{"video_id":"fp_2Uwpdc0SGw","title":"HTTPS Explained","channel":"Techquickie","show":"Techquickie","published_at":"2023-09-08T16:59:00.022Z","duration_s":296,"segments":[{"start_s":0.0,"end_s":3.84,"text":"Most web addresses these days start with HTTPS,","speaker":null,"is_sponsor":0},{"start_s":3.84,"end_s":9.88,"text":"which implies that your connection to the website is secure in some way, that's what the S stands for.","speaker":null,"is_sponsor":0},{"start_s":9.88,"end_s":14.6,"text":"But what exactly is HTTPS, and how safe is it really keeping you?","speaker":null,"is_sponsor":0},{"start_s":14.6,"end_s":20.04,"text":"HTTPS is a protocol that encrypts information sent over the internet, specifically the content","speaker":null,"is_sponsor":0},{"start_s":20.04,"end_s":24.68,"text":"that's traveling between your PC or phone and the server for the website you're viewing.","speaker":null,"is_sponsor":0},{"start_s":24.68,"end_s":29.16,"text":"Without HTTPS, any of that content, such as private messages, payment info,","speaker":null,"is_sponsor":0},{"start_s":29.16,"end_s":33.76,"text":"or the videos you're watching, could be intercepted by an attacker or snoop,","speaker":null,"is_sponsor":0},{"start_s":33.76,"end_s":37.6,"text":"such as someone with a packet sniffing program connected to the same Wi-Fi network","speaker":null,"is_sponsor":0},{"start_s":37.6,"end_s":41.24,"text":"or by an IT administrator monitoring traffic at your office.","speaker":null,"is_sponsor":0},{"start_s":41.24,"end_s":44.28,"text":"Although most websites these days use HTTPS,","speaker":null,"is_sponsor":0},{"start_s":44.28,"end_s":49.76,"text":"this wasn't always the case, but why? 
Well, it had to do with how security certificates worked.","speaker":null,"is_sponsor":0},{"start_s":49.76,"end_s":53.96,"text":"That's the electronic document used to generate the HTTPS encryption.","speaker":null,"is_sponsor":0},{"start_s":53.96,"end_s":59.56,"text":"Not only does it contain a public key, but it also enables another important function of HTTPS.","speaker":null,"is_sponsor":0},{"start_s":59.56,"end_s":64.64,"text":"It lets a user know the site that they're accessing is indeed what the URL says it is.","speaker":null,"is_sponsor":0},{"start_s":64.64,"end_s":68.68,"text":"Although anyone can make a certificate, it needs to be signed by an organization","speaker":null,"is_sponsor":0},{"start_s":68.68,"end_s":73.6,"text":"called a certificate authority in order for your browser to recognize it as valid","speaker":null,"is_sponsor":0},{"start_s":73.6,"end_s":77.88,"text":"and give you that nice little padlock icon up in the corner, it makes me feel so nice.","speaker":null,"is_sponsor":0},{"start_s":77.88,"end_s":83.72,"text":"For a certificate authority to sign a certificate, the website owner needs to show that they actually control","speaker":null,"is_sponsor":0},{"start_s":83.72,"end_s":87.92,"text":"the domain name on the certificate. Without a certificate authority signature,","speaker":null,"is_sponsor":0},{"start_s":87.92,"end_s":93.12,"text":"the encryption will still technically work if the certificate owner self signs it,","speaker":null,"is_sponsor":0},{"start_s":93.12,"end_s":96.32,"text":"but the issue is that you, the user at home,","speaker":null,"is_sponsor":0},{"start_s":96.32,"end_s":102.28,"text":"won't know who's on the other end of the connection. 
It could very well be an attacker ready to steal your data.","speaker":null,"is_sponsor":0},{"start_s":102.28,"end_s":108.68,"text":"The problem for a long time was that certificate authorities charged money for this service up to several hundred dollars","speaker":null,"is_sponsor":0},{"start_s":108.68,"end_s":111.84,"text":"a year, which many site owners just didn't wanna bother with,","speaker":null,"is_sponsor":0},{"start_s":111.84,"end_s":116.88,"text":"especially if they were running smaller websites. But nowadays, it's easy to get a certificate signed for free","speaker":null,"is_sponsor":0},{"start_s":116.88,"end_s":123.0,"text":"in large part due to a nonprofit authority called Let's Encrypt, backed by the Electronic Frontier","speaker":null,"is_sponsor":0},{"start_s":123.0,"end_s":127.88,"text":"Foundation as well as several large tech companies. And there's the fact that Chrome started displaying","speaker":null,"is_sponsor":0},{"start_s":127.88,"end_s":132.72,"text":"aggressive looking warnings whenever you visited a site without a certificate signed by a recognized authority,","speaker":null,"is_sponsor":0},{"start_s":132.72,"end_s":135.84,"text":"that got HTTPS adoption rolling a bit quicker.","speaker":null,"is_sponsor":0},{"start_s":135.84,"end_s":141.04,"text":"But do keep in mind, you won't see this warning if a site doesn't use HTTPS at all.","speaker":null,"is_sponsor":0},{"start_s":141.04,"end_s":145.84,"text":"So be sure to glance up at the address bar to see if the site is just using plain HTTP.","speaker":null,"is_sponsor":0},{"start_s":145.84,"end_s":150.08,"text":"Also keep in mind that there are ways your employer could still look at your web traffic,","speaker":null,"is_sponsor":0},{"start_s":150.08,"end_s":153.2,"text":"such as through a proxy and putting a custom certificate","speaker":null,"is_sponsor":0},{"start_s":153.2,"end_s":156.76,"text":"authority on your PC. 
