HTTPS-Only Mode

Setting your browser to HTTPS-Only Mode is an easy step to take to protect your privacy as you browse the World Wide Web. To understand why it’s necessary, however, we should talk a bit about how the World Wide Web works.

When you visit a World Wide Web page, a number of things happen behind the scenes:

  • Your browser sends a message to your internet service provider saying that you want to see a particular page. This message will have:
    • The Internet address (aka the “IP address”) of the server hosting the page that you want to see.
    • The name of the exact page that you want to see (the server will be hosting a number of pages so you’ll have to specify exactly which one you want).
    • Your own IP address. This is necessary because the server hosting the page that you want to see will need to know who to send that page back to.
  • Your internet service provider then sends your request along a chain of computers until it finally reaches the computer that is hosting the page that you are interested in.
  • The computer that hosts your page will then send the page back to your internet service provider along a similar chain of computers.
  • The internet service provider then passes the page to your browser which then displays it on your screen.

This works well but the trouble is that everyone along that communication chain can read and record everything that’s being passed along. Think of it like corresponding with a friend via postcards. You write your friend’s address on the postcard along with your return address and then fill in your message and drop it in the mailbox.

The Postal Service will get the message to your friend but any of the postal workers who are handling the postcard along the way can see your address, your friend’s address, and the message that you are sending.

This method of communicating is called the Hypertext Transport Protocol or HTTP for short. It works just fine for cat videos but is not appropriate for e-commerce or banking. For these, we use the Hypertext Transport Protocol – Secure or HTTPS. In HTTPS, your address and the address of the bank that you’re communicating with are still open for anyone to read but the contents of the message are encrypted.

This is like sending postcards to your friend but writing your message in code. The postal workers can still see that you’re communicating with your friend because you still have to write addresses on the postcard for it to be delivered. They can’t, however, read the message itself and that’s a significant step forward in privacy.

It’s the same with HTTPS – when you visit your bank’s website, all of the computers that are passing your messages back and forth can tell that you’re talking with your bank but they can’t read your conversation (which, the way the economy is going, is likely about your latest checking overdraft fee). Most browsers will show you which mode you’re in with a padlock icon next to the web address at the top of the browser. An open padlock shows that you’re in HTTP mode and your conversation is open for all of the computers carrying your messages to see. A closed padlock shows that you’re in HTTPS mode and your conversation is encrypted.
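To make the postcard comparison concrete, here is an added example (not part of the original article) of what a computer relaying your traffic can recover from the bytes it carries. The `observe` function, the `bank.example` host and both sample messages are constructed for illustration; the IP addresses travel in a separate packet header and stay visible in both cases.

```python
import os
from urllib.parse import parse_qs

HTTP_METHODS = (b"GET", b"POST", b"HEAD", b"PUT", b"DELETE", b"OPTIONS", b"PATCH")
TLS_TYPES = {20: "change_cipher_spec", 21: "alert",
             22: "handshake", 23: "application_data"}

def observe(payload: bytes) -> dict:
    """Return what a relay that sees these bytes can learn from them."""
    if payload.split(b" ", 1)[0] in HTTP_METHODS:
        # Plain HTTP: request line, headers and body are all readable text.
        head, _, body = payload.partition(b"\r\n\r\n")
        lines = head.decode("latin-1").split("\r\n")
        method, path = (lines[0].split(" ") + [""])[:2]
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        form = {k: v[0] for k, v in parse_qs(body.decode("latin-1")).items()}
        return {"protocol": "http", "method": method, "path": path,
                "host": headers.get("host"), "cookie": headers.get("cookie"),
                "form": form}
    # TLS record header: content type (1 byte), version (2), length (2).
    if len(payload) >= 5 and payload[0] in TLS_TYPES and payload[1] == 3:
        return {"protocol": "tls", "record": TLS_TYPES[payload[0]],
                "encrypted_bytes": int.from_bytes(payload[3:5], "big")}
    return {"protocol": "unknown"}

# Constructed sample: a login form sent over plain HTTP.
HTTP_SAMPLE = (b"POST /login HTTP/1.1\r\n"
               b"Host: bank.example\r\n"
               b"Cookie: session=abc123\r\n"
               b"Content-Type: application/x-www-form-urlencoded\r\n"
               b"Content-Length: 19\r\n\r\n"
               b"user=alice&pin=4321")

# Constructed sample: one TLS record as sent over HTTPS. Random bytes stand
# in for real ciphertext, which looks the same to anyone without the key.
TLS_SAMPLE = b"\x17\x03\x03" + (48).to_bytes(2, "big") + os.urandom(48)

if __name__ == "__main__":
    print(observe(HTTP_SAMPLE))  # page name, cookie and form fields in the clear
    print(observe(TLS_SAMPLE))   # only the record type and a byte count
```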

Setting your browser to HTTPS-Only Mode, therefore, is just instructing the browser to communicate with websites ONLY in HTTPS mode – when you do this then all of your web browsing is encrypted no matter whether you’re visiting your bank, watching cat videos, or engaging in political expression. In the past, this wasn’t practical because only banks and e-commerce websites supported HTTPS; everyone else used HTTP. However, thanks to the efforts of the Electronic Frontier Foundation and many others, it’s now the norm for websites to support HTTPS and any modern website you visit will have it. If you try to visit an older website that can’t handle HTTPS, a browser set in HTTPS-Only Mode will show you an alert before connecting to that site.

It’s important to note, however, that HTTPS-Only Mode is not a perfect solution for World Wide Web privacy. It protects you from eavesdropping while your messages are transiting the Internet but it doesn’t conceal the fact that you’re communicating with a specific website. In addition, if you or the other website is hacked then bad actors can get the contents of the conversation that way and not have to bother with eavesdropping at all.

If you are interested in going the extra mile and concealing which websites you’re visiting from prying eyes, you will want to look into a Virtual Private Network (VPN). Be warned, however: VPNs are a bit more complex and there are some subtleties to their use that you’ll need to consider before choosing a VPN provider.

By contrast, turning HTTPS-Only Mode on is trivial… trivial enough that you should do it now. The links below will show you how to do it for common browsers. For uncommon browsers, you should look the procedure up on Google. Don’t forget to do this on ALL of your devices – cell phones, tablets, laptops, desktops, etc., etc.!