HTTPS Protocol

From GM-RKB

An HTTPS Protocol is a communications protocol that supports HTTP over an SSL/TLS Protocol.



References

2014

  • (Wikipedia, 2014) ⇒ http://en.wikipedia.org/wiki/HTTP_Secure Retrieved:2014-5-7.
    • Hypertext Transfer Protocol Secure (HTTPS) is a communications protocol for secure communication over a computer network, with especially wide deployment on the Internet. Technically, it is not a protocol in and of itself; rather, it is the result of simply layering the Hypertext Transfer Protocol (HTTP) on top of the SSL/TLS protocol, thus adding the security capabilities of SSL/TLS to standard HTTP communications. The main motivation for HTTPS is to prevent wiretapping and man-in-the-middle attacks.

      The security of HTTPS is therefore that of the underlying TLS, which uses long term public and secret keys to exchange a short term session key to encrypt the data flow between client and server. An important property in this context is perfect forward secrecy (PFS), so the short term session key cannot be derived from the long term asymmetric secret key; however, PFS is not widely adopted.[1]

      To guarantee one is talking to the partner one wants to talk to, X.509 certificates are used. As a consequence, certificate authorities and a public key infrastructure are necessary to verify the relation between the owner of a certificate and the certificate, as well as to generate, sign, and administer the validity of certificates. While this can be more beneficial than verifying the identities via a web of trust, the 2013 mass surveillance disclosures made it more widely known that certificate authorities are a weak point from a security standpoint, allowing man-in-the-middle attacks.[2][3] In its popular deployment on the internet, HTTPS provides authentication of the web site and associated web server that one is communicating with, which protects against man-in-the-middle attacks. Additionally, it provides bidirectional encryption of communications between a client and server, which protects against eavesdropping and tampering with and/or forging the contents of the communication. In practice, this provides a reasonable guarantee that one is communicating with precisely the web site that one intended to communicate with (as opposed to an imposter), as well as ensuring that the contents of communications between the user and site cannot be read or forged by any third party.

      Historically, HTTPS connections were primarily used for payment transactions on the World Wide Web, e-mail and for sensitive transactions in corporate information systems. In the late 2000s and early 2010s, HTTPS began to see widespread use for protecting page authenticity on all types of websites, securing accounts and keeping user communications, identity and web browsing private.

      A site must be completely hosted over HTTPS, without having some of its contents loaded over HTTP, or the user will be vulnerable to some attacks and surveillance. For example, having scripts etc. loaded insecurely on an HTTPS page makes the user vulnerable to attacks. Also having only a certain page that contains sensitive information (such as a log-in page) of a website loaded over HTTPS, while having the rest of the website loaded over plain HTTP, will expose the user to attacks. On a site that has sensitive information somewhere on it, every time that site is accessed with HTTP instead of HTTPS the user and the session will get exposed. Similarly, cookies on a site served through HTTPS have to have the secure attribute enabled.
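The two deployment mistakes described in the quoted paragraph (subresources loaded over plain HTTP on an HTTPS page, and cookies set without the Secure attribute) can both be caught from a server's response. The following Python check is an added example, not code from the page or from Wikipedia; the page URL, Set-Cookie headers and HTML body are constructed sample data.

```python
from html.parser import HTMLParser
from http.cookies import SimpleCookie
from urllib.parse import urljoin, urlparse

# Constructed sample response from a hypothetical HTTPS page (not real traffic).
PAGE_URL = "https://shop.example/checkout"
SET_COOKIE_HEADERS = [
    "session=abc123; Path=/; HttpOnly; Secure",
    "cart=42; Path=/",  # no Secure attribute: also sent on plain-HTTP requests
]
HTML_BODY = """<html><head>
<script src="https://cdn.example/app.js"></script>
<script src="http://cdn.example/analytics.js"></script>
<link rel="stylesheet" href="//cdn.example/site.css">
</head><body><img src="http://images.example/logo.png"></body></html>"""

# Active mixed content can run code in the page; passive content can only be read or swapped.
ACTIVE = {"script", "link", "iframe", "object", "embed"}
PASSIVE = {"img", "audio", "video", "source"}

def insecure_cookies(set_cookie_headers):
    """Return the names of cookies set without the Secure attribute."""
    missing = []
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        missing += [name for name, m in jar.items() if not m["secure"]]
    return missing

class MixedContentScanner(HTMLParser):
    """Collect subresources an HTTPS page would fetch over plain HTTP."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.findings = page_url, []

    def handle_starttag(self, tag, attrs):
        if tag not in ACTIVE | PASSIVE:
            return
        for name, value in attrs:
            if name in ("src", "href") and value:
                # urljoin resolves scheme-relative "//host/..." to the page's https scheme
                url = urljoin(self.page_url, value)
                if urlparse(url).scheme == "http":
                    self.findings.append((tag, url, "active" if tag in ACTIVE else "passive"))

def mixed_content(page_url, html):
    """Scan an HTTPS page's HTML and report each plain-HTTP subresource."""
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    return scanner.findings
```

On the sample data the check reports the `cart` cookie and the two `http://` resources, while the scheme-relative stylesheet resolves to https and is not flagged.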