HyperText Transfer Protocol Secure (HTTPS)


HTTP Secure (HTTPS) is HTTP that uses TLS to establish an authenticated and encrypted connection between a client and server.

  • HTTPS encrypted traffic is sent over TCP port 443
  • web browser will open a secure session to a server providing this service by using a URL starting with https://
    • will show a padlock icon in the address bar to indicate connection is secure
    • padlock icon allows inspection of the site's security data
      • e.g., certificate authority that issued the certificate
  • supports mutual authentication

Background

One of the critical problems for the provision of early websites was the lack of security in HTTP.

  • plaintext HTTP is highly vulnerable
    • all data is sent unencrypted
    • no authentication of client or server
  • modern browsers will warn users before initiating an unencrypted connection
    • or may refuse connections
  • Secure Sockets Layer (SSL) was developed by Netscape in the 1990s to address these problems
    • proved very popular with the industry
  • Transport Layer Security (TLS) was developed from SSL and ratified as a standard by the IETF

Implementation

  • To implement HTTPS:
    • the web server is installed with a digital certificate issued by some trusted certificate authority (CA)
      • certificate uses encrypted data to prove the identity of the server to the client, assuming that the client also trusts the CA
    • system uses a public/private encryption key pair
      • private key is kept a secret known only to the server
      • public key is given to clients via the digital certificate
    • server and client use the key pair in the digital certificate and a chosen cipher suite within the TLS protocol to set up an encrypted tunnel
      • an eavesdropper cannot decrypt the contents of the tunnel without obtaining the server’s private key
  • web browser will open a secure session to an HTTPS server by using a URL starting with https://
    • shows a padlock icon in the address bar to indicate that the server’s certificate is trusted and that the connection is secure
    • website can be configured to require a secure session and reject or redirect plain HTTP requests
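
The last point above (reject or redirect plain HTTP requests) as an added example, not part of the original notes: a plain-HTTP listener in Python that redirects GET/HEAD to the HTTPS site and rejects POST. The host name www.example.com, the handler and helper names, and the 403 status for rejection are assumptions chosen for illustration.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

CANONICAL_HOST = "www.example.com"  # assumption: placeholder name of the HTTPS site


class PlainHTTPHandler(BaseHTTPRequestHandler):
    """Port-80 style listener: serves no content, only redirects or rejects."""

    def _reply(self, status, location=None):
        self.send_response(status)
        if location:
            self.send_header("Location", location)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def do_GET(self):
        # Use the fixed canonical host, never the client-supplied Host header,
        # so the listener cannot be turned into an open redirect.
        path = self.path if self.path.startswith("/") else "/"
        self._reply(301, f"https://{CANONICAL_HOST}{path}")

    do_HEAD = do_GET

    def do_POST(self):
        # The body already crossed the network unencrypted; drain it (capped)
        # and reject instead of redirecting, so clients do not keep posting here.
        length = self.headers.get("Content-Length", "0")
        self.rfile.read(min(int(length), 65536) if length.isdigit() else 0)
        self._reply(403)
        self.close_connection = True

    def log_message(self, fmt, *args):  # keep the example quiet
        pass


def start_listener(port=0):
    """Start the listener on loopback; port 0 lets the OS pick a free port."""
    server = ThreadingHTTPServer(("127.0.0.1", port), PlainHTTPHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def probe(port, method, path, host="untrusted.invalid", body=None):
    """Send one plain-HTTP request (constructed test input) and return (status, Location)."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request(method, path, body=body, headers={"Host": host})
    resp = conn.getresponse()
    resp.read()
    conn.close()
    return resp.status, resp.getheader("Location")
```

The Location header always names the canonical HTTPS host, whatever Host header or request target the client sends.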