When you surf the web you may require privacy, whether it's because you're sending financial details, researching sensitive information or simply wanting to keep your data to yourself. For this purpose, an increasing number of websites and services are using secure web connections, shown by a padlock or similar indication in your browser's address bar. Such websites also use " https:// " at the beginning of their address rather than " http:// ". Think of it as automatic encryption. But what protection does that give you? How much of your surfing data is secure?

To find out, I'm going to use packet analyzing software to spy on myself as I browse the web and see what information is visible. The software I'm using, Wireshark, is free and open source and there are many similar tools available. The following is a crude test but I hope to show what that little padlock means in most circumstances.

General content

Firstly let's look at the content of a basic web page. The standard example website used by many tutorials is example.com which helpfully has both an encrypted (secure) and unencrypted version. The content is simply a short message and a link saying "More information". In Wireshark I searched for the word "information" and this is the result:

The content is readable over a non-secure connection.

As you can see, it found the word "information" together with the rest of the page's content. In other words, everything I can see in the browser is also easily visible to anyone spying on me.

The content is encrypted over a secure connection.

With the secure version, however, the content is encrypted and although Wireshark shows lots of packets of data, I have no idea what they contain.

Domains

Now we've seen the effect of a secure connection, let's see what other information it hides starting with the most fundamental — the domain name. This is the part of the web address (URL) that ends in .com , .org or similar. I'm switching websites this time and capturing data packets when I visit duckduckgo.com which is secure by default — we can tell by the " https:// " at the beginning of the address. Looking at Wireshark's results, I quickly find a data packet containing the domain name, as you can see:

It may be surprising that the domain name is clearly visible but not only is it normal, it's essential. Without it, your router and internet servers beyond wouldn't know where to send your requests for web pages. It's a bit like the luggage tag that's put on your suitcase when you check in at an airport — it needs to be visible for the various staff to send it to the right city.

Sub-domains

Sub-domains are areas within a domain. If we stick with the airport analogy, they're the equivalent of having one or more airports within a city. Consequently sub-domain names, for example beta.duckduckgo.com, are also visible within data packets even over a secure connection.

Individual pages

This is where things get reassuring. Like your luggage when it arrives at an airport, there's no need for its subsequent precise destination to be public. In the case of data packets, the server at the destination domain (or sub-domain) should be able to decrypt the precise destination and so directory and page names are therefore not visible to external observers. This includes other parameters in the address such as ?query=keyword#target .

Form data

Finally, what about web forms which are often used for sensitive personal data? Sometimes this is sent as part of a web page's address, in which case we now know it's safely encrypted. Many times it's not however, and is sent by the browser passing on your information in the background. Fortunately this is treated similar to other content and encrypted when a secure connection is used. In fact when checking data packets I was not even able to tell what was form data, what was a page name and what was regular content. This is how it should be when data is encrypted.

Being careful

So as you can see, it's simple to summarize what data is protected when using a secure web connection:

Domain and sub-domain: Unencrypted, i.e. visible

Unencrypted, i.e. visible All other data: Encrypted, i.e. hidden

You may think you don't need such protection and that internet spying only happens on a large scale or to high-profile people, but in fact when you're in a cafe, hotel, workplace or even in your own home, it's still possible for someone to monitor your data as shown here. Using secure web connections is an easy way to increase your privacy.

Unfortunately you can only use a secure web connection with websites that support it. DuckDuckGo does by default of course but there are many that don't. However, there's a browser extension called HTTPS Everywhere that will make sure encryption is used when available. It works in the background, silently redirecting you to secure connections when it can. I recommend installing it in your browser as well as keeping an eye on the address bar, looking out for that padlock.

The small print

Note that this experiment assumes the server and browser settings are secure and trustworthy, and that an attacker doesn't have access to decryption keys or other privileges. Be aware that even with secure HTTPS pages you are not necessarily invincible. You still have to trust your computer, browser, ISP and every other part of the chain to the websites you visit, but the risks are greatly reduced.

Further reading

Now you know more about secure connections, learn about what security certificates do in our follow-up post.