start_s":115.76,"end_s":121.64,"text":"for this service, up to several hundred dollars a year, which many site owners","speaker":null,"is_sponsor":0},{"start_s":120.08,"end_s":127.0,"text":"just didn't want to bother with, especially if they were running smaller websites. But nowadays, it's easy to get","speaker":null,"is_sponsor":0},{"start_s":125.0,"end_s":132.12,"text":"certificates signed for free, in large part due to a nonprofit authority called","speaker":null,"is_sponsor":0},{"start_s":129.6,"end_s":135.92,"text":"Let's Encrypt, backed by the Electronic Frontier Foundation, as well as several","speaker":null,"is_sponsor":0},{"start_s":134.04,"end_s":139.24,"text":"large tech companies. And there's the fact that Chrome started displaying","speaker":null,"is_sponsor":0},{"start_s":137.48,"end_s":142.68,"text":"aggressive-looking warnings whenever you visited a site without a certificate","speaker":null,"is_sponsor":0},{"start_s":140.72,"end_s":147.72,"text":"signed by a recognized authority. That got HTTPS adopted rolling a bit quicker,","speaker":null,"is_sponsor":0},{"start_s":145.48,"end_s":152.08,"text":"but do keep in mind you won't see this warning if a site doesn't use HTTPS at","speaker":null,"is_sponsor":0},{"start_s":150.28,"end_s":157.04,"text":"all, so be sure to glance up at the address bar to see if the site is just","speaker":null,"is_sponsor":0},{"start_s":153.88,"end_s":159.32,"text":"using plain HTTP. So, HTTPS is now","speaker":null,"is_sponsor":0},{"start_s":157.04,"end_s":163.0,"text":"widespread and clearly plays a vital role, but there are also lots of","speaker":null,"is_sponsor":0},{"start_s":161.2,"end_s":166.72,"text":"misconceptions about it that have led some folks to believe more of their","speaker":null,"is_sponsor":0},{"start_s":164.84,"end_s":171.96,"text":"browsing activity is private than it actually is. We'll tell you what HTTPS","speaker":null,"is_sponsor":0},{"start_s":169.48,"end_s":175.48,"text":"doesn't do right after we thank Soylent for sponsoring this video. Soylent is","speaker":null,"is_sponsor":1},{"start_s":174.0,"end_s":179.36,"text":"where science meets taste, affordability, and sustainability. Their","speaker":null,"is_sponsor":1},{"start_s":177.64,"end_s":182.72,"text":"nutrient-complete formula is a great alternative to skipping a meal because","speaker":null,"is_sponsor":1},{"start_s":181.44,"end_s":187.08,"text":"you just don't have the time. It's affordable at $2 to $4 per serving, and","speaker":null,"is_sponsor":1},{"start_s":184.92,"end_s":191.44,"text":"it comes in convenient no-prep formats with a ton of flavors available. Our","speaker":null,"is_sponsor":1},{"start_s":189.04,"end_s":195.0,"text":"favorite is chocolate. It has everything you would look for in","speaker":null,"is_sponsor":1},{"start_s":192.88,"end_s":198.44,"text":"a ready-to-drink meal. Even better, they stand by their mission of providing","speaker":null,"is_sponsor":1},{"start_s":196.48,"end_s":202.36,"text":"access to good food by giving back nearly 6 million donated meals. Check","speaker":null,"is_sponsor":1},{"start_s":200.88,"end_s":207.08,"text":"them out at the link below today, and the first 500 people to use this link","speaker":null,"is_sponsor":1},{"start_s":204.2,"end_s":211.64,"text":"and code TechQuickie30 will get 30% off their first order. One common","speaker":null,"is_sponsor":1},{"start_s":208.8,"end_s":215.24,"text":"misconception is that the HTTPS padlock means that you're connected to a site","speaker":null,"is_sponsor":0},{"start_s":213.36,"end_s":220.28,"text":"that you can trust with your personal information. This is definitely not the","speaker":null,"is_sponsor":0},{"start_s":217.96,"end_s":224.04,"text":"case. There are plenty of phishing sites whose appearance imitates the legitimate","speaker":null,"is_sponsor":0},{"start_s":222.28,"end_s":228.24,"text":"site, but you often can see up in the address bar that the URL doesn't match","speaker":null,"is_sponsor":0},{"start_s":226.44,"end_s":232.92,"text":"the site that you want, so their certificates get signed because the","speaker":null,"is_sponsor":0},{"start_s":229.92,"end_s":234.68,"text":"attackers do own that URL. They aren't","speaker":null,"is_sponsor":0},{"start_s":232.92,"end_s":238.76,"text":"trying to get a certificate for the real site, so look at the URL very closely if","speaker":null,"is_sponsor":0},{"start_s":237.44,"end_s":244.72,"text":"you suspect you're the target of a phishing attack. If you want to be really careful, check the certificate,","speaker":null,"is_sponsor":0},{"start_s":242.64,"end_s":248.64,"text":"too, as