An HTTPS website is more secure because all the information exchanged between the browser and the site's server is encrypted "over the wire". The HTTP protocol establishes connections and data transfer between two computers — the client (e.g. web browser) and the server (the website). These two computers are not physically connected but are both part of a larger network, usually the Internet.
To make this communication possible on the network, the protocol uses data packets that hop from one computer on the network to another until they reach their destination. This means all intermediary nodes that the data packet traverses can read the contents of the data packet. Not only that, intermediaries can even alter the contents of the data packets and the client and server won't even know it.
With HTTPS, these contents are encrypted in a way that only the two communicating computers — the origin and the destination — can decrypt. This provides greater privacy. The encryption happens in a way that also makes data packets tamper-proof. No intermediary nodes can alter the data packet because that would make them un-decryptable, and such tampered packets will be ignored by the client or server.
What is MITM?
MITM stands for "man in the middle", and refers to all intermediary nodes on the network between the client and server. Examples include the ISP (Internet service provider) and the Wi-Fi network that is used to access the Internet.
What is an MITM attack?
An MITM attack occurs when any of the intermediary nodes in the network communication path between the client and the server is compromised via an interception of the data packets.
For example, with plain HTTP, it is trivial for an ISP to read every single piece of information exchanged between the client and the server. Every URL that is browsed, every cookie that is stored, and all the contents and HTTP headers of every page the user browses — all of these are transparent to the ISP. This allows ISPs to block content that they want to censor.
Not only that, ISPs can also intercept and alter the information that is being exchanged between the client and server. For example, the ISP can choose to add advertisements to web pages or even overwrite the website's ads with their own ads. Such abuses have indeed occurred.
Another way an MITM attack could work is on Wi-Fi networks. Since plain HTTP packets are not encrypted, they can be read by any other device on the same Wi-Fi network that is "sniffing" all data being transmitted on the network. This means when you log in to a website over HTTP, any other person on the same network can read your username and password and steal it. A well-known example of this is using a simple tool called Firesheep.
MITM for HTTPS
MITM for HTTP is trivial because data packets are encrypted. MITM for HTTPS is a little harder but can still be done if the user's device is compromised. To understand how, let us dig a little deeper into how HTTPS encryption works.
The fundamental building block of HTTPS is public-key cryptography. One party — the website — creates two keys: a public key and a private key. The public key is used to lock (encrypt) any messages sent to that party. It is public so that anyone can use it to send encrypted messages to them. But the public key cannot decrypt any encrypted messages. To unlock (decrypt) messages requires a corresponding private key. Only the website has its own private key.
The public key of a website is also called its SSL certificate. SSL certificates are issued by trusted certificate authorities. All devices — PCs, Macs, iPads, iPhones, Android phones, you name it — are shipped with a default list of trusted certificate authorities (or root certificates). However, some programs (usually malware but sometimes antivirus software too) install their own root certificates into the list of certificates that the device trusts. This allows the issuer of that "fake" root certificate to pretend to be any website they like. They can then intercept HTTPS traffic, not because they were able to break HTTPS encryption but because they circumvent such encryption by impersonating the website that the device is trying to communicate with. It was discovered in 215 that Lenovo PCs shipped with such malware.
What this means for lay users is this:
- If you're using a website via plain HTTP, any all activity — including passwords — can be intercepted and altered. So there is no privacy nor is there security. There isn't any way to be sure the content you are downloading is "authentic" or what the website actually serves.
- Do not re-use passwords across different sites, especially on HTTP sites.
- If you are downloading anything (especially software executables), do so only via HTTPS websites.
- Do not install unnecessary or untrusted software because it may MITM your traffic or worse.