This primer series is meant to be a less technical discussion around modern security tools and techniques. This may not match the otherwise technical nature of this site.
Internet in a Nutshell
A very long time ago, computers only transferred text to one another. There were no pictures or links, and the text they did transfer was all of one size. You didn’t have bold text or italics, for example. Eventually, Tim Berners-Lee invented what he called “Hypertext”, which allowed you to use different text sizes and to link to other pages. This is what started the term “The web”, since pages all seemed to link to each other in a web-like fashion.
The computer you’re at right now is referred to as a “Client”, or as a “User” of the Internet. When you go to a website, you’re talking to a “Server”. Anybody can run a server; it is simply somebody else’s computer that you’re talking to. When you check your bank, for example, that computer might sit inside a large office building that the bank owns.
In order to build a way for “clients” to talk to “servers”, engineers designed a specification, called a protocol, for them to speak. Think about CB Radios or Police Radios. After they speak, they may say “Over” or they may say “10-4” to confirm. This is a protocol that enables rapid and successful communication.
The engineers in this case had built “HyperText Transfer Protocol”, better known as “HTTP”.
Some common use cases for HTTP:
- Helps servers know what you are looking for. For example, it may be a local restaurant’s website — you are asking for their menu
- It tells your computer how big the menu is, so your computer can guess how long it will take to load
- It will also tell your computer if it has permission to store the menu so it doesn’t have to ask the restaurant in the future to view it (called Caching)
- It also communicates status codes, such as “200 OK” or the famous “404 NOT FOUND” error
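To make the list above concrete, here is an added example (not code from the original post) that parses a constructed HTTP/1.1 request and two constructed responses. It pulls out the path being asked for, checks that the body is as long as the Content-Length header promised, reads the Cache-Control header to decide whether the client may keep a copy, and reports the status code. The hostname and messages are made up for the example.

```python
"""Added example: parse constructed HTTP/1.1 messages for the fields the
primer mentions (requested path, Content-Length, Cache-Control, status).
Sample messages and the hostname are constructed, not real traffic."""
from dataclasses import dataclass


@dataclass
class Request:
    method: str
    path: str
    version: str
    headers: dict


@dataclass
class Response:
    version: str
    status: int
    reason: str
    headers: dict
    body: bytes

    @property
    def content_length(self) -> int:
        return len(self.body)


def _split_message(raw: bytes):
    """Split a message into (start line, header dict, body).
    Header names are case-insensitive, so they are stored lowercased."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete message: headers not ended by a blank line")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon or not name.strip():
            raise ValueError(f"malformed header line: {line!r}")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def parse_request(raw: bytes) -> Request:
    """Parse what the client sends, e.g. 'GET /menu.html HTTP/1.1'."""
    start, headers, _body = _split_message(raw)
    parts = start.split(" ")
    if len(parts) != 3:
        raise ValueError(f"malformed request line: {start!r}")
    method, path, version = parts
    return Request(method, path, version, headers)


def parse_response(raw: bytes) -> Response:
    """Parse the server's reply and check the body is as long as the
    Content-Length header promised; a short body means the reply was
    cut off (or altered) on the way."""
    start, headers, body = _split_message(raw)
    version, _, rest = start.partition(" ")
    code, _, reason = rest.partition(" ")
    if not code.isdigit() or len(code) != 3:
        raise ValueError(f"malformed status line: {start!r}")
    if "content-length" in headers:
        declared = int(headers["content-length"])
        if declared != len(body):
            raise ValueError(
                f"Content-Length says {declared} bytes but {len(body)} arrived")
    return Response(version, int(code), reason, headers, body)


def is_cacheable(headers: dict) -> bool:
    """True if Cache-Control lets the client keep a copy (max-age > 0 and
    no 'no-store'), so it need not ask the server again next time."""
    directives = [d.strip().lower()
                  for d in headers.get("cache-control", "").split(",")]
    if "no-store" in directives:
        return False
    for d in directives:
        if d.startswith("max-age="):
            try:
                return int(d[len("max-age="):]) > 0
            except ValueError:
                return False
    return False


# Constructed sample exchange: the client asks a restaurant site for its menu.
SAMPLE_REQUEST = (
    b"GET /menu.html HTTP/1.1\r\n"
    b"Host: example-restaurant.test\r\n"
    b"Accept: text/html\r\n"
    b"\r\n"
)
SAMPLE_RESPONSE_200 = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: 31\r\n"
    b"Cache-Control: max-age=3600\r\n"
    b"\r\n"
    b"<p>Menu: soup, salad, bread</p>"
)
SAMPLE_RESPONSE_404 = (
    b"HTTP/1.1 404 Not Found\r\n"
    b"Content-Type: text/plain\r\n"
    b"Content-Length: 13\r\n"
    b"Cache-Control: no-store\r\n"
    b"\r\n"
    b"no such page."
)

if __name__ == "__main__":
    req = parse_request(SAMPLE_REQUEST)
    print(f"client asks for {req.path} from {req.headers['host']}")
    for raw in (SAMPLE_RESPONSE_200, SAMPLE_RESPONSE_404):
        resp = parse_response(raw)
        print(resp.status, resp.reason, resp.content_length, "bytes,",
              "cacheable:", is_cacheable(resp.headers))
```

Run it as a script to see both responses summarised. Feeding `parse_response` a reply whose body is shorter than its Content-Length raises `ValueError`, which is how a client notices a download was cut short rather than silently showing a partial page.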
This worked exactly like your CB radio, or your land-line telephone. Everything that was sent to the server could be heard by other people. For example, if you were talking to your bank, and I picked up a different phone at your house, I could hear you talking to the bank. This is called a “MitM Attack” or “Man-in-the-Middle Attack”.
Obviously, this is concerning because people use the internet to do their banking, to log in with passwords to read the news, and to send letters to their doctors. All of these are very sensitive.
How do we make this secure?
You may see in the photo above that there is a padlock next to the name of my site. This means that my site is using something called “HTTPS”, also known as “HyperText Transfer Protocol Secure”.
What this means is that, when you talk to my website, everything you send is scrambled so that anyone listening in cannot make sense of it. This information is “encrypted.” The process first establishes a trusted relationship between your computer and the website’s computer, and then the two share a “key” that only they know, which allows each of them to read what the other sends.
Some important facts:
- HTTPS does not mean it is a trusted site or organization. This simply means that nobody can listen in. Imagine if you were on the phone talking to a scammer, just because it was scrambled doesn’t mean it’s a good idea.
- HTTP is not always bad. Some sites are just news sites and don’t share sensitive data, so they don’t encrypt it.
- You should never enter the following information without double checking the site you’re on, and making sure it is HTTPS:
  - Social Security Number
  - Driver’s License Number
  - Date of Birth
  - Username, Real Name, or Names of Family Members or Friends
  - Credit Card or Debit Card Number
  - Membership Numbers
  - Bank Account Numbers
  - Security Questions (such as ice cream flavors, first car, etc.)
  - Medical Record Numbers (MRNs) or any medical information (such as prescriptions, disabilities, etc.)
  - Insurance Information, such as Health, Dental, Vision, Life, Auto, Home, and so on.
The single biggest mistake people make when online is entering their information into the incorrect site. Make sure you are on the site you expect. Google the company if you must, as it is a decent way of checking.