{"id":62682,"date":"2021-10-13T14:47:32","date_gmt":"2021-10-13T21:47:32","guid":{"rendered":"http:\/\/blog.mozilla.org\/foxtail\/2017\/04\/21\/https-protect\/"},"modified":"2021-10-14T16:49:38","modified_gmt":"2021-10-14T23:49:38","slug":"https-protect","status":"publish","type":"post","link":"https:\/\/blog.mozilla.org\/en\/firefox\/https-protect\/","title":{"rendered":"HTTPS and your online security"},"content":{"rendered":"\n<p>We have long advised Web users to look for HTTPS and the lock icon in the address bar of their favorite browser (<a href=\"https:\/\/www.getfirefox.com\">Firefox!<\/a>) before typing passwords or other private information into a website. These are solid tips, but it\u2019s worth digging deeper into what HTTPS does and doesn\u2019t do to protect your online security and what steps you need to take to be safer.<\/p>\n\n\n\n<figure class=\"wp-block-embed is-type-video is-provider-youtube wp-block-embed-youtube wp-embed-aspect-16-9 wp-has-aspect-ratio\"><div class=\"wp-block-embed__wrapper\">\n<iframe loading=\"lazy\" title=\"Firefox Tips: Weed out weak websites with HTTPS only\" width=\"640\" height=\"360\" src=\"https:\/\/www.youtube.com\/embed\/D6tFXSFFkfY?feature=oembed\" frameborder=\"0\" allow=\"accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture\" allowfullscreen><\/iframe>\n<\/div><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\"><b>Trust is more than encryption<\/b><\/h2>\n\n\n\n<p>It\u2019s true that looking for the lock icon and HTTPS will help you prevent attackers from seeing any information you submit to a website. HTTPS also <a href=\"https:\/\/www.wired.com\/2017\/01\/half-web-now-encrypted-makes-everyone-safer\/\">prevents your internet service provider (ISP)<\/a> from seeing what pages you visit beyond the top level of a website. That means they can see that you regularly visit <a href=\"https:\/\/www.reddit.com\">https:\/\/www.reddit.com<\/a>, for example, but they won&#8217;t see that you spend most of your time at <a href=\"https:\/\/www.reddit.com\/r\/CatGifs\/\">https:\/\/www.reddit.com\/r\/CatGifs\/<\/a>. But while HTTPS does guarantee that your communication is private and encrypted, it doesn\u2019t guarantee that the site won\u2019t try to scam you.<\/p>\n\n\n\n<p>Because here\u2019s the thing: Any website can use HTTPS and encryption. This includes the good, trusted websites <i>as well as the ones that are up to no good<\/i> \u2014 the scammers, the phishers, the malware makers.<\/p>\n\n\n\n<p>You might be scratching your head right now, wondering how a nefarious website can use HTTPS. You\u2019ll be forgiven if you wonder in all caps HOW CAN THIS BE?<\/p>\n\n\n\n<p>The answer is that the security of your connection to a website \u2014 which HTTPS provides \u2014 knows nothing about the information being relayed or the motivations of the entities relaying it. It\u2019s a lot like having a phone. The phone company isn\u2019t responsible for scammers calling you and trying to get your credit card. You have to be savvy about who you\u2019re talking to. The job of HTTPS is to provide a secure line, not guarantee that you won\u2019t be talking to crooks on it.<\/p>\n\n\n\n<p>That\u2019s your job. Tough love, I know. But think about it. Scammers go to great lengths to trick you, and their motives largely boil down to one: to separate you from your money. This applies everywhere in life, online and offline. Your job is to not get scammed.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><b>How do you spot a scam website?<\/b><\/h2>\n\n\n\n<p>Consider the uniform. It generally evokes authority and trust. If a legit looking person in a spiffy uniform standing outside of your bank says she works for the bank and offers to take your cash in and deposit it, would you trust her? Of course not. You\u2019d go directly to the bank yourself. Apply that same skepticism online.