But I'm sure all of you are on your best behavior","speaker":null,"is_sponsor":0},{"start_s":156.76,"end_s":161.2,"text":"on the job. One common misconception is that the HTTPS padlock","speaker":null,"is_sponsor":0},{"start_s":161.2,"end_s":165.44,"text":"means that you're connected to a site that you can trust with your personal information.","speaker":null,"is_sponsor":0},{"start_s":165.44,"end_s":170.4,"text":"This is definitely not the case. There are plenty of phishing sites whose appearance","speaker":null,"is_sponsor":0},{"start_s":170.4,"end_s":174.28,"text":"imitates the legitimate site, but you often can see up in the address bar","speaker":null,"is_sponsor":0},{"start_s":174.28,"end_s":179.0,"text":"that the URL doesn't match the site that you want, so their certificates get signed","speaker":null,"is_sponsor":0},{"start_s":179.0,"end_s":184.52,"text":"because the attackers do own that URL. They aren't trying to get a certificate for the real site,","speaker":null,"is_sponsor":0},{"start_s":184.52,"end_s":188.92,"text":"so look at the URL very closely if you suspect you're the target of a phishing attack.","speaker":null,"is_sponsor":0},{"start_s":188.92,"end_s":192.24,"text":"If you wanna be really careful, check the certificate too.","speaker":null,"is_sponsor":0},{"start_s":192.24,"end_s":195.24,"text":"As another kind of attack called DNS poisoning","speaker":null,"is_sponsor":0},{"start_s":195.24,"end_s":199.16,"text":"can even return a malicious website with a legitimate looking URL.","speaker":null,"is_sponsor":0},{"start_s":199.16,"end_s":204.0,"text":"Here's another important thing to remember. 
Although HTTPS does technically encrypt","speaker":null,"is_sponsor":0},{"start_s":204.0,"end_s":208.76,"text":"the URL of the webpage you're viewing, the domain and subdomain of the website you're visiting","speaker":null,"is_sponsor":0},{"start_s":208.76,"end_s":213.44,"text":"are still visible if you're using standard unencrypted DNS,","speaker":null,"is_sponsor":0},{"start_s":213.44,"end_s":217.6,"text":"the system that looks up the numerical IP addresses of the domain names that you punch in.","speaker":null,"is_sponsor":0},{"start_s":217.6,"end_s":220.76,"text":"This means that an attacker can look at your DNS query","speaker":null,"is_sponsor":0},{"start_s":220.76,"end_s":224.66,"text":"to figure out what site you're visiting, though not which specific page.","speaker":null,"is_sponsor":0},{"start_s":224.66,"end_s":229.28,"text":"Additionally, even if you're using HTTPS, domain names are initially sent","speaker":null,"is_sponsor":0},{"start_s":229.44,"end_s":232.76,"text":"unencrypted plain text to the server you're trying to access","speaker":null,"is_sponsor":0},{"start_s":232.76,"end_s":238.24,"text":"because of the way TLS works. This is the cryptographic protocol HTTPS uses","speaker":null,"is_sponsor":0},{"start_s":238.24,"end_s":241.92,"text":"to handle encryption. In this first step of the TLS handshake,","speaker":null,"is_sponsor":0},{"start_s":241.92,"end_s":247.02,"text":"the server looks at the plain text domain name to figure out which subdomain the user wants.","speaker":null,"is_sponsor":0},{"start_s":247.02,"end_s":250.94,"text":"Think for example of the two letters before wikipedia.org","speaker":null,"is_sponsor":0},{"start_s":250.94,"end_s":256.32,"text":"that indicate which language you're viewing the site in. The connection is only encrypted after this happens,","speaker":null,"is_sponsor":0},{"start_s":256.32,"end_s":261.86,"text":"making it a fairly significant privacy concern. 
