HTTPS is not a magic bullet for Web security

[Commentary] We're in the midst of a major change sweeping the Web: the familiar HTTP prefix is rapidly being replaced by HTTPS. That extra "S" in an HTTPS URL means your connection is secure and that it's much harder for anyone else to see what you're doing. And on today's Web, everyone wants to see what you're doing. The push for HTTPS everywhere is about to get a big boost from Mozilla and Google when both companies' Web browsers begin to actively call out sites that still use HTTP. The plan is for browsers to start labeling HTTP connections as insecure.

In other words, instead of the green lock icon that indicates a connection is secure today, there will be a red icon to indicate when a connection is insecure. Eventually secure connections would not be labeled at all, they would be the assumed default. Unfortunately HTTPS advocates sometimes present HTTPS as synonymous with "security." The phrase "secure Web" gets used a lot in discussions, but as those three retailers illustrate, using HTTPS does not mean a website is necessarily secure. In fact, HTTPS says nothing about the website, the server it resides on, or what happens to whatever data you might give it. And therein ultimately lies the biggest challenge for HTTPS—people need to understand what it means.