1
00:00:00,000 --> 00:00:03,840
Most web addresses these days start with HTTPS,

2
00:00:03,840 --> 00:00:09,880
which implies that your connection to the website is secure in some way, that's what the S stands for.

3
00:00:09,880 --> 00:00:14,600
But what exactly is HTTPS, and how safe is it really keeping you?

4
00:00:14,600 --> 00:00:20,040
HTTPS is a protocol that encrypts information sent over the internet, specifically the content

5
00:00:20,040 --> 00:00:24,680
that's traveling between your PC or phone and the server for the website you're viewing.

6
00:00:24,680 --> 00:00:29,160
Without HTTPS, any of that content, such as private messages, payment info,

7
00:00:29,160 --> 00:00:33,760
or the videos you're watching, could be intercepted by an attacker or snoop,

8
00:00:33,760 --> 00:00:37,600
such as someone with a packet sniffing program connected to the same Wi-Fi network

9
00:00:37,600 --> 00:00:41,240
or by an IT administrator monitoring traffic at your office.

10
00:00:41,240 --> 00:00:44,280
Although most websites these days use HTTPS,

11
00:00:44,280 --> 00:00:49,760
this wasn't always the case, but why? Well, it had to do with how security certificates worked.

12
00:00:49,760 --> 00:00:53,960
That's the electronic document used to generate the HTTPS encryption.

13
00:00:53,960 --> 00:00:59,560
Not only does it contain a public key, but it also enables another important function of HTTPS.

14
00:00:59,560 --> 00:01:04,640
It lets a user know the site that they're accessing is indeed what the URL says it is.

15
00:01:04,640 --> 00:01:08,680
Although anyone can make a certificate, it needs to be signed by an organization

16
00:01:08,680 --> 00:01:13,600
called a certificate authority in order for your browser to recognize it as valid

17
00:01:13,600 --> 00:01:17,880
and give you that nice little padlock icon up in the corner, it makes me feel so nice.

18
00:01:17,880 --> 00:01:23,720
For a certificate authority to sign a certificate, the website owner needs to show that they actually control

19
00:01:23,720 --> 00:01:27,920
the domain name on the certificate. Without a certificate authority signature,

20
00:01:27,920 --> 00:01:33,120
the encryption will still technically work if the certificate owner self signs it,

21
00:01:33,120 --> 00:01:36,320
but the issue is that you, the user at home,

22
00:01:36,320 --> 00:01:42,280
won't know who's on the other end of the connection. It could very well be an attacker ready to steal your data.

23
00:01:42,280 --> 00:01:48,680
The problem for a long time was that certificate authorities charged money for this service up to several hundred dollars

24
00:01:48,680 --> 00:01:51,840
a year, which many site owners just didn't wanna bother with,

25
00:01:51,840 --> 00:01:56,880
especially if they were running smaller websites. But nowadays, it's easy to get certificate signed for free

26
00:01:56,880 --> 00:02:03,000
in large part due to a nonprofit authority called Let's Encrypt, backed by the electronic frontier

27
00:02:03,000 --> 00:02:07,880
foundation as well as several large tech companies. And there's the fact that Chrome started displaying

28
00:02:07,880 --> 00:02:12,720
aggressive looking warnings whenever you visited a site without a certificate signed by a recognized authority,

29
00:02:12,720 --> 00:02:15,840
that got HTTPS adopted role in a bit quicker.

30
00:02:15,840 --> 00:02:21,040
But do keep in mind, you won't see this warning if a site doesn't use HTTPS at all.

31
00:02:21,040 --> 00:02:25,840
So be sure to glance up at the address bar to see if the site is just using plain HTTP.

32
00:02:25,840 --> 00:02:30,080
Also keep in mind that there are ways your employer could still look at your web traffic,

33
00:02:30,080 --> 00:02:33,200
such as through a proxy and putting a custom certificate

34
00:02:33,200 --> 00:02:36,760
authority on your PC. But I'm sure all of you are on your best behavior

35
00:02:36,760 --> 00:02:41,200
on the job. One common misconception is that the HTTPS padlock

36
00:02:41,200 --> 00:02:45,440
means that you're connected to a site that you can trust with your personal information.

37
00:02:45,440 --> 00:02:50,400
This is definitely not the case. There are plenty of phishing sites whose appearance

38
00:02:50,400 --> 00:02:54,280
imitates the legitimate site, but you often can see up in the address bar

39
00:02:54,280 --> 00:02:59,000
that the URL doesn't match the site that you want, so their certificates get signed

40
00:02:59,000 --> 00:03:04,520
because the attackers do own that URL. They aren't trying to get a certificate for the real site,

41
00:03:04,520 --> 00:03:08,920
so look at the URL very closely if you suspect you're the target of a phishing attack.

42
00:03:08,920 --> 00:03:12,240
If you wanna be really careful, check the certificate too.

43
00:03:12,240 --> 00:03:15,240
As another kind of attack called DNS poisoning

44
00:03:15,240 --> 00:03:19,160
can even return a malicious website with a legitimate looking URL.

45
00:03:19,160 --> 00:03:24,000
Here's another important thing to remember. Although HTTPS does technically encrypt

46
00:03:24,000 --> 00:03:28,760
the URL of the webpage you're viewing, the domain and subdomain of the website you're visiting

47
00:03:28,760 --> 00:03:33,440
are still visible if you're using standard unencrypted DNS,

48
00:03:33,440 --> 00:03:37,600
the system that looks up the numerical IP addresses of the domain names that you punch in.

49
00:03:37,600 --> 00:03:40,760
This means that an attacker can look at your DNS query

50
00:03:40,760 --> 00:03:44,660
to figure out what site you're visiting, though not which specific page.

51
00:03:44,660 --> 00:03:49,280
Additionally, even if you're using HTTPS, domain names are initially sent

52
00:03:49,440 --> 00:03:52,760
unencrypted plain text to the server you're trying to access

53
00:03:52,760 --> 00:03:58,240
because of the way TLS works. This is the cryptographic protocol HTTPS uses

54
00:03:58,240 --> 00:04:01,920
to handle encryption. In this first step of the TLS handshake,

55
00:04:01,920 --> 00:04:07,020
the server looks at the plain text domain name to figure out which subdomain the user wants.

56
00:04:07,020 --> 00:04:10,940
Think for example of the two letters before wikipedia.org

57
00:04:10,940 --> 00:04:16,320
that indicate which language you're viewing the site in. The connection is only encrypted after this happens,

58
00:04:16,320 --> 00:04:21,860
making it a fairly significant privacy concern. Although the newest version of TLS has a feature called

59
00:04:21,860 --> 00:04:26,300
ECH meant to plug this hole, it's not yet widespread across the web.

60
00:04:26,300 --> 00:04:31,460
Hopefully we'll see adoption increase over the years, along with that of encrypted DNS.

61
00:04:31,460 --> 00:04:34,740
Neither are perfect silver bullet privacy solutions,

62
00:04:34,740 --> 00:04:38,020
but if that existed, someone out there would probably have a fortune

63
00:04:38,020 --> 00:04:42,220
that would put even daddy Bezos to shame. But whatever the opposite of shame is,

64
00:04:42,220 --> 00:04:45,460
I'm giving to you right now for watching the whole video.

65
00:04:45,460 --> 00:04:48,740
Hey, thanks, like it if you liked it, dislike it if you disliked it,

66
00:04:48,740 --> 00:04:54,780
check out our other videos, comment below with video suggestions, and don't forget to subscribe and follow.

67
00:04:54,780 --> 00:04:55,620
Okay.