HTTPS Explained—Understanding the Secure Connection Protocol

HTTPS Explained: Understanding the Secure Connection Protocol

If you own a website then I can guarantee that cyber security is a serious concern. Nowadays we share so much of our private information online that, whether we are sending an email or doing our online banking, it is always important to know that the page we are on is secure. The first sign of this is often indicated by that wonderful green padlock in the address bar of the browser, but what about when a page is not secure, would you notice?

Everyone, including technology giants like Google and Mozilla, wants secured websites with the prefix HTTPS instead of HTTP.

However, the question is “What is HTTP vis-a-vis HTTPS?

HTTP is a twenty-year-old protocol on which the World Wide Web was built. HTTP stands for “Hypertext Transfer Protocol” and offers a method of data communication for the Internet. The problem with HTTP connections is that they are unsecured. This means that any data transferred with the HTTP protocol is out in the open which means the data being transferred can be intercepted and even manipulated by third parties.

To combat this, a Secure Sockets Layer(SSL) was created. SSL is a protocol for encrypting communication so that it can no longer be seen or affected by third parties. As SSL evolved it was replaced by Transport Layer Security(TLS). Both SSL and TLS accomplish the same goal, but TLS is a more secure way of encrypting that information.

If anyone wonders what HTTPS really is and why you see a padlock sign/icon in your internet browser, now is the time to explain it. You may have seen 'https://' before a domain address in the browser's URL bar when using the Internet. But have you ever wondered what HTTPS means and what the full form of HTTPS is?


{tocify} $title={Table of Contents}

What exactly is HTTPS?

HTTPS is an acronym for Hyper Text Transfer Protocol Secure which is an encrypted version of HTTP, a security-enhanced version of Hypertext Transfer Protocol (HTTP),  the application protocol through which all data communication on the web happens. It is an internet communication protocol that protects the integrity and confidentiality of data between the user’s computer and the site. It is also the main protocol used for transferring data over the World Wide Web. HTTPS uses a combination of Transport Layer Security(TLS) and Secure Sockets Layer(SSL). This establishes and ensures a secure encrypted connection between the host server and the browser.

So, “HTTP versus HTTPS” is the difference between providing a secure, encrypted connection to your website and not choosing to do so. The former HTTP is an insecure way of communicating via the internet, whereas the latter HTTPS is not.

The human mind operates by association. With one item in its grasp, it snaps instantly to the next that is suggested by the association of thoughts, in accordance with some intricate web of trails carried by the cells of the brain.

What does 'Hypertext' in HTTP(S) mean?

Hypertext is a specific type of text that contains a link. This means that if we click on a word or text on a webpage that has a link with it, we will be redirected to a new web page based on the specified link.

Hypertext is the presentation of information as a linked network of nodes which readers are free to navigate in a non-linear fashion. It allows for multiple authors, a blurring of the author and reader functions, extended works with diffuse boundaries, and multiple reading paths.

Hypertext, at its most basic level, is a DBMS [database management system] that lets you connect screens of information using associative links. At its most sophisticated level, hypertext is a software environment for collaborative work, communication, and knowledge acquisition. Hypertext products mimic the brain's ability to store and retrieve information by referential links for quick and intuitive access.

In 1990, the internet as we now know it was born. Right from the start, it has always used the Hyper Text Transfer Protocol (HTTP) for moving information around the world. That is why the beginning of web addresses starts with HTTP.

However, plain old 'HTTP' is not secure because it transports information in plain text. This means that anyone who intercepts the traffic can read it. That includes not only the hacker who is monitoring the coffee shop’s Wi-Fi, but your internet service provider (ISP) as well. It is like a switchboard operator at a telecom company who can listen in on any phone call.

Due to continuous innovation, the use of the internet evolved and people started using the internet for sensitive data (like credit card numbers), internet banking, shopping online, etc. So a way had to be figured out to make HTTP secure so that no one could see your passwords, or credit card numbers as they zoomed between your browser and the web server.

So in 1994, Netscape Communications enhanced HTTP with some encryption. They basically married a new encryption protocol named Secure Socket Layer (SSL) to the original HTTP. This became known as “HTTP over SSL” or “HTTP Secure” otherwise now known as HTTPS.

The idea, as stated by many, is to migrate the entire internet into a completely HTTPS environment, where all website traffic is encrypted by default.

In HTTPS, transactions are carried out with the help of a key-based encryption algorithm. The Public Key Infrastructure(PKI) is used because it is supported by most web browsers, while the private key is used by the webserver of the particular website that you want to access. The distribution of public keys is done through certificates that are maintained by web browsers.

So why encrypt the entire internet?

HTTPS does as much for privacy as it does for security. It is one thing to keep hackers from reading your data or injecting their own code into your web sessions (which HTTPS prevents), but privacy is the other side of the coin which is important for each and everyone of us.

We know that Internet Service Providers(ISPs), governments and Big Data collection firms like snooping on us and storing our traffic for what ever their reasons maybe. Some of us may not care or be bothered by that until for example you are surfing information on a personal medical condition. You may ask, whose business is that? That kind of information is always useful to someone, which is why they want it and keep it forever.

This is why many websites choose to encrypt your traffic even when you are not sending sensitive information. Your behaviour online should remain as private as possible.

