Through pressure from Google, Facebook, and other major providers such as Yahoo and Apple the world wide web is slowing becoming more secure, with web services using HTTPS to encrypt web traffic by default. However, the arrival of the draft Investigatory Powers Bill raises questions about who can potentially get access to what – here are some answers.
Can anyone see all my web requests?
Yes. Whenever you see HTTP in the browser’s address bar then any data sent over the link will not be encrypted. This means the address of the page and domain you’re browsing, and any data you send, such as in a form, and any data which is returned.
Can anyone see my web requests if I use HTTPS?
No. If you see HTTPS in the browser’s address bar then the connection is encrypted using SSL/TLS. Only the IP address of the destination (and the port used, usually 443) can be determined. No details of what pages or resources were accessed, nor any further data sent over the connection will be accessible. Google, Facebook and many other major online services now use HTTPS by default, so all your Google search requests, for example, are protected and your ISP cannot see the URL and the results of the request.
If I use HTTPS, will anyone be able to access my details from the remote web server logs?
Yes. HTTPS tunnels encrypt data across the internet to prevent eavesdropping, but the traffic is decrypted at either end so the server log will show details of which IP address has accessed what resource and when. As the SSL/TLS used by HTTPS uses a client-server model, the key required to decrypt the connection is available on the server – unlike with end-to-end encryption services where only the parties involved have the decryption key. This means spies and investigators could serve a warrant and demand the service provider hand over its copy of the decryption key and access your communications. HTTPS only protects the transmission of the data over the internet, and the full details of the request and reply can be logged on the server.