What is HTTPS?

Hypertext Transfer Protocol Secure (abbreviated HTTPS according to abbreviationfinder) is a combination of the Hypertext Transfer Protocol with the TLS/SSL protocol, providing encrypted communication and secure identification of a web server on the network. HTTPS connections are often used for payment transactions on the World Wide Web and for sensitive transactions in corporate information systems. HTTPS should not be confused with Secure HTTP (S-HTTP).

The beginning of the idea

The main idea of HTTPS is to create a secure channel over an insecure network. This ensures reasonable protection from eavesdropping, attacks and hackers, provided that adequate cipher suites are used, the certificate is verified and the server is trusted. The trust inherent in HTTPS relies on the major certificate authorities whose certificates come pre-installed in the browser (this is the equivalent of saying “I trust a certificate authority (e.g. VeriSign/Microsoft/etc.) to tell me whom to trust”). A website can be trusted for that web connection if and only if all of the following are true:

- The user trusts that their browser software correctly implements HTTPS, with the certificate authorities correctly pre-installed.
- The user trusts the certificate authority to certify only legitimate websites without misleading names.
- The site provides a valid certificate, meaning it has been signed by a trusted authority. (Most browsers show a warning for an invalid certificate.)
- The certificate correctly identifies the website (for example, when visiting https://example.com, the certificate received is for “Example Company” and nothing else).
- Either the intervening hops on the Internet are trustworthy, or the user trusts that the protocol's encryption layer (TLS or SSL) is unbreakable by an eavesdropper.

Why HTTPS

The problem with the HTTP protocol, as with many protocols designed for the Internet, is that security was not taken into account. One of its most important security weaknesses is that the contents of pages and the data sent to them, such as the user name, password, and personal data filled out in electronic forms, are sent unencrypted, which means that the data sent and received can easily be spied on by hackers. The second problem is the lack of a mechanism to verify the identity of the site being dealt with. This exposes the user to the risk of falling victim to phishing when entering a site that looks exactly like the original site (of a bank, for example) and whose address may resemble the original with a slight change in the letters.

The HTTPS (Hypertext Transfer Protocol Secure) protocol provides the solution to these and other problems by encrypting the data sent between the Internet browser and the website, as it uses the SSL/TLS protocol together with the usual HTTP protocol. The keys used for encryption are automatically agreed upon at the beginning of the connection (i.e. when you start accessing the site), and those keys are then used for encryption. In addition to encryption, the SSL protocol can verify the identity of the site through the digital certificate that the site presents to the browser at the beginning of the connection, which contains information about the site. The browser verifies this data, such as the address, the certificate’s expiration date, and that the certificate has not been revoked.

HTTPS should always be used on sites that require entering important data such as an ID number or credit card number, as well as on banking sites and online purchasing sites. Most email sites also use this protocol to protect their users. It is important to emphasize that the mere fact that a site uses HTTPS is not enough. Rather, it must be verified that the certificate it carries is valid. Most well-known browsers warn the user when the certificate is invalid or when the site’s identity does not match the certificate data. In that case, one must not continue browsing the site or enter important data into it.

Use on websites

As of April 2018, 33.2% of the top 1,000,000 Alexa websites had started using HTTPS as their default, 57.1% of the 137,971 most popular websites had a secure implementation of HTTPS, and 70% of page loads (measured by Firefox Telemetry) used HTTPS. However, although TLS 1.3 was released in 2018, adoption has been slow, and many sites are still on the older TLS 1.2 protocol.

Integration with the browser

When connecting to a site with an invalid certificate, older browsers present the user with a dialog asking whether they want to continue. Modern browsers display a warning across the entire window. Modern browsers also display the site's security information in the address bar, and Extended Validation (EV) certificates show the legal entity within the certificate information. Most browsers also display a warning to the user when visiting a site that contains a mix of encrypted and unencrypted content. In addition, many web filters display a security warning when visiting blocked websites.

The Electronic Frontier Foundation believes that “in an ideal world, every web request would default to HTTPS”, so it has introduced an extension called HTTPS Everywhere for Chromium, Firefox, Google Chrome, and Android that enables HTTPS by default for hundreds of the most used websites. Forcing the web browser to load only HTTPS content has been supported in Firefox starting from version 83 and in Google Chrome starting from version 94, where it takes effect if “Always use secure connections” is toggled in the browser settings.

Protection

The protection offered by the HTTPS protocol is based on the underlying TLS architecture, which typically uses long-term public and private keys to generate a short-term session key, which is then used to encrypt the flow of data between client and server. X.509 certificates are used for server authentication and sometimes for client authentication as well. As a result, certificate authorities and public key certificates are necessary to verify the relationship between a certificate and its owner, as well as to create, sign, and manage certificates. While this can be more useful than verifying identities via the Web of Trust (WOT), the 2013 mass surveillance revelations drew attention to certificate authorities as a potential weak point that allows man-in-the-middle attacks.

For HTTPS to be effective, the entire site must be hosted over HTTPS. If some site content is loaded over HTTP (scripts or images, for example), or if only a certain page containing sensitive information, such as a log-in page, is loaded over HTTPS while the rest of the site is loaded over plain HTTP, the user will be vulnerable to attacks and surveillance. In addition, a site served over HTTPS must have the Secure attribute enabled on its cookies. On a site with sensitive information, the user and session will be exposed every time that site is accessed using HTTP instead of HTTPS.

History

Netscape Communications created HTTPS in 1994 to work with its Netscape web browser. The protocol was originally used with SSL encryption; SSL later evolved into TLS.