How HTTPS Works

HTTPS pages typically use one of two secure protocols to encrypt communications – SSL (Secure Sockets Layer) or TLS (Transport Layer Security). Both the TLS and SSL protocols use what is known as an ‘asymmetric’ Public Key Infrastructure (PKI) system. An asymmetric system uses two ‘keys’ to encrypt communications, a ‘public’ key and a ‘private’ key. Anything encrypted with the public key can only be decrypted by the private key and vice-versa.

The ‘private’ key should be kept strictly protected and should only be accessible to the owner of the private key. In the case of a website, the private key remains securely lodged on the web server. The public key is intended to be distributed to anybody and everybody that needs to be able to decrypt information that was encrypted with the private key.

Basic Work Flow of HTTPS:

Step 1*– A user requests any website which uses an HTTPS certificate client open url as https://web-page

Step 2*– Then the server immediately responds to the initial connection by offering a list of encryption methods the webserver supports.

Step 3*– The client selects a connection method. Then the client and server exchange certificates to authenticate their identities.

Step 4*– The web server and client exchange the encrypted information after ensuring that both are using the same encryption key, and the connection is closed.

Enabling HTTPS requires the use of a valid SSL/TLS certificate. This digital certificate is a file that contains information about your organisation to help it authenticate as well as other cryptographic information that helps the site users communicate with it securely through encryption.

What is an HTTPS SSL certificate?

SSL is an abbreviation for Secure Sockets Layer. SSL technology developed by Netscape was created for exchanging private information and documents on the internet.

SSL Certificates are small data files that digitally bind a cryptographic key to an organisation’s details. So an SSL (Secure Socket Layer) Certificate is a digital certificate that provides authentication for a website. SSL certificates create trust with users by verifying that websites are secure and legitimate. These digital credentials are small data files that activate the padlock icon and https protocol.

When installed on a web server, it activates the padlock and the https protocol and allows secure connections from a web server to a browser. Typically, SSL is used to secure credit card transactions, data transfer, and logins, and more recently it has become the norm when securing browsing of social media sites. Through SSL, an encrypted connection is established primarily between the web server (host) and the web browser (user).

An SSL is very essential if you have an online store, process credit card details or have any kind of user login, especially if it accesses personal information.

SSL Certificates bind together:

  • A domain name, server name or hostname.
  • An organisational identity (i.e. company name) and location.

An organisation needs to install the SSL Certificate onto its web server to initiate a secure session with browsers. Once a secure connection is established, all web traffic between the web server and the web browser will be secure.

How Do SSL Certificates Work?

SSL Certificates use something called public key cryptography. This particular kind of cryptography harnesses the power of two keys which are long strings of randomly generated numbers. One is called a private key and the other a public key. A public key is known to your server and available in the public domain. It can be used to encrypt any message. If A is sending a message to B she will lock it with B’s public key but the only way it can be decrypted is to unlock it with B’s private key. B is the only one who has his private key. So B is the only one who can use this to unlock A’s message. If a hacker intercepts the message before B unlocks it, all they will get is a cryptographic code that they cannot break, even with the power of a computer.

If we look at this in terms of a website, the communication is happening between a website and a server. Your website is A and server is B.

How SSL Works

  • When a browser wants to connect a web server with SSL certificates, the web browser gives its identity before connecting with the server.
  • The web server then sends its web certificate to the browser.
  • The browser checks the web server to be trusted and sends a message to the web server.
  • Then the browser and web server shows digitally encrypted data.
  • This compatibility shows only the web browser and the web server, displaying data trustable amongst themselves and it shows the data security.

Why Do You Need An SSL Certificate?

SSL Certificates protect your sensitive information such as credit card information, usernames, passwords, etc.

They also:

  • Keep data secure between servers
  • Increase your Google rankings
  • Build/enhance customer trust
  • Improve conversion rates

When a certificate is successfully installed on your server, the application protocol (also known as HTTP) will change to HTTPs, where the ‘S’ stands for ‘secure’. Depending on the type of certificate you purchase and what browser you are surfing the internet on, a browser will show a padlock or green bar in the browser when you visit a website that has an SSL Certificate installed.

When you request an HTTPS connection to a webpage, the website will initially send its SSL certificate to your browser. This certificate contains the public key needed to begin the secure session. Based on this initial exchange, your browser and the website then initiate the ‘SSL handshake’. The SSL handshake involves the generation of shared secrets to establish a uniquely secure connection between yourself and the website.

When a trusted SSL Digital Certificate is used during an HTTPS connection, users will see a padlock icon in the browser address bar. When an Extended Validation Certificate is installed on a web site, the address bar will turn green.

All communications sent over regular HTTP connections are in ‘plain text’ and can be read by any hacker that manages to break into the connection between your browser and the website. This presents a clear danger if the ‘communication’ is on an order form and includes your credit card details and or other important personal details. With an HTTPS connection, all communications are securely encrypted. This means that even if somebody managed to break into the connection, they would not be able decrypt any of the data which passes between you and the website.

How to Identify the SSL-Certified Website?

The URL of an SSL certified website starts with HTTPS. So when you see HTTPS on your website URL then you know it is verified with an SSL certificate. As mentioned earlier, the last "S" in HTTPS means a secure server.

Benefits of having SSL Certificates:

  • There is no fear of providing personal information. Personal information such as credit cards, usernames, passwords and other important personal information that may be required on a website, go to your receipts by passing multiple PCs. If they are interrupted by a hacker, then your valuable information can be stolen. If you send information via SSL certificate, then you can be sure that it is not visible to anyone other than the recipient.
  • SSL trust increases. SSL gives a green