By default, information transmitted over the Internet is sent “in the clear”, i.e. as plain text. A password field in a form may display your keystrokes as dots, but that only prevents someone from literally standing over your shoulder and reading it. When you fill out a form and press submit, or when you use an instant messaging service, all information is sent as plain text by default. In theory, anyone sitting between you and the web server could read that data.
https is the secure transmission of data between the client and the server, meaning that, in theory, no-one – not an employer, not a library, not an internet café, and not a government agency – can read the information during transmission. It is not foolproof, and it is not a guarantee of absolute confidentiality (nothing ever is), but it's a very good start, and reduces opportunities for identity theft.
Some websites insist on using the secure protocol when you visit (financial institutions, gMail, logging in to Amazon) and some offer it as an option (Twitter, Facebook). Generally speaking you should use a secure connection to a site when it is offered; the only downside is that the data, being encrypted, may take slightly longer to be sent back and forth.
How Can I Tell If I Have a Secure Connection?
An encrypted connection is shown in slightly different ways in different browsers (and within different versions of the same browser):
In Chrome: a secure connection is shown in the URL bar; this is also one of the few times that you will see anything before the domain name or the www in Chrome. The https:// protocol is in green, as is a little green padlock to its immediate left. Left-clicking on that icon will provide more information about the security level of the connection.
In Firefox and Safari, the fact that you are using https is shown in the URL bar. In Firefox, clicking on the favicon for the site to the immediate left will show more information about the level of security in place over the connection.
Encrypted Does Not Imply “Safe”
People sometimes assume that encryption means that the site is somehow “safe” or vetted by the browser. The only implication that encryption has is that your data is resistant to a so-called “man-in-the-middle” attempt to steal it. Encryption does not imply that the site is trustworthy, or that it has good service, or even that you are connected to the server you think you are.
How Do I Use https on Facebook, Twitter, Wikipedia and Google?
At the simplest level, typing in https:// before the URL will use a secure connection if it is available. If you wish this to be a permanent choice, so that https is used by default on the site every time you visit, do the following:
Facebook: under “Account Security”, turn on the “Browse Facebook on a secure connection (https) whenever possible” option and click “Save”.
Twitter: at the bottom of the settings page, turn on “Always use HTTPS” and click “Save”.
Now both services will use https by default from any machine you use to visit them.
Google is now rolling out HTTPS-by-default across all Google sites and services in all countries, but only for logged-in Google users: if you have gMail open in a browser tab, for example, all other Google services used in that browser will use HTTPS.
Like Google, Wikipedia does not require an account in order to access its secure servers. You simply need the correct URL (https://secure.wikimedia.org/wikipedia/en/wiki/Main_Page) to get a secure connection. However, Wikipedia does not yet secure all of its communication, so pages received from the server will be “mixed” content: the text is encrypted in transit, but the images (as of this writing) are not. Your browser will likely make note of this fact. Still, even partial encryption is preferable to none at all.
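As an added illustration of the mixed-content case (this is example code, not part of the original article or of Wikipedia's site), the script below scans the HTML of a page served over https and reports which sub-resources the browser would fetch over plain http; the page URL, hostnames and HTML are constructed, and the tag list is a small subset of what a real browser fetches.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag attributes that make the browser fetch a sub-resource (a small subset).
RESOURCE_ATTRS = {
    "img": ("src",),
    "script": ("src",),
    "link": ("href",),
    "video": ("src", "poster"),
}

class MixedContentFinder(HTMLParser):
    """Collect sub-resources that an https page would load over plain http."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.insecure = []  # list of (tag, absolute URL)

    def handle_starttag(self, tag, attrs):
        for name in RESOURCE_ATTRS.get(tag, ()):
            value = dict(attrs).get(name)
            if not value:
                continue
            # Resolve relative and protocol-relative references against the
            # page URL: "/a.css" and "//host/b.png" inherit https from the page.
            absolute = urljoin(self.page_url, value.strip())
            if urlsplit(absolute).scheme == "http":
                self.insecure.append((tag, absolute))

def find_mixed_content(page_url, html):
    """Return (tag, URL) pairs fetched over plain http from an https page."""
    if urlsplit(page_url).scheme != "https":
        raise ValueError("page itself is not served over https")
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    return finder.insecure

# Constructed sample page: encrypted text and CSS, but one image over plain http.
SAMPLE_URL = "https://secure.example.org/wiki/Main_Page"
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="/skins/main.css">
<script src="https://secure.example.org/js/app.js"></script>
</head><body>
<img src="http://upload.example.org/logo.png">
<img src="//upload.example.org/thumb.png">
<a href="http://example.org/">navigation links are not sub-resources</a>
</body></html>"""

print(find_mixed_content(SAMPLE_URL, SAMPLE_HTML))
```

Only the first image is reported: the stylesheet and the protocol-relative image inherit https from the page, and an ordinary link is navigation rather than a fetched resource.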
As an alternative to all of these, you can use a browser extension such as HTTPS-Everywhere, which will force websites that you visit to use a secure connection if it is available. However, this is a per-browser approach (the extension must be on every computer and every browser you use) rather than a service-based approach (typified by the steps above, in which you are telling the service to always use https no matter where you are connecting from, or what browser or device you are using to do so). Per-browser tends to be less efficient.