Although the newest version of TLS has a feature called","speaker":null,"is_sponsor":0},{"start_s":261.86,"end_s":266.3,"text":"ECH meant to plug this hole, it's not yet widespread across the web.","speaker":null,"is_sponsor":0},{"start_s":266.3,"end_s":271.46,"text":"Hopefully we'll see adoption increase over the years, along with that of encrypted DNS.","speaker":null,"is_sponsor":0},{"start_s":271.46,"end_s":274.74,"text":"Neither are perfect silver bullet privacy solutions,","speaker":null,"is_sponsor":0},{"start_s":274.74,"end_s":278.02,"text":"but if that existed, someone out there would probably have a fortune","speaker":null,"is_sponsor":0},{"start_s":278.02,"end_s":282.22,"text":"that would put even daddy Bezos to shame. But whatever the opposite of shame is,","speaker":null,"is_sponsor":0},{"start_s":282.22,"end_s":285.46,"text":"I'm giving to you right now for watching the whole video.","speaker":null,"is_sponsor":0},{"start_s":285.46,"end_s":288.74,"text":"Hey, thanks, like it if you liked it, dislike it if you disliked it,","speaker":null,"is_sponsor":0},{"start_s":288.74,"end_s":294.78,"text":"check out our other videos, comment below with video suggestions, and don't forget to subscribe and follow.","speaker":null,"is_sponsor":0},{"start_s":294.78,"end_s":295.62,"text":"Okay.","speaker":null,"is_sponsor":0}],"full_text":"Most web addresses these days start with HTTPS, which implies that your connection to the website is secure in some way, that's what the S stands for. But what exactly is HTTPS, and how safe is it really keeping you? HTTPS is a protocol that encrypts information sent over the internet, specifically the content that's traveling between your PC or phone and the server for the website you're viewing. 
Without HTTPS, any of that content, such as private messages, payment info, or the videos you're watching, could be intercepted by an attacker or snoop, such as someone with a packet sniffing program connected to the same Wi-Fi network or by an IT administrator monitoring traffic at your office. Although most websites these days use HTTPS, this wasn't always the case, but why? Well, it had to do with how security certificates worked. That's the electronic document used to generate the HTTPS encryption. Not only does it contain a public key, but it also enables another important function of HTTPS. It lets a user know the site that they're accessing is indeed what the URL says it is. Although anyone can make a certificate, it needs to be signed by an organization called a certificate authority in order for your browser to recognize it as valid and give you that nice little padlock icon up in the corner, it makes me feel so nice. For a certificate authority to sign a certificate, the website owner needs to show that they actually control the domain name on the certificate. Without a certificate authority signature, the encryption will still technically work if the certificate owner self signs it, but the issue is that you, the user at home, won't know who's on the other end of the connection. It could very well be an attacker ready to steal your data. The problem for a long time was that certificate authorities charged money for this service up to several hundred dollars a year, which many site owners just didn't wanna bother with, especially if they were running smaller websites. But nowadays, it's easy to get a certificate signed for free in large part due to a nonprofit authority called Let's Encrypt, backed by the Electronic Frontier Foundation as well as several large tech companies. 
And there's the fact that Chrome started displaying aggressive looking warnings whenever you visited a site without a certificate signed by a recognized authority, that got HTTPS adoption rolling a bit quicker. But do keep in mind, you won't see this warning if a site doesn't use HTTPS at all. So be sure to glance up at the address bar to see if the site is just using plain HTTP. Also keep in mind that there are ways your employer could still look at your web traffic, such as through a proxy and putting a custom certificate authority on your PC. But I'm sure all of you are on your best behavior on the job. One common misconception is that the HTTPS padlock means that you're connected to a site that you can trust with your personal information. This is definitely not the case. There are plenty of phishing sites whose appearance imitates the legitimate site, but you often can see up in the address bar that the URL doesn't match the site that you want, so their certificates get signed because the attackers do own that URL. They aren't trying to get a certificate for the real site, so look at the URL very closely if you suspect you're the target of a phishing attack. If you wanna be really careful, check the certificate too. As another kind of attack called DNS poisoning can even return a malicious website with a legitimate looking URL. Here's another important thing to remember. Although HTTPS does technically encrypt the URL of the webpage you're viewing, the domain and subdomain of the website you're visiting are still visible if you're using standard unencrypted DNS, the system that looks up the numerical IP addresses of the domain names that you punch in. This means that an attacker can look at your DNS query to figure out what site you're visiting, though not which specific page. Additionally, even if you're using HTTPS, domain names are initially sent unencrypted plain text to the server you're trying to access because of the way TLS works. 
This is the cryptographic protocol HTTPS uses to handle encryption. In this first step of the TLS handshake, the server looks at the plain text domain name to figure out which subdomain the user wants. Think for example of the two letters before wikipedia.org that indicate which language you're viewing the site in. The connection is only encrypted after this happens, making it a fairly significant privacy concern. Although the newest version of TLS has a feature called ECH meant to plug this hole, it's not yet widespread across the web. Hopefully we'll see adoption increase over the years, along with that of encrypted DNS. Neither are perfect silver bullet privacy solutions, but if that existed, someone out there would probably have a fortune that would put even daddy Bezos to shame. But whatever the opposite of shame is, I'm giving to you right now for watching the whole video. Hey, thanks, like it if you liked it, dislike it if you disliked it, check out our other videos, comment below with video suggestions, and don't forget to subscribe and follow. Okay."}