<\/p>\n\n\n\n<p>Since scammers go to great lengths to trick you, you can expect them to appear in a virtual uniform to convince you to trust them. \u201cPhishing\u201d is a form of identity theft that occurs when a malicious website impersonates a legitimate one in order to trick you into giving up sensitive information such as passwords, account details or credit card numbers. Phishing attacks usually come from email messages that attempt to lure you, the recipient, into updating your personal information on fake but very real-looking websites. Those websites may also use HTTPS in an attempt to boost their legitimacy in your eyes.<\/p>\n\n\n\n<p>Here are some things you should do.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><b>Don\u2019t click suspicious links.<\/b><\/h3>\n\n\n\n<p>I once received a message telling me that my Bank of America account had been frozen, and I needed to click through to fix it. It looked authentic, however, I don\u2019t have a BoFA account. That\u2019s what phishing is &#8212; casting a line to bait someone. If I did have a BoFA account, I may have clicked through and been hooked. A safer approach would be to go directly to the Bank of America website, or give them a call to find out if the email was fake.<\/p>\n\n\n\n<p>If you get an email that says your bank account is frozen \/ your PayPal account has a discrepancy \/ you have an unpaid invoice \/ you get the idea, and it seems legitimate, go directly to the source. Do not click the link in the email, no matter how convinced you are.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><b>Stop for alerts.<\/b><\/h3>\n\n\n\n<p>Firefox has a built-in <a href=\"https:\/\/support.mozilla.org\/kb\/how-does-phishing-and-malware-protection-work\">Phishing and Malware Protection feature<\/a> that will warn you when a page you visit has been flagged as a bad actor. If you see an alert, which looks like <a href=\"http:\/\/itisatrap.org\/firefox\/its-a-trap.html\">this<\/a>, click the \u201cGet me out of here!\u201d button.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><b>HTTPS matters<\/b><\/h2>\n\n\n\n<p>Most major websites that offer a customer login already use HTTPS. Think: financial institutions, media outlets, stores, social media. But it\u2019s not universal. Every website out there doesn\u2019t automatically use HTTPS.<\/p>\n\n\n\n<p>With <a href=\"https:\/\/support.mozilla.org\/kb\/https-only-prefs\">HTTPS-Only Mode in Firefox<\/a>, the browser forces all connections to websites to use <b>HTTPS<\/b>. Enabling this mode provides a guarantee that all of your connections to websites are upgraded to use HTTPS and hence secure. Some websites only support HTTP and the connection cannot be upgraded. If HTTPS-Only Mode is enabled and a HTTPS version of a site is not available, you will see a \u201cSecure Connection Not Available\u201d page. If you click <b>Continue to HTTP Site<\/b>, you accept the risk and then will visit a HTTP version of the site. HTTPS-Only Mode will be turned off temporarily for that site.<\/p>\n\n\n\n<p>It\u2019s not difficult for sites to convert. The website owner needs to get a certificate from a certificate authority to enable HTTPS. In December 2015, Mozilla joined with Cisco, Akamai, EFF and University of Michigan to launch <a href=\"https:\/\/letsencrypt.org\/\">Let\u2019s Encrypt<\/a>, a free, automated, and open certificate authority, run for the public\u2019s benefit.<\/p>\n\n\n\n<p>HTTPS across the web is good for Internet Health because it makes a more secure environment for everyone. It provides integrity, so a site can\u2019t be modified, and authentication, so users know they\u2019re connecting to the legit site and not some attacker. Lacking any one of these three properties can cause problems. More non-secure sites means more risk for the overall web.<\/p>\n\n\n\n<p>If you come across a website that is not using HTTPS, send them a note encouraging them to get on board. Post on their social media or send them an email to let them know it matters: <i>@favoritesite&nbsp;I love your site, but I noticed it\u2019s not secure. Get HTTPS from @letsencrypt to protect your site and visitors. <\/i>If you operate a website, encrypting your site will make your it more secure for yourself and your visitors and <a href=\"https:\/\/internethealthreport.org\/v01\/stories\/lets-encrypt-making-the-web-safer\/\">contribute to the security of the web<\/a> in the process.