Understanding HTTPS
- Ekansh
- Apr 16, 2018

What is HTTPS?
HTTPS (HTTP Secure) is the secure version of the Hypertext Transfer Protocol (HTTP), the widely used protocol over which data is sent between your browser and the website.
In HTTPS, the communication protocol is encrypted by Transport Layer Security (TLS) or, formerly, its predecessor, Secure Sockets Layer (SSL). The protocol is therefore also often referred to as HTTP over TLS or HTTP over SSL.
All communications between your browser and the website are encrypted.
In short, HTTP + SSL = HTTPS.
Web browsers display a padlock icon in the address bar to visually indicate that an HTTPS connection is in effect.
The easiest way to check if a site is secure is to look for HTTPS at the beginning of the URL.
By default, it uses port 443.
The HTTPS protocol is used in many scenarios, such as banking websites, shopping websites, login pages, etc.
Difference between HTTP and HTTPS

With HTTP, the URL begins with “http://”, whereas with HTTPS the URL starts with “https://”.
HTTP uses port number 80 for communication and HTTPS uses 443.
HTTP is considered to be unsecured and HTTPS is secured.
HTTP works at the application layer and HTTPS works at the transport layer.
In HTTP, encryption is absent; in HTTPS, encryption is present.
HTTP does not require any certificates, while HTTPS needs SSL certificates.
Basic Working of HTTPS
HTTPS pages typically use one of two secure protocols to encrypt communications - SSL (Secure Sockets Layer) or TLS (Transport Layer Security). Both the TLS and SSL protocols use what is known as an 'asymmetric' Public Key Infrastructure (PKI) system. An asymmetric system uses two 'keys' to encrypt communications, a 'public' key and a 'private' key. Anything encrypted with the public key can only be decrypted by the private key and vice-versa.
As the names suggest, the 'private' key should be kept strictly protected and should only be accessible to the owner of the private key. In the case of a website, the private key remains securely ensconced on the web server. Conversely, the public key is intended to be distributed to anybody and everybody that needs to be able to decrypt information that was encrypted with the private key.
Working
The server requires a public key and signed certificates in the HTTPS protocol.
The client requests the https:// page.
When using an HTTPS connection, the server responds to the initial connection by offering a list of encryption methods the web server supports.
In response, the client selects a connection method, and the client and server exchange certificates to authenticate their identities.
After this is done, both the web server and the client exchange the encrypted information after ensuring that both are using the same key, and the connection is closed.
For hosting HTTPS connections, a server must have a public key certificate, which embeds key information with a verification of the key owner's identity.
Almost all certificates are verified by a third party so that clients are assured that the key is always secure.

What is an HTTPS certificate?
When you request an HTTPS connection to a webpage, the website will initially send its SSL certificate to your browser. This certificate contains the public key needed to begin the secure session. Based on this initial exchange, your browser and the website then initiate the 'SSL handshake'.
The SSL handshake involves the generation of shared secrets to establish a uniquely secure connection between yourself and the website.
When a trusted SSL Digital Certificate is used during an HTTPS connection, users will see a padlock icon in the browser address bar. When an Extended Validation Certificate is installed on a website, the address bar will turn green.
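The certificate check and shared-secret exchange described above can be traced in a few lines of Python. This is an added example, not code from the original post: it uses textbook RSA with small known primes, a simplified dictionary as the "certificate", a toy XOR cipher and the constructed hostname shop.example, all of which are assumptions chosen for illustration and far weaker than what real TLS uses.

```python
import hashlib, secrets

def make_keypair(p, q, e=65537):
    # Textbook RSA from two primes: returns (public, private) as (exponent, modulus).
    n, phi = p * q, (p - 1) * (q - 1)
    return (e, n), (pow(e, -1, phi), n)

def rsa(value, key):
    # Apply one half of a key pair; only the other half reverses it.
    return pow(value, key[0], key[1])

def cert_digest(subject, pub, n):
    body = f"{subject}|{pub[0]}|{pub[1]}".encode()
    return int.from_bytes(hashlib.sha256(body).digest(), "big") % n

def issue_cert(subject, pub, ca_priv):
    # The third party (CA) signs the site's name and public key with its private key.
    return {"subject": subject, "pub": pub,
            "sig": rsa(cert_digest(subject, pub, ca_priv[1]), ca_priv)}

def verify_cert(cert, hostname, ca_pub):
    # The client checks the name and the CA signature using the CA's public key.
    expected = cert_digest(cert["subject"], cert["pub"], ca_pub[1])
    return cert["subject"] == hostname and rsa(cert["sig"], ca_pub) == expected

def session_key(secret):
    return hashlib.sha256(str(secret).encode()).digest()

def xor_stream(key, data):
    # Toy symmetric cipher: XOR with a SHA-256 counter keystream (same call decrypts).
    blocks = range(len(data) // 32 + 1)
    stream = b"".join(hashlib.sha256(key + bytes([i])).digest() for i in blocks)
    return bytes(a ^ b for a, b in zip(data, stream))

def handshake_and_send(hostname, cert, server_priv, ca_pub, plaintext):
    if not verify_cert(cert, hostname, ca_pub):
        raise ValueError("certificate rejected")
    secret = secrets.randbelow(cert["pub"][1] - 2) + 2   # client picks the shared secret
    wire = rsa(secret, cert["pub"])                      # only the private key can open this
    ciphertext = xor_stream(session_key(secret), plaintext)                   # client side
    recovered = xor_stream(session_key(rsa(wire, server_priv)), ciphertext)   # server side
    return ciphertext, recovered

if __name__ == "__main__":
    # Constructed toy keys from small known primes: trivially breakable, illustration only.
    srv_pub, srv_priv = make_keypair(2**61 - 1, 2**89 - 1)
    ca_pub, ca_priv = make_keypair(2**107 - 1, 2**127 - 1)
    cert = issue_cert("shop.example", srv_pub, ca_priv)
    print(handshake_and_send("shop.example", cert, srv_priv, ca_pub, b"card=0000 (constructed)"))
```

If the certificate's name or public key is altered after the CA signed it, verify_cert returns False and the exchange stops before any secret is sent.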
Why Is an SSL Certificate Required?
All communications sent over regular HTTP connections are in 'plain text' and can be read by any hacker that manages to break into the connection between your browser and the website.
This presents a clear danger if the 'communication' is on an order form and includes your credit card details or social security number.
With an HTTPS connection, all communications are securely encrypted.
This means that even if somebody managed to break into the connection, they would not be able to decrypt any of the data which passes between you and the website.
Sources:
www.geeksforgeeks.org www.instantssl.com www.tutorialspoint.com