HyperText Transfer Protocol Secure (HTTPS)
The Hypertext Transfer Protocol Secure (HTTPS) is a progression from the original Hypertext Transfer Protocol (HTTP) that facilitates secure communication over TCP connections on a network. HTTPS employs Transport Layer Security (TLS) encryption, previously known as the Secure Sockets Layer (SSL). It is widely used on the internet to facilitate secure communication, such as transactions that require authentication, integrity, and privacy protection.
History and motivation
HTTPS was developed as a means of authenticating clients for accessing websites, improving individual privacy, and the overall integrity of data exchanged between entities. Traffic between the client, server, and intermediaries is encrypted which helps to prevent eavesdropping, corruption caused by hardware or software, and interference by a man-in-the-middle.
The authentication of parties to a communication relies on having a trusted third party. The entity responsible for this uses digital server-side certificates. When a trusted authority signs a digital certificate, it guarantees that the data encrypted using the certificate has been protected by a mechanism that belongs to the server.
Naturally, a third party cannot guarantee against the undetected theft or unauthorized use of a certificate. However, procedures are in place to revoke certificates that are stolen or misused, and they expire, forcing servers to periodically obtain new ones. This helps protect against unauthorized use that may be unnoticed by those responsible for protecting the integrity of the server.
Initially, the reliance on a third-party authority was expensive and consequently, fully authenticated systems using this approach were uncommon. Typically, it was used by secure payment transaction processors and other large corporations. With advances in web browsers and a campaign by the Electronic Frontier Foundation, HTTPS is now the preferred protocol and is used more frequently than non-secure HTTP.
A number of search engines have made being on HTTPS a prerequisite as part of their ranking algorithms, often resulting in a potential ranking boost, such as HTTPS being a part of the page experience signals with Google.
Serving sensitive content and/or to risky audiences, such as minors, over HTTP instead of HTTPS, and thereby allowing potential eavesdropping on your audience, may expose your website to legal liabilities in certain geographic areas such as the European Union.
Client applications such as web browsers have built-in support for third-party certificate authorities. A client accessing a server using HTTPS shall only trust the connection if all of the following conditions hold:
- The vendor of the application software (e.g. web browser) is trusted.
- The vendor can be trusted to implement HTTPS correctly, using pre-installed certificate authorities.
- The certificate authority can be trusted to vouch for legitimate websites, and not for those that are unknown or non-compliant.
- The website provides a valid certificate that was signed by a known certificate authority.
- The certificate correctly identifies the website.
- The encryption layer (TLS/SSL) is secure and adequately protects against eavesdroppers.
HTTPS is a valuable tool for protecting insecure networks, such as public Wi-Fi spots that can be subject to packet sniffing by other users active on the same network.
Because the URL or IP address is part of the protocol, the address or domain name of the web server that the client is accessing is visible to eavesdroppers but more importantly, the traffic between the client and server is encrypted and remains private to anyone inspecting traffic.
Differences between HTTP and HTTPS
When looking at the address bar in a web browser, secure addresses are distinguishable by the protocol itself, and rather than using port
80 by default, HTTPS addresses use port
443 on the server side.
The primary difference is that HTTP is not encrypted and therefore, is subject to man-in-the-middle and eavesdropping attacks. Provided that HTTPS is implemented correctly and uses TLS, as opposed to deprecated versions of SSL, it can withstand such threats.
HTTPS is a secure version of the original Hypertext Transfer Protocol (HTTP) that prevents eavesdropping and other types of attacks that can breach personal privacy and erode data integrity.