We often access websites by typing the domain name in the browser’s address bar. At least, I do this a lot. We find it more convenient than using browser bookmarks or accessing via web search. For example, if we want to access Gmail or Facebook, we just type gmail.com or facebook.com in the address bar. Generally, what is the risk of doing this?
Every time we type just the domain name in a browser’s address bar, the browser’s default behavior is to send the first request over an insecure connection (plain HTTP). HTTP is a clear-text protocol, and any data you send over such a connection is visible to anyone monitoring (or, as hackers say, sniffing) the network traffic. Now you might say that even though you type, say, gmail.com, the browser still ends up loading https://www.gmail.com, which is a secure connection, and that you only key in your credentials after the page has loaded over HTTPS. This is true, because behind the scenes the gmail.com server(s) redirect you to a secured connection / port. However, there is a little request-and-response dance that takes place before you see HTTPS and the padlock icon in the browser.
This little dance of request and response in the background is what hackers take advantage of in what are known as protocol downgrade attacks. Hackers who are able to gain a vantage point between your browser and the domain you are trying to reach (a man-in-the-middle position) can intercept all traffic between your browser and, in this case, the gmail.com server, and maliciously downgrade the connection from HTTPS to HTTP. (In reality this is not possible against gmail.com because of a security mechanism called HSTS; more on this in the next paragraph.) The risk of this type of man-in-the-middle attack is much higher on public Wi-Fi networks such as those at airports and coffee shops.
There are browser-based security mechanisms like HTTP Strict Transport Security (HSTS) that ensure the connection to a website is only ever made over a secured (HTTPS) channel, even when we type just the domain name in the address bar. Most widely popular websites, Gmail among them, have this implemented. However, even HSTS has a limitation: the very first request made to the website is still sent over HTTP (if the site is accessed just by its domain name). Here "very first" means the first request you ever make from your PC or mobile to that domain.
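As an added example that is not part of the original post, the following Python model of a browser’s HSTS cache shows the first-request gap just described: before the browser has seen a Strict-Transport-Security header for a host, a bare domain becomes an http:// request; afterwards the same input is upgraded to https://. Host names and header values are constructed, and the optional preload list is an assumption standing in for the preload lists real browsers ship with.

```python
import re
import time


class HstsCache:
    """Minimal model of a browser's HSTS store: host -> (expiry, includeSubDomains)."""

    def __init__(self, preload=()):
        # Preloaded hosts never expire, mimicking browser preload lists (assumption).
        self._entries = {h.lower(): (float("inf"), True) for h in preload}

    def observe(self, host, headers, now=None):
        """Record the Strict-Transport-Security header of a response.

        Caller must only pass responses received over HTTPS; browsers ignore
        the header when it arrives over plain HTTP.
        """
        now = time.time() if now is None else now
        value = headers.get("Strict-Transport-Security")
        if value is None:
            return
        m = re.search(r'max-age\s*=\s*"?(\d+)"?', value, re.I)
        if not m:
            return  # malformed directive: the header is ignored
        max_age = int(m.group(1))
        if max_age == 0:
            self._entries.pop(host.lower(), None)  # max-age=0 tells the browser to forget the host
            return
        include_sub = re.search(r"\bincludeSubDomains\b", value, re.I) is not None
        self._entries[host.lower()] = (now + max_age, include_sub)

    def is_known(self, host, now=None):
        """True if host (or a parent with includeSubDomains) has an unexpired entry."""
        now = time.time() if now is None else now
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self._entries.get(".".join(labels[i:]))
            if entry is None or entry[0] <= now:
                continue
            if i == 0 or entry[1]:
                return True
        return False

    def url_for_typed(self, typed, now=None):
        """Turn what the user typed into the URL of the browser's very first request."""
        if "://" in typed:
            return typed  # explicit scheme: nothing to guess, so no plain-HTTP first hop
        host = typed.split("/")[0]
        scheme = "https" if self.is_known(host, now) else "http"
        return f"{scheme}://{typed}"
```

Typing `https://` explicitly, as the post recommends, bypasses the guess entirely, which is why the habit matters for hosts the browser has never seen.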
Cyber Hygiene: While all this might sound a bit complex, one of the simplest Cyber Hygiene practices we should all cultivate as a habit is to access any domain name by also specifying the protocol. For example, always put https:// in front of any domain you access. Yes, it is a bit cumbersome, but it is a simple yet highly effective habit to keep yourself safe online from attacks such as phishing, sniffing and man-in-the-middle.
Once you access a website by putting https:// in front of the domain name and you see the green padlock in your browser (this varies by browser; more on this in later posts), you can rest assured, even on a public Wi-Fi network, that you are accessing the right website. So make HTTPS a habit.