another kind of attack called DNS poisoning can even return a","speaker":null,"is_sponsor":0},{"start_s":247.08,"end_s":252.56,"text":"malicious website with a legitimate-looking URL. Another very","speaker":null,"is_sponsor":0},{"start_s":250.96,"end_s":258.44,"text":"important thing to remember is that HTTPS does not encrypt metadata, which","speaker":null,"is_sponsor":0},{"start_s":256.079,"end_s":262.92,"text":"includes URLs. This means that an attacker, network administrator, or ISP","speaker":null,"is_sponsor":0},{"start_s":261.12,"end_s":267.2,"text":"can still determine which sites you were visiting, and in certain circumstances,","speaker":null,"is_sponsor":0},{"start_s":265.04,"end_s":271.28,"text":"even which specific web pages, depending on how the server is configured. So, if","speaker":null,"is_sponsor":0},{"start_s":269.08,"end_s":275.44,"text":"you're visiting a site that's CD inappropriate during work hours, or","speaker":null,"is_sponsor":0},{"start_s":273.64,"end_s":281.0,"text":"whose URL could give away something personal, HTTPS alone won't cover you.","speaker":null,"is_sponsor":0},{"start_s":279.04,"end_s":285.56,"text":"But, there is some good news here. Encrypted DNS is gaining popularity,","speaker":null,"is_sponsor":0},{"start_s":283.6,"end_s":290.24,"text":"which, in layman's terms, means that the host names of the pages you're visiting","speaker":null,"is_sponsor":0},{"start_s":287.56,"end_s":294.04,"text":"would be encrypted, as DNS is the system that looks up the actual numerical IP","speaker":null,"is_sponsor":0},{"start_s":292.24,"end_s":297.68,"text":"addresses of the site addresses you punch in. This makes it significantly","speaker":null,"is_sponsor":0},{"start_s":296.08,"end_s":302.0,"text":"harder for an attacker to figure out what sites you were using. Encrypted DNS","speaker":null,"is_sponsor":0},{"start_s":299.8,"end_s":306.16,"text":"can be enabled in Windows, but not all DNS services support it, and it can be","speaker":null,"is_sponsor":0},{"start_s":304.44,"end_s":310.12,"text":"possible to deduce what sites you're visiting by looking at the IP addresses","speaker":null,"is_sponsor":0},{"start_s":308.4,"end_s":315.28,"text":"you're connecting to. But, just like HTTPS itself, it's meant to make life","speaker":null,"is_sponsor":0},{"start_s":312.48,"end_s":319.0,"text":"more difficult for snoops, not as a silver bullet to stop every kind of","speaker":null,"is_sponsor":0},{"start_s":316.92,"end_s":322.64,"text":"attack. If that existed, someone out there would probably have a fortune that","speaker":null,"is_sponsor":0},{"start_s":320.4,"end_s":326.88,"text":"would put even Daddy Bezos to shame. But, whatever the opposite of shame is,","speaker":null,"is_sponsor":0},{"start_s":324.56,"end_s":330.88,"text":"I'm giving to you right now for watching the whole video. Hey, thanks. Like it if","speaker":null,"is_sponsor":1},{"start_s":329.08,"end_s":334.68,"text":"you liked it. Dislike it if you disliked it. Check out our other videos. Comment","speaker":null,"is_sponsor":1},{"start_s":332.56,"end_s":338.64,"text":"below with video suggestions, and don't forget to subscribe and follow.","speaker":null,"is_sponsor":1}],"full_text":"Most web addresses these days start with HTTPS, which implies that your connection to the website is secure in some way. You know, the S, that's what the S stands for. But, what exactly is HTTPS, and how safe is it really keeping you? HTTPS is a protocol that encrypts information sent over the internet. Specifically, the content that's traveling between your PC or phone and the server for the website you're viewing. Without HTTPS, any of that content, such as private messages, payment info, or the videos you're watching, could be intercepted by an attacker or snoop, such as someone with a packet sniffing program connected to the same Wi-Fi network, or by an IT administrator monitoring traffic at your office. And yes, there are ways that your employer could still look at your web traffic, such as through a proxy, but I'm sure all of you are on your best behavior on the job. Although most websites these days use HTTPS, this wasn't always the case. But, why? Well, it had to do with how security certificates worked. That's the electronic document used to generate the HTTPS encryption. Not only does it contain a public key, but it also enables another important function of HTTPS. It lets a user know the site that they're accessing is indeed what the URL says it is. Although anyone can make a certificate, it needs to be signed by an organization called a certificate authority in order