WEBVTT

00:00:00.000 --> 00:00:03.840
Most web addresses these days start with HTTPS,

00:00:03.840 --> 00:00:09.880
which implies that your connection to the website is secure in some way, that's what the S stands for.

00:00:09.880 --> 00:00:14.600
But what exactly is HTTPS, and how safe is it really keeping you?

00:00:14.600 --> 00:00:20.040
HTTPS is a protocol that encrypts information sent over the internet, specifically the content

00:00:20.040 --> 00:00:24.680
that's traveling between your PC or phone and the server for the website you're viewing.

00:00:24.680 --> 00:00:29.160
Without HTTPS, any of that content, such as private messages, payment info,

00:00:29.160 --> 00:00:33.760
or the videos you're watching, could be intercepted by an attacker or snoop,

00:00:33.760 --> 00:00:37.600
such as someone with a packet sniffing program connected to the same Wi-Fi network

00:00:37.600 --> 00:00:41.240
or by an IT administrator monitoring traffic at your office.

00:00:41.240 --> 00:00:44.280
Although most websites these days use HTTPS,

00:00:44.280 --> 00:00:49.760
this wasn't always the case, but why? Well, it had to do with how security certificates worked.

00:00:49.760 --> 00:00:53.960
That's the electronic document used to generate the HTTPS encryption.

00:00:53.960 --> 00:00:59.560
Not only does it contain a public key, but it also enables another important function of HTTPS.

00:00:59.560 --> 00:01:04.640
It lets a user know the site that they're accessing is indeed what the URL says it is.

00:01:04.640 --> 00:01:08.680
Although anyone can make a certificate, it needs to be signed by an organization

00:01:08.680 --> 00:01:13.600
called a certificate authority in order for your browser to recognize it as valid

00:01:13.600 --> 00:01:17.880
and give you that nice little padlock icon up in the corner, it makes me feel so nice.

00:01:17.880 --> 00:01:23.720
For a certificate authority to sign a certificate, the website owner needs to show that they actually control

00:01:23.720 --> 00:01:27.920
the domain name on the certificate. Without a certificate authority signature,

00:01:27.920 --> 00:01:33.120
the encryption will still technically work if the certificate owner self-signs it,

00:01:33.120 --> 00:01:36.320
but the issue is that you, the user at home,

00:01:36.320 --> 00:01:42.280
won't know who's on the other end of the connection. It could very well be an attacker ready to steal your data.

00:01:42.280 --> 00:01:48.680
The problem for a long time was that certificate authorities charged money for this service, up to several hundred dollars

00:01:48.680 --> 00:01:51.840
a year, which many site owners just didn't wanna bother with,

00:01:51.840 --> 00:01:56.880
especially if they were running smaller websites. But nowadays, it's easy to get a certificate signed for free

00:01:56.880 --> 00:02:03.000
in large part due to a nonprofit authority called Let's Encrypt, backed by the Electronic Frontier

00:02:03.000 --> 00:02:07.880
Foundation as well as several large tech companies. And there's the fact that Chrome started displaying

00:02:07.880 --> 00:02:12.720
aggressive-looking warnings whenever you visited a site without a certificate signed by a recognized authority,

00:02:12.720 --> 00:02:15.840
that got HTTPS adoption rolling a bit quicker.

00:02:15.840 --> 00:02:21.040
But do keep in mind, you won't see this warning if a site doesn't use HTTPS at all.

00:02:21.040 --> 00:02:25.840
So be sure to glance up at the address bar to see if the site is just using plain HTTP.

00:02:25.840 --> 00:02:30.080
Also keep in mind that there are ways your employer could still look at your web traffic,

00:02:30.080 --> 00:02:33.200
such as through a proxy and putting a custom certificate

00:02:33.200 --> 00:02:36.760
authority on your PC. But I'm sure all of you are on your best behavior

00:02:36.760 --> 00:02:41.200
on the job. One common misconception is that the HTTPS padlock

00:02:41.200 --> 00:02:45.440
means that you're connected to a site that you can trust with your personal information.

00:02:45.440 --> 00:02:50.400
This is definitely not the case. There are plenty of phishing sites whose appearance

00:02:50.400 --> 00:02:54.280
imitates the legitimate site, but you often can see up in the address bar

00:02:54.280 --> 00:02:59.000
that the URL doesn't match the site that you want, so their certificates get signed

00:02:59.000 --> 00:03:04.520
because the attackers do own that URL. They aren't trying to get a certificate for the real site,

00:03:04.520 --> 00:03:08.920
so look at the URL very closely if you suspect you're the target of a phishing attack.

00:03:08.920 --> 00:03:12.240
If you wanna be really careful, check the certificate too,

00:03:12.240 --> 00:03:15.240
as another kind of attack called DNS poisoning

00:03:15.240 --> 00:03:19.160
can even return a malicious website with a legitimate-looking URL.

00:03:19.160 --> 00:03:24.000
Here's another important thing to remember. Although HTTPS does technically encrypt

00:03:24.000 --> 00:03:28.760
the URL of the webpage you're viewing, the domain and subdomain of the website you're visiting

00:03:28.760 --> 00:03:33.440
are still visible if you're using standard unencrypted DNS,

00:03:33.440 --> 00:03:37.600
the system that looks up the numerical IP addresses of the domain names that you punch in.

00:03:37.600 --> 00:03:40.760
This means that an attacker can look at your DNS query

00:03:40.760 --> 00:03:44.660
to figure out what site you're visiting, though not which specific page.

00:03:44.660 --> 00:03:49.280
Additionally, even if you're using HTTPS, domain names are initially sent

00:03:49.440 --> 00:03:52.760
in unencrypted plain text to the server you're trying to access

00:03:52.760 --> 00:03:58.240
because of the way TLS works. This is the cryptographic protocol HTTPS uses

00:03:58.240 --> 00:04:01.920
to handle encryption. In this first step of the TLS handshake,

00:04:01.920 --> 00:04:07.020
the server looks at the plain text domain name to figure out which subdomain the user wants.

00:04:07.020 --> 00:04:10.940
Think for example of the two letters before wikipedia.org

00:04:10.940 --> 00:04:16.320
that indicate which language you're viewing the site in. The connection is only encrypted after this happens,

00:04:16.320 --> 00:04:21.860
making it a fairly significant privacy concern. Although the newest version of TLS has a feature called

00:04:21.860 --> 00:04:26.300
ECH meant to plug this hole, it's not yet widespread across the web.

00:04:26.300 --> 00:04:31.460
Hopefully we'll see adoption increase over the years, along with that of encrypted DNS.

00:04:31.460 --> 00:04:34.740
Neither are perfect silver bullet privacy solutions,

00:04:34.740 --> 00:04:38.020
but if that existed, someone out there would probably have a fortune

00:04:38.020 --> 00:04:42.220
that would put even daddy Bezos to shame. But whatever the opposite of shame is,

00:04:42.220 --> 00:04:45.460
I'm giving to you right now for watching the whole video.

00:04:45.460 --> 00:04:48.740
Hey, thanks, like it if you liked it, dislike it if you disliked it,

00:04:48.740 --> 00:04:54.780
check out our other videos, comment below with video suggestions, and don't forget to subscribe and follow.

00:04:54.780 --> 00:04:55.620
Okay.
