Debunking email hoaxes and exposing Internet scams since 2003!











Difference Between http & https

Summary:
Circulating email advises web users to take note of the differences between "http" and "https" in web addresses to ensure that they only provide sensitive personal and financial information on secure websites (Full commentary below).



Status:
True

Example: (Submitted, January 2009)
Subject: FW: Difference between http & https (no joke)

Don't know how many are aware of this difference, but worth sending to any that do not...... What is the difference between http and https

FIRST, MANY PEOPLE ARE UNAWARE OF
**The main difference between http:// and https:// is It's all about keeping you secure** HTTP stands for Hyper Text Transport Protocol,

Which is just a fancy way of saying it's a protocol (a language, in a manner of speaking) For information to be passed back and forth between web servers and clients. The important thing is the letter S which makes the difference between HTTP and HTTPS.

The S (big surprise) stands for "Secure". If you visit a website or webpage, and look at the address in the web browser, it will likely begin with the following: http://.

This means that the website is talking to your browser using the regular 'unsecure' language. In other words, it is possible for someone to "eavesdrop" on your computer's conversation with the website. If you fill out a form on the website, someone might see the information you send to that site.

This is why you never ever enter your credit card number in an http website! But if the web address begins with https://, that basically means your computer is talking to the website in a secure code that no one can eavesdrop on.

You understand why this is so important, right?

If a website ever asks you to enter your credit card information, you should automatically look to see if the web address begins with https://.

If it doesn't, there's no way you're going to enter sensitive information like a credit card number.

PASS IT ON (You may save someone a lot of grief).




Commentary:
This email forward offers some timely advice that may help many Internet users avoid compromising their security online. The message outlines in plain English the difference between the http and https protocols. It explains why it is important to ensure that a web page is using the secure https protocol before providing financial information such as credit card numbers.


Http Protocol
The information provided in the email is correct and well worth heeding. Hypertext Transfer Protocol (http) is a system that allows the transmitting and receiving of information across the Internet. Http allows information, such as the text you are reading right now, to be accessed from the server by your web browser. While http allows for the quick and easy transmission of information, it is not secure, and it is possible for a third party to "listen in" to the "conversation" between servers and clients.

For many purposes, such as a website article that is open and available to everyone, this lack of security is of no importance. However, if a website is one that needs to collect private information such as credit card numbers, then a more secure protocol is an important prerequisite. For example, when purchasing a product or service online or using Internet banking, it is vital that the exchange of information between clients and servers cannot be easily harvested by third parties. Thus, the https (secure http) protocol was developed to allow the authorisation of users and secure transactions.

So, as the message states, if you are required to provide sensitive personal or financial information on a web page, always ensure that the web address starts with https, not just http. Knowing the difference between http and https can certainly help web users keep their information secure. For example, if a webpage that should be secure, such as an Internet banking login page, uses http rather than https in its address, it may well be a "look-a-like" phishing site designed to steal financial information. A genuine financial institution website would NEVER use the unsecure http protocol on any page that requires customers to provide personal or financial information.

Unfortunately, however, even if a site address does display https, it might still be a bogus phishing web page. Internet criminals can sometimes use clever spoofing techniques to make a fake web page appear to be using the https protocol. Thus, other methods of avoiding phishing scams should also be used.
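
The two checks discussed above, written out as an added example that is not part of the original article: the function reports whether a page and the form on it use https, and separately whether they belong to the site the user expects, since https alone does not establish that. The function name, the expectedHost parameter and the .example hostnames are assumptions made for illustration.

```javascript
// Added example (not from the original article). All hostnames are constructed
// placeholders under the reserved .example domain.

// Report problems with where a form on `pageUrl` will send its data.
// `formAction` may be relative or empty, as in real HTML; `expectedHost` is the
// hostname the user believes they are dealing with (an assumption of this example).
function assessForm(pageUrl, formAction, expectedHost) {
  const findings = [];
  let page, target;
  try {
    page = new URL(pageUrl);
    // An empty action submits back to the page itself.
    target = new URL(formAction || pageUrl, page);
  } catch (err) {
    return ["unparseable URL"];
  }
  if (page.protocol !== "https:") {
    findings.push("page loaded over " + page.protocol + " (readable in transit)");
  }
  // The address bar shows the page, not where the form posts to.
  if (target.protocol !== "https:") {
    findings.push("form submits over " + target.protocol + " (data sent unencrypted)");
  }
  // https protects the connection only; it does not say who runs the site.
  const expected = expectedHost.toLowerCase();
  for (const [label, u] of [["page", page], ["form target", target]]) {
    if (u.hostname !== expected) {
      findings.push(label + " host " + u.hostname + " is not " + expected);
    }
  }
  return findings;
}

// Constructed sample cases: [page address, form action].
const CONSTRUCTED_CASES = [
  ["https://bank.example/login", "/session"],
  ["http://bank.example/login", "/session"],
  ["https://bank.example/login", "http://bank.example/session"],
  ["https://bank-example.secure-login.example/login", ""],
];
for (const [pageUrl, action] of CONSTRUCTED_CASES) {
  const result = assessForm(pageUrl, action, "bank.example");
  console.log(pageUrl, "->", result.length ? result.join("; ") : "no findings");
}
```

An empty result means only that the connection is encrypted and the hostname matches the one supplied; it is not a verdict on the site itself.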

Note:
Most modern browsers also display a "lock" icon in the status bar or, possibly, in the address field, when a secure https website is being accessed. Generally, you can click on the lock icon to display more information about the secure website.





Last updated: 29th January 2009
First published: 29th January 2009

Write-up by Brett M. Christensen