Visit

Visit

HTTP intranet or HTTPS intranet ?

Intranets are normally considered internal applications so sometimes don’t get the security considerations that they so richly deserve.  A good example of this is that other day a friend of mine was showing me their corporate intranet to get my opinion on a new homepage they launched.

I sat down (having warned them that they really need to speak to an expert on user experience like @paul zimmerman), however as I was their and they are a mate I said I would give them what help I could.

Initially I was distracted by the colour selection on the page and the barrage of information, but once I got past that something was bothering me and it took me a few seconds to realise that the url was using “http intranet” and not “https intranet”!!!!

I was stunned and when I sharply said “hang on thats wide open” they dismissed me saying that it was not important as it was only internal (note: this was not an IT person but a senior manager who should have known better),  I asked if they knew what it meant, to which the reply was “of course, it’s for if you’re buying stuff online so you know who you are dealing with”.

To be fair that’s not the worst answer in history, but I realised that she had a fundamental lack of knowledge on what it actually did, so I explained it and she texted me today to say it was now moved to “https.intranet” .

So here is a hopefully simple explanation that I hope helps people to understand why “even” your intranet needs to use https instead of http.

  • Http stands for Hypertext Transfer Protocol
  • Https stands for HTTP over SSL/ HTTP Secure

So in basic terms the S stands for Secure.

This is achieved in two primary ways:

1) Encryption

http://intranet.something is NOT encrypted

https://intranet.something IS encrypted

So when you transfer information via http intranet including typing in your username and password, it is clearly visible to anyone who knows how that has access to your network whereas if you’re using https intranet then it is secure from the browser to the end of the connection.

This means that if you post a message in a secret group on your Intranet about possible restructure of the IT department it is perfectly possible that one of the IT department would be able to see that message and know what you are saying without you ever knowing it is being monitored.  It does not take a real IT expert to do this, most mid level IT people are more than capable of doing this.

2) Certificates

Essentially this is a document that is signed by a 3rd party to gurantee you are talking to who you expect to be talking to when using a website/intranet.

So your browser double checks that the certificate is valid and you are not talking to a clone that has been put in place to con you.

So please make sure that your intranet uses https://intranet.something and not http://intranet.something.