Would you hand your laptop over unattended to a stranger for half an hour? Most people would answer "No" to that question for a variety of reasons. However, every time you visit a website over HTTP, this is essentially what you're doing. If you're ever on a website that does not use HTTPS, any data you send or pages you may visit is fully visible to anyone who may be monitoring your traffic — including people on the same network as you, in addition to your ISP and your VPN provider.
While using a VPN largely protects you, there are certain steps you can take to further improve your security and privacy from your ISP, hackers and even your VPN provider.
“If you’re on HTTP, the entire URL and page content is visible to anyone on the network between you and that site. Every page you went to on that site. Any search terms. What articles you’re reading. If you’re on HTTPS, only the domain of the website is visible and not the page you’re looking at. Anyone on the network can still tell what website you went to, but it’s very difficult to determine what you did on that site” - Tim Willis, Google
A lot of websites that handle sensitive information, such as online company websites and banks, already use HTTPS by default. Even Facebook, Google, Twitter, YouTube and Instagram all use HTTPS. As a result of the March 27th vote, several pornographic websites also announced that they would switch over to HTTPS in order to protect their visitors.
Unfortunately, not all websites use HTTPS by default. As an example, if you were to search for that unexplainable rash around your genitals on WebMD, you may as well be shouting it out to everyone on your network and beyond, as WebMD does not use HTTPS.
While someone on your network, ISP or VPN provider can still see that you visited a specific website — any page you visited or any data you transmitted on that website will not be visible if the website uses HTTPS.
“To summarise: current capabilities permit some actors to monitor content and metadata across the Internet at a scale never before seen. This pervasive monitoring is an attack on Internet privacy. The IETF will strive to produce specifications that mitigate pervasive monitoring attacks.” - IETF when talking about the future of the Internet and the importance of HTTPS.
While using a VPN protects your data from your ISP and anyone else between your computer and the VPN servers, a VPN tunnel does not protect your data between the VPN servers and the websites you visit. In order to better protect your data and information throughout the entire process, we strongly recommend you use HTTPS wherever applicable. There are several ways to do this, but perhaps the easiest is to use HTTPS Everywhere, a collaborative effort between the Electric Frontier Foundation and The TOR Project.
HTTPS Everywhere works by checking the domain name you are being redirected to and — if the page supports it — replacing HTTP with HTTPS. In other words, if a friend sends you a link on Facebook, HTTPS Everywhere will check the URL against its ruleset, and if a rule exists, it will automatically redirect you to HTTPS instead of HTTP.
You can see if the page you are visiting uses HTTPS by checking the URL bar. Most browsers will display a green box to the left of the domain name. In these cases, you are connected to the website displayed, which means you are unexposed to MITM attacks, and any information you enter is encrypted. There are three versions of this secure connection:
An extended Validation Certificate (EV) is the OVPN.com use. It is currently the highest validation and requires extensive vetting by the organization issuing the certificate to verify a website’s operational, legal and physical existence. Issuing an EV follows a set of principles and policies that has been globally agreed upon.
Organization Validation (OV) and Domain Validation (DV) certificates both provide the Secure box and padlock in your URL bar. A Domain Validation Certificate requires a simple proof of domain ownership, but is not offered by all certificate providers due to its simplicity. Receiving a Organization Validation Certificate is a slightly more rigorous process, but is much simpler than the strongest Extended Validation Certificate. There is a fourth sub-certificate in this category, a Wildcard Certificate, which can be used on all subdomains.
This icon indicates you are visiting a website using HTTPS that does not have a valid certificate. It is generally not recommended to submit any information through a website without a valid certificate, as its identity can not be guaranteed. Even if the website itself is using HTTPS, not all of the content on the website is secure, and it is generally not recommended to enter any information on a site with this icon.