What is HTTPS?
HTTPS stands for Hyper Text Transfer Protocol Secure. It is a more secure version of HTTP which employs the use of Transport Layer Security (TLS) or Secure Socket Layer (SSL) as a sublayer under the usual HTTP application layering.
HTTP is the protocol over which a website and a user’s browser exchange data. The extra layer of security added in HTTPS serves to encrypt and decrypt all communications between both ends, including user pages and pages returned by the web server.
HTTPS is particularly useful for protecting confidential private information such as a user’s bank details, as it provides protection against malicious attacks such as man-in-the-middle attacks and eavesdropping. In essence, HTTPS has been adopted as a result of the need to authenticate the visited website, and guard the integrity and privacy of the data being exchanged.
Background of HTTPS
The company behind the development of HTTPS is Netscape Communications, which was a computer services firm recognised for Navigator. In the 1990s, Navigator was one of the two most predominant browsers in wide use.
Initially, HTTPS was employed predominantly for websites where users had to enter sensitive information at some point, such as credit card details. These included banking websites, online stores and other kinds of websites where visitors could make purchases. Other than payment transactions, HTTPS was also widely used in corporate information systems to protect sensitive transactions. It was not until the late 2000s to early 2010s that many other kinds of websites began to use HTTPS to secure user accounts and to maintain privacy for user identity and communications.
Secure Sockets Layer (SSL) and Transport Layer Security (TLS)
SSL or Secure Sockets Layer is the standard technology used in HTTPS connections to protect any sensitive information (such as login details and credit card details) being transmitted between one system and another. One system can be a client such as a browser, and the other, a server such as a shopping website. Communication might also be between two servers.
SSL works by making any information transferred between systems impossible to read by scrambling the data using encryption algorithms. TLS or Transport Layer Security is an updated version of SSL that provides better security.
HTTPS in modern internet usage
HTTPS is widely used in the internet today where it serves to authenticate the website and the corresponding web server which the user is communicating with. By providing bidirectional encryption of the exchange of information between the server and client, HTTPS not only provides protection against eavesdropping, but also falsifying or doctoring the information that is being sent and received.
Internet users are able to see indications that a site they are visiting is secure when they use web browsers like Chrome, Firefox, and Internet Explorer. The address bar of these browsers usually show a green padlock icon, indicating that the site being visited uses HTTPS and so is secure. This assures users that they are actually communicating with the site they intend to communicate with, and not an imposter. They are also assured that their information cannot be read or falsified by a third party who might be spying on the network.
Mozilla reports that more than 50% of all web traffic has been encrypted since January 2017, and 45% of all page loads use HTTPS, as measured by Firefox Telemetry.
How HTTPS works
HTTPS pages usually employ either TLS or SSL secure protocols to ensure encryption of communications. Both protocols use an asymmetric PKI (Public Key Infrastructure) system, which is a cryptographic system that uses two keys to encrypt exchange of information; a private key and a public key that are mathematically linked together. While the public key encrypts plaintext to “ciphertext”, the private key is used to do the reverse, that is, decrypt back to plaintext.
Only the corresponding private key can be used to decrypt a message encrypted by a public key. The private key should be kept secret and accessible only by its owner, and a website’s private key should be kept securely positioned on the web server. The public key, however, can be shared with anybody who needs to have access to the encrypted information.
Public key cryptography allows two parties who had no preliminary knowledge of each other to establish a secure connection even when communication was initially over an open, insecure connection. The server and the client both settle on a mutual secret key for the session while they each use their respective private keys. This way, a third party who is watching the connection will be unable to determine the secret key for the session, or the private keys of either the server or the client.
Public key certificates and certificate authorities are required to create, sign, and direct the authenticity of certificate, as well as corroborate the connection between a certificate and its owner. This is preferable to authenticating the identities through a web of trust, but certificate authorities have been found to be a potential weak point that could permit man-in-the-middle attacks.
A crucial consideration when discussing security of HTTPS connections is forward secrecy, which prevents encrypted communications that have been recorded previously from being recovered and decrypted in the event that long-term passwords or keywords are compromised at a later time. Because forward secrecy is not a property that is supported by all web servers, it is important for a user to check themselves.
Websites that have sensitive user data anywhere on the site will expose both the session and the user every time the site is accessed over an unsecure connection. When a website is not entirely hosted over HTTPS, but has a number of its pages loading over HTTP, this might result in the user’s session being susceptible to certain kinds of attacks and being watched by malicious third parties. The same applies when it is only a single page that is used to collect sensitive user data that is loaded over an HTTPS connection, while all the other pages are loaded over HTTP.