What does HTTPS stand for?

According to AbbreviationFinder, HTTPS stands for Hypertext Transfer Protocol Secure: the combination of the Hypertext Transfer Protocol with the SSL/TLS protocol to provide encrypted communication and authenticated identification of a web server on the network. HTTPS connections are commonly used for payment operations on the World Wide Web and for sensitive transactions in corporate information systems.

History

Netscape Communications created HTTPS in 1994 for its Netscape Navigator browser. Originally HTTPS ran only over SSL; SSL has since been made obsolete by TLS. HTTPS was adopted as a web standard with the publication of RFC 2818 in May 2000.

Technical characteristics

HTTPS uses SSL/TLS-based encryption to create an encrypted channel (whose strength depends on the cipher suite negotiated between the remote server and the client's browser), which is more appropriate for sensitive traffic than plain HTTP. Sensitive information (typically user names and passwords) therefore cannot be read by an attacker who intercepts the connection: all he obtains is an encrypted data stream that cannot be decrypted without the session keys. Encryption alone is not enough, however; the client must also validate the server's certificate, otherwise an active attacker can present his own certificate and terminate the encrypted session himself.

The standard port for this protocol is 443.

Integration with the Browser

Using the HTTPS protocol does not prevent plain HTTP from being used; a server can serve the same site over both, and the HTTP side remains unprotected.

HTTPS is supported by browsers such as Safari, Internet Explorer, Mozilla Firefox, Opera and Google Chrome, among others.

Some browsers use an icon (usually a padlock) on the right side of the address bar to indicate the presence of a secure communication protocol, and some even change the background color of the address bar to blue (Firefox) or green (Internet Explorer) to identify secure web pages. When you connect to a site with an invalid certificate, most modern browsers display a warning that fills the entire window. Most modern browsers also display much more security information about the site in the address bar. Most browsers also display a warning when the user visits a page that contains a mix of encrypted and unencrypted content. To know if a web page that is visited uses the https protocol and is, therefore,

Differences with HTTP

In the HTTP protocol, URLs start with "http://" and use port 80 by default. HTTPS URLs start with "https://" and use port 443 by default.

HTTP is insecure: it is subject to man-in-the-middle and eavesdropping attacks that can give the attacker access to website accounts and sensitive information. HTTPS is designed to resist such attacks, provided the client verifies the server's certificate rather than accepting any certificate it is shown.

Network Layers

HTTP operates at the highest layer of the OSI model, the application layer, but the security protocol operates at a lower sublayer, encrypting each HTTP message before transmission and decrypting it on receipt. Strictly speaking, HTTPS is not a separate protocol but refers to ordinary HTTP carried over an encrypted Secure Sockets Layer (SSL) or Transport Layer Security (TLS) connection.

Server Configuration

To prepare a web server to accept HTTPS connections, the administrator must create a public key certificate for the web server. For the browser to accept it, this certificate must be signed by a certificate authority (CA) and must name the host the browser connected to. The authority certifies that the certificate holder is who it claims to be. Web browsers are distributed with the root certificates of the major certification authorities, so they can verify certificates issued by them.

Acquiring Certificates

Certificates can sometimes be obtained free of charge (often only as part of other paid services).

Organizations can also be their own certification authority, particularly if they control the browsers that access their sites (e.g., sites on a company intranet, or major universities). They can simply add their own CA certificate to the trusted root certificates distributed with the browser.

There are also peer-to-peer certification authorities.

Use as Access Control

The system can also be used for client authentication, limiting access to a web server to authorized users. To do this, the site administrator typically issues a certificate for each user, which is stored (together with its private key) in the user's browser. The certificate typically contains the name and email address of the authorized user and is checked automatically on each reconnection to verify the user's identity, potentially without the user having to enter a password each time.

In Case of Compromised Private Keys

A certificate can be revoked before it expires, for example when its private key has been compromised. Newer browsers such as Mozilla Firefox, Opera, and Internet Explorer on Windows 7 implement the Online Certificate Status Protocol (OCSP) to check that this has not happened. The browser sends the serial number of the certificate to the certification authority, or to an OCSP responder the authority has delegated to, and the responder replies whether or not the browser should consider the certificate valid. In practice most browsers fail open: if the responder cannot be reached the certificate is treated as valid, so an attacker who can block the OCSP query can neutralize the check.
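The four preceding sections (creating a server certificate signed by a CA, acting as your own CA, issuing client certificates for access control, and revoking a compromised certificate) are all one procedure when done with the openssl command line. The script below is an added example and not code from the original article; it assumes only that the `openssl` CLI (1.1.1 or later) is installed. The CA name "Corp Intranet CA", the host `www.example.internal` and the user `alice` are constructed for the demo. It builds a private root, issues a server and a client certificate, shows that a self-signed certificate for the same host is rejected because no trusted root signed it, then revokes the client certificate and checks it against the published CRL:

```shell
#!/bin/sh
# Added example, not code from the original article. It builds a private CA
# with the openssl CLI, issues a server certificate and a client certificate,
# checks them the way a browser would, then revokes one and publishes a CRL.
# The CA name, the host www.example.internal and the user alice are made up.
set -eu

WORK="$(mktemp -d)"                 # scratch dir for keys, certs, CA database
CA_CONF="$WORK/ca.cnf"
trap 'rm -rf "$WORK"' EXIT

# 1. Root CA: a self-signed certificate with CA:TRUE. Inside a browser this is
#    what a shipped root certificate is: anything it signs verifies, nothing
#    else does. Extensions come from an explicit file, not from openssl.cnf.
make_ca() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Corp Intranet CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.csr" 2>/dev/null
  printf '%s\n' "basicConstraints=critical,CA:TRUE" \
    "keyUsage=critical,keyCertSign,cRLSign" > "$WORK/ca.ext"
  openssl x509 -req -in "$WORK/ca.csr" -signkey "$WORK/ca.key" -days 365 \
    -sha256 -extfile "$WORK/ca.ext" -out "$WORK/ca.crt" 2>/dev/null
  # Minimal config plus an empty database so 'openssl ca' can revoke and
  # generate CRLs; leaf certificates themselves are signed with 'openssl x509'.
  cat > "$CA_CONF" <<EOF
[ ca ]
default_ca = local_ca
[ local_ca ]
database = $WORK/index.txt
new_certs_dir = $WORK
certificate = $WORK/ca.crt
private_key = $WORK/ca.key
serial = $WORK/ca.srl
crlnumber = $WORK/crlnumber
default_md = sha256
default_crl_days = 7
EOF
  : > "$WORK/index.txt"
  echo 01 > "$WORK/crlnumber"
}

# 2. Issue a leaf certificate: key and CSR on the "server" side, signature by
#    the CA. Remaining arguments are X.509 extensions; browsers require the
#    host name in subjectAltName, so the server certificate gets DNS:<host>.
issue_cert() {                      # issue_cert <stem> <CN> <extension>...
  stem=$1; cn=$2; shift 2
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$cn" \
    -keyout "$WORK/$stem.key" -out "$WORK/$stem.csr" 2>/dev/null
  printf '%s\n' "$@" > "$WORK/$stem.ext"
  openssl x509 -req -in "$WORK/$stem.csr" -days 90 -sha256 \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/$stem.ext" -out "$WORK/$stem.crt" 2>/dev/null
}

# 3. What the browser does: chain the presented certificate to a trusted root
#    and check it is fit for the purpose (sslserver or sslclient).
verify_against_ca() {               # verify_against_ca <cert> <purpose>
  openssl verify -CAfile "$WORK/ca.crt" -purpose "$2" "$1" >/dev/null 2>&1
}

# 4. Revocation: mark the certificate in the CA database and publish a CRL.
#    OCSP answers the same question ("is this serial still good?") online.
revoke_cert() {
  openssl ca -config "$CA_CONF" -revoke "$1" 2>/dev/null
  openssl ca -config "$CA_CONF" -gencrl -out "$WORK/ca.crl" 2>/dev/null
}

# Chain validation that also consults the CRL (root and CRL in one PEM bundle).
verify_with_crl() {                 # verify_with_crl <cert>
  cat "$WORK/ca.crt" "$WORK/ca.crl" > "$WORK/ca-bundle.pem"
  openssl verify -crl_check -CAfile "$WORK/ca-bundle.pem" "$1" >/dev/null 2>&1
}

report() { if "$@"; then echo "accepted: $*"; else echo "rejected: $*"; fi; }

make_ca
issue_cert www www.example.internal \
  "subjectAltName=DNS:www.example.internal" "extendedKeyUsage=serverAuth"
issue_cert alice alice \
  "subjectAltName=email:alice@example.internal" "extendedKeyUsage=clientAuth"
# A self-signed certificate for the same host name, from nobody's trust store.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=www.example.internal" \
  -keyout "$WORK/rogue.key" -out "$WORK/rogue.crt" 2>/dev/null

report verify_against_ca "$WORK/www.crt" sslserver     # accepted
report verify_against_ca "$WORK/alice.crt" sslclient   # accepted
report verify_against_ca "$WORK/rogue.crt" sslserver   # rejected: unknown issuer
revoke_cert "$WORK/alice.crt"
report verify_with_crl "$WORK/www.crt"                 # still accepted
report verify_with_crl "$WORK/alice.crt"               # rejected: revoked
```

The rogue certificate is rejected not because its cryptography is weak but because no root the verifier trusts signed it; this is exactly the decision a browser makes, and it is why adding your own CA certificate to the browser's trust store is the step that makes an intranet CA work. For a real deployment, distribute `ca.crt` to the browsers, install `www.key` and `www.crt` on the web server, hand `alice.key`/`alice.crt` to the user for client authentication, and publish `ca.crl` (or run an OCSP responder) so that revocations reach the clients.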

Limitations

The level of protection depends on the correctness of the implementation in the web browser and the server software, and on the cryptographic algorithms they currently support.

HTTPS also offers limited protection for publicly available static content. The entire site can be indexed with a web spider, after which the URI of an encrypted resource can be guessed from the request and response sizes alone. The attacker then knows both the plaintext (the published static content) and the corresponding ciphertext. Against modern ciphers such known-plaintext pairs do not recover the key; the practical damage is traffic analysis, since the attacker learns which pages a user read even though every byte was encrypted.

Because SSL/TLS operates below HTTP and knows nothing of the higher-level protocol, a TLS server can strictly present only one certificate per IP address and port combination. This means that, in most cases, name-based virtual hosting cannot be used with HTTPS on its own. The solution is Server Name Indication (SNI), an extension in which the client sends the host name to the server during the handshake, before the connection is encrypted, so the server can select the matching certificate; the host name is therefore visible to an eavesdropper, and many older browsers do not support the extension. Support for SNI is available from Firefox 2, Opera 8, and Internet Explorer 7 on Windows Vista.
