Using HTTPS for Secure Mobile Browsing

Posted by MelissaLoudon on Jul 11, 2011

HTTP, the Hypertext Transfer Protocol, is the data communication protocol you use when you broswe the web - as you probably know if you've noticed that website addresses usually begin with http://. HTTPS is the secure version of HTTP, which you might have seen being used for sensitive transactions like online banking and online shopping. When you are using the secure part of a site, the web address will begin with https://.

When using your mobile phone for sensitive communications, it is important to ensure that your online activities - whether researching or reading about an issue, sending an email, writing a blog post or uploading photos - are done over a secure connection. There are three elements of secure web browsing:

  • Data must be transmitted in encrypted form, so that if it is intercepted it is unreadable.
  • The identity of the website must be verified before sensitive data is transmitted.
  •  If you do not want anyone to know that you are accessing a site, the source of the transmission (i.e. you) must be hidden, or anonymized.

HTTPS provides the first two of these. The identity of the remote site is verified by checking for a certificate, and the certificate is used to encrypt the transaction so that only the sender and the positively identified remote site can decrypt it. If you also need to anonymize your data, you should use a proxy or a service like Tor in addition to HTTPS.

Am I Browsing Securely?

To make sure that you are browsing securely, look for the following:

It’s a good idea to check for these two things whenever you are entering sensitive data - your username and password for an online account, your credit card details, a photo or video. Be aware that some sites may only support https for certain activities. Others, like Twitter and Facebook, may allow you to activate a setting to always use https, but still use http by default on the mobile version of the site.

Can Communications over HTTPS Be Compromised?

Even when using HTTPS, it is possible (though much less likely) that your communications can be eavesdropped. The two attacks below are used to obtain the unencrypted contents of your communication, which may include passwords, identity numbers, or credit card details.

  • A man-in-the-middle attack occurs when someone on the same network as you (commonly on an open WiFi network, which you should avoid for sensitive activities) intercepts communication between you and a remote site. You think you are communicating with the remote site, but you are communicating with the man in the middle. The remote site thinks they are communicating with you, but they too are deceived. The man-in-the-middle sees both sides of the communication unencrypted.
  • An attack on a certificate authority (CA) occurs when an attacker aquires control of a certificate issuing authority (CA) and are able to issue fake SSL certificates. In this case, the remote site identifies itself to be exactly who you expect - your webmail, your bank - but is in fact a malicious impersonator. A recent attack on certificate issuing authority  Comodo briefly allowed an Iranian-based attacker to issue valid certificates for Gmail, Skype and Hotmail.

How Can I Make My Mobile Browsing Safer?

Unfortunately, many of the security features we take for granted in modern web browsers are harder to implement in mobile browsers.

  • Be particularly cautious about unknown or suspicious-looking sites when browsing from you phone.
  • Use a well-patched, up-to-date browser on a PC to check out a site before using it for sensitive communications on your phone.
  • When accessing sites you use often, watch out for any unusual warning messages. The warning below is your browser’s way of alerting you to a mismatch between the URL of the website and the URL for which a certificate has been issues. This is usually because of an administrative mistake, but could be a sign of a man-in-the-middle attack.
  • If you are using a smartphone, make sure you are receiving updates to your mobile browser as well as to your operating system.



Https and circumvention tools

Thank you Mobile active for these explanations and for your great work.

I don't know if you could have a look at the Floss Manual but there is a chapter dealing with https everywhere, a firefox addons that encrypts the communications with some major websites and facilitates the use of https.

The explanations are here and may be interesting for you readers.



https on mobile

Thanks for this - and yes, we are fans of Flossmanuals. In fact, we submitted a few manuals ourselves but it wasn't quite 'floss' enough :) We love https everywhere as well - great tool. We are ardent users. Note that this focuses on MOBILE browsing, however - where things get a little trcikier. We need https everywhere for mobile browsing :) 

https on mobile

Thank you Katrin for the reminder ;) But maybe the EFF is working on a mobile version of https since this call.


Also, I made some searching and reading, and it appears that, even though there are some results from Firefox mobile addons search for SSL and https, there is a lack of circumvention tools for mobile phones

Given this context, I wonder how Mobileactive is involved in development of new mobile circumvention and security tools ?


https everywhere mobile


Yes, though this work is hard :) Firefox mobile is not very well used, and for other browswers we are looking into what it would take. It might be a 'launcher app' that uses EFF's https database and calls on the secure URL when a specific account (twitter, FB, yahoo, etc is called) to force an https session. We are definitely exploring this! 



Post new comment

The content of this field is kept private and will not be shown publicly.
  • Allowed HTML tags: <a> <em> <strong> <cite> <code> <ul> <ol> <li> <dl> <dt> <dd><p><br> <b><i><blockquote>
  • Lines and paragraphs break automatically.

More information about formatting options