for your browser to recognize it as valid and give you that nice little padlock icon up in the corner. It makes me feel so nice. For a certificate authority to sign a certificate, the website owner needs to show that they actually control the domain name on the certificate. Without a certificate authority signature, the encryption will still technically work if the certificate owner self-signs it, but the issue is that you, the user at home, won't know who's on the other end of the connection. It could very well be an attacker ready to steal your data. The problem for a long time was that certificate authorities charged money for this service, up to several hundred dollars a year, which many site owners just didn't want to bother with, especially if they were running smaller websites. But nowadays, it's easy to get certificates signed for free, in large part due to a nonprofit authority called Let's Encrypt, backed by the Electronic Frontier Foundation, as well as several large tech companies. And there's the fact that Chrome started displaying aggressive-looking warnings whenever you visited a site without a certificate signed by a recognized authority. That got HTTPS adopted rolling a bit quicker, but do keep in mind you won't see this warning if a site doesn't use HTTPS at all, so be sure to glance up at the address bar to see if the site is just using plain HTTP. So, HTTPS is now widespread and clearly plays a vital role, but there are also lots of misconceptions about it that have led some folks to believe more of their browsing activity is private than it actually is. We'll tell you what HTTPS doesn't do right after we thank Soylent for sponsoring this video. Soylent is where science meets taste, affordability, and sustainability. Their nutrient-complete formula is a great alternative to skipping a meal because you just don't have the time. It's affordable at $2 to $4 per serving, and it comes in convenient no-prep formats with a ton of flavors available. Our favorite is chocolate. It has everything you would look for in a ready-to-drink meal. Even better, they stand by their mission of providing access to good food by giving back nearly 6 million donated meals. Check them out at the link below today, and the first 500 people to use this link and code TechQuickie30 will get 30% off their first order. One common misconception is that the HTTPS padlock means that you're connected to a site that you can trust with your personal information. This is definitely not the case. There are plenty of phishing sites whose appearance imitates the legitimate site, but you often can see up in the address bar that the URL doesn't match the site that you want, so their certificates get signed because the attackers do own that URL. They aren't trying to get a certificate for the real site, so look at the URL very closely if you suspect you're the target of a phishing attack. If you want to be really careful, check the certificate, too, as another kind of attack called DNS poisoning can even return a malicious website with a legitimate-looking URL. Another very important thing to remember is that HTTPS does not encrypt metadata, which includes URLs. This means that an attacker, network administrator, or ISP can still determine which sites you were visiting, and in certain circumstances, even which specific web pages, depending on how the server is configured. So, if you're visiting a site that's CD inappropriate during work hours, or whose URL could give away something personal, HTTPS alone won't cover you. But, there is some good news here. Encrypted DNS is gaining popularity, which, in layman's terms, means that the host names of the pages you're visiting would be encrypted, as DNS is the system that looks up the actual numerical IP addresses of the site addresses you punch in. This makes it significantly harder for an attacker to figure out what sites you were using. Encrypted DNS can be enabled in Windows, but not all DNS services support it, and it can be possible to deduce what sites you're visiting by looking at the IP addresses you're connecting to. But, just like HTTPS itself, it's meant to make life more difficult for snoops, not as a silver bullet to stop every kind of attack. If that existed, someone out there would probably have a fortune that would put even Daddy Bezos to shame. But, whatever the opposite of shame is, I'm giving to you right now for watching the whole video. Hey, thanks. Like it if you liked it. Dislike it if you disliked it. Check out our other videos. Comment below with video suggestions, and don't forget to subscribe and follow."}