“https”, or secure http, is an important part of keeping your data safe.But it’s only a part.

Https connections do two things: they encrypt your data so that it is nearly impossible to sniff, and they provide an opportunity for your browser to validate that the website is who you think it is.

Let’s look at each of those in a little more depth.  Encryption is simply a way of scrambling the information that you sent to a web site, and that the web site might send back to you.  In an https connection it works both ways: data that you send, say an account name and password you enter in a login form, is encrypted and sent to the remote site where it is decrypted so it can be used. Data coming back, perhaps the amount of money you have in your checking account when you visit your bank’s site, is encrypted by the web server, sent to your browser, and decrypted so that your browser can display it on screen.  Encryption is important because only you and the remote site can understand the data.   Anyone in between, say someone who’s monitoring the information going to and from your computer  sees only gibberish. It’s an important way to keep your private data out of the hands of hackers and thieves.  Another important aspect of https security, is that it can be used to validate that the site you are connecting to really is who they claim to be. The server-side of an https connection uses information, called a certificate, which can be checked, and validated, against trusted authorities.  If that check fails, then your browser will warn you.  Perhaps the certificate has expired (though you should check your computer’s clock if you see that), or perhaps the certificate does not actually match the site you think you’re visiting.  Both are things that should give you pause.  Now this server validation step is actually a kind of optional part of https.   A server can elect to use an untrusted certificate – but every visitor to that site will get a warning that the certificate is not trusted.   The data will still be encrypted.  Why would a server elect to do that?   Well, certification costs money.   Not a lot, but it is an extra step, and not all cases really require it.  Sometimes encryption is enough. Now, everything I’ve talked about so far is only about the technology of communicating between you and a web server.   Your data is encrypted and you are talking to the web site you think you are.  But it tells you nothing about whether the site you are talking to is legitimate, or whether they are keeping your data safe once it’s on their server.  Your data arrived there safely … but what did they do with it after that?  Any web site owner can easily, and inexpensively throw together https support.   But an https connection doesn’t imply that they are legitimate.  You still need to know who you’re talking to.   Make sure that you’ve got the website URL correct, and that they’re a legitimate business.   That’s what phishing scams are all about … trying to get you to visit sites that look legitimate, but aren’t. And they might even support https.(And don’t forget to keep your side of the connection clean too – practice safe computing!)

Attacker can use the HTTPS protocol on website false or malicious.  Attackers do not often purchase security certificates as its cost and the need to provide information, the possibility of acquiring free certificates is an opportunity for attackers.  Purchase’s of certificates can only be given to a  domain owner.

It is worth mentioning that  browsers like Google Chrome or Firefox had accepted the free certificates before.