<\/p>\n\n\n\n<p>In the meantime, share this article with your friends so they understand what HTTPS does and doesn\u2019t do for their online security.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>We have long advised Web users to look for HTTPS and the lock icon in the address bar of their favorite browser (Firefox!) before typing passwords or other private information into a website. These are solid tips, but it\u2019s worth digging deeper into what HTTPS does and doesn\u2019t do to protect your online security and [&hellip;]<\/p>\n","protected":false},"author":727,"featured_media":67556,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[30,289374],"tags":[],"coauthors":[311664],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v22.5 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>How does HTTPS protect you (and how doesn&#039;t it?) - The Mozilla Blog<\/title>\n<meta name=\"description\" content=\"HTTPS-Only Mode in Firefox guarantees that connections to websites are encrypted and hence secure. But you still need to watch out for scammers.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/blog.mozilla.org\/en\/firefox\/https-protect\/\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/blog.mozilla.org\/en\/firefox\/https-protect\/\",\"url\":\"https:\/\/blog.mozilla.org\/en\/firefox\/https-protect\/\",\"name\":\"How does HTTPS protect you (and how doesn't it?) - The Mozilla Blog\",\"isPartOf\":{\"@id\":\"https:\/\/blog.mozilla.org\/en\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/blog.mozilla.org\/en\/firefox\/https-protect\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/blog.mozilla.org\/en\/firefox\/https-protect\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/blog.mozilla.org\/wp-content\/blogs.dir\/278\/files\/2021\/10\/fx_video-thumb_secret-menu_https_chris.jpg\",\"datePublished\":\"2021-10-13T21:47:32+00:00\",\"dateModified\":\"2021-10-14T23:49:38+00:00\",\"author\":{\"@id\":\"https:\/\/blog.mozilla.org\/en\/#\/schema\/person\/5c987afc4f606be73692d2acfdd1316c\"},\"description\":\"HTTPS-Only Mode in Firefox guarantees that connections to websites are encrypted and hence secure. But you still need to watch out for scammers.\",\"breadcrumb\":{\"@id\":\"https:\/\/blog.mozilla.org\/en\/firefox\/https-protect\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/blog.mozilla.org\/en\/firefox\/https-protect\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/blog.mozilla.org\/en\/firefox\/https-protect\/#primaryimage\",\"url\":\"https:\/\/blog.mozilla.org\/wp-content\/blogs.dir\/278\/files\/2021\/10\/fx_video-thumb_secret-menu_https_chris.jpg\",\"contentUrl\":\"https:\/\/blog.mozilla.org\/wp-content\/blogs.dir\/278\/files\/2021\/10\/fx_video-thumb_secret-menu_https_chris.jpg\",\"width\":1920,\"height\":1080},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/blog.mozilla.org\/en\/firefox\/https-protect\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/blog.mozilla.org\/en\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"HTTPS and your online security\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/blog.mozilla.org\/en\/#website\",\"url\":\"https:\/\/blog.mozilla.org\/en\/\",\"name\":\"The Mozilla Blog\",\"description\":\"News and Updates about Mozilla\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/blog.mozilla.org\/en\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/blog.mozilla.org\/en\/#\/schema\/person\/5c987afc4f606be73692d2acfdd1316c\",\"name\":\"M.J. Kelly\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/blog.mozilla.org\/en\/#\/schema\/person\/image\/70718b02fa9f11d88288b937f1da2ac1\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/d61ff6a9eb6dd324df20cb773e6c416e?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/d61ff6a9eb6dd324df20cb773e6c416e?s=96&d=mm&r=g\",\"caption\":\"M.J. Kelly\"},\"description\":\"Mozilla Communications\",\"url\":\"https:\/\/blog.mozilla.org\/en\/author\/mjkellymozilla-com\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"How does HTTPS protect you (and how doesn't it?) - The Mozilla Blog","description":"HTTPS-Only Mode in Firefox guarantees that connections to websites are encrypted and hence secure. But you still need to watch out for scammers.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/blog.mozilla.org\/en\/firefox\/https-protect\/","schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/blog.mozilla.org\/en\/firefox\/https-protect\/","url":"https:\/\/blog.mozilla.org\/en\/firefox\/https-protect\/","name":"How does HTTPS protect you (and how doesn't it?) - The Mozilla Blog","isPartOf":{"@id":"https:\/\/blog.mozilla.org\/en\/#website"},"primaryImageOfPage":{"@id":"https:\/\/blog.mozilla.org\/en\/firefox\/https-protect\/#primaryimage"},"image":{"@id":"https:\/\/blog.mozilla.org\/en\/firefox\/https-protect\/#primaryimage"},"thumbnailUrl":"https:\/\/blog.mozilla.org\/wp-content\/blogs.dir\/278\/files\/2021\/10\/fx_video-thumb_secret-menu_https_chris.jpg","datePublished":"2021-10-13T21:47:32+00:00","dateModified":"2021-10-14T23:49:38+00:00","author":{"@id":"https:\/\/blog.mozilla.org\/en\/#\/schema\/person\/5c987afc4f606be73692d2acfdd1316c"},"description":"HTTPS-Only Mode in Firefox guarantees that connections to websites are encrypted and hence secure. But you still need to watch out for scammers.","breadcrumb":{"@id":"https:\/\/blog.mozilla.org\/en\/firefox\/https-protect\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/blog.mozilla.org\/en\/firefox\/https-protect\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/blog.mozilla.org\/en\/firefox\/https-protect\/#primaryimage","url":"https:\/\/blog.mozilla.org\/wp-content\/blogs.dir\/278\/files\/2021\/10\/fx_video-thumb_secret-menu_https_chris.jpg","contentUrl":"https:\/\/blog.mozilla.org\/wp-content\/blogs.dir\/278\/files\/2021\/10\/fx_video-thumb_secret-menu_https_chris.jpg","width":1920,"height":1080},{"@type":"BreadcrumbList","@id":"https:\/\/blog.mozilla.org\/en\/firefox\/https-protect\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/blog.mozilla.org\/en\/"},{"@type":"ListItem","position":2,"name":"HTTPS and your online security"}]},{"@type":"WebSite","@id":"https:\/\/blog.mozilla.org\/en\/#website","url":"https:\/\/blog.mozilla.org\/en\/","name":"The Mozilla Blog","description":"News and Updates about Mozilla","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/blog.mozilla.org\/en\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/blog.mozilla.org\/en\/#\/schema\/person\/5c987afc4f606be73692d2acfdd1316c","name":"M.J. Kelly","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/blog.mozilla.org\/en\/#\/schema\/person\/image\/70718b02fa9f11d88288b937f1da2ac1","url":"https:\/\/secure.gravatar.com\/avatar\/d61ff6a9eb6dd324df20cb773e6c416e?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/d61ff6a9eb6dd324df20cb773e6c416e?s=96&d=mm&r=g","caption":"M.J. Kelly"},"description":"Mozilla Communications","url":"https:\/\/blog.mozilla.org\/en\/author\/mjkellymozilla-com\/"}]}},"_links":{"self":[{"href":"https:\/\/blog.mozilla.org\/en\/wp-json\/wp\/v2\/posts\/62682"}],"collection":[{"href":"https:\/\/blog.mozilla.org\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.mozilla.org\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.mozilla.org\/en\/wp-json\/wp\/v2\/users\/727"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.mozilla.org\/en\/wp-json\/wp\/v2\/comments?post=62682"}],"version-history":[{"count":0,"href":"https:\/\/blog.mozilla.org\/en\/wp-json\/wp\/v2\/posts\/62682\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/blog.mozilla.org\/en\/wp-json\/wp\/v2\/media\/67556"}],"wp:attachment":[{"href":"https:\/\/blog.mozilla.org\/en\/wp-json\/wp\/v2\/media?parent=62682"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.mozilla.org\/en\/wp-json\/wp\/v2\/categories?post=62682"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.mozilla.org\/en\/wp-json\/wp\/v2\/tags?post=62682"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/blog.mozilla.org\/en\/wp-json\/wp\/v2\/coauthors?post=62682"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}