HTTPS

HTTP, or Hyper Text Transfer Protocol, is how ‘pages’ on the Internet and other content are transmitted across the web.

HTTPS is a secured version of HTTP. The HTTPS protocol became a standard in 1994, so it’s been around for about 20 years. 20 years is a long time in computer security.

The HTTPS protocol uses specific steps to secure communications across the Internet. It is implemented between the network layer and the application layer which is below all browsers in the drivers on the client machine. The web browser’s only interaction is to try to show the user whether or not this is a secured connection.

• The client requests content from the Web Server using HTTPS
• The web server responds with a Digital Certificate which includes the server’s public key.
• The client checks to see if the certificate has expired.
• Then the client checks if the Certificate Authority that signed the certificate is a trusted authority in the browser’s trusted authorities. This explains why we need to get a certificate from a a trusted CA (Certificate Authority).
• The client then checks to see if the Fully Qualified Domain Name (FQDN) of the web server matches the Common Name (CN) on the certificate.
• If everything is successful, the SSL connection is initiated.

The Public / Private Keys are purchased from a CA and registered to that domain so that the validity of the key can be certified.

What is HTTPS:

How HTTPS Secures Connections: What Every Web Developer Should Know

Examples of HTTPS Vulnerabilities:

• NSA has cracked encryption protecting your bank account, Gmail, and smartphone
• Step into the BREACH: HTTPS encrypted web cracked in 30 seconds
• Researchers hack Verisign’s ssl scheme for securing web sites
• Has HTTPS finally been cracked? Five researchers deal SSL/TLS a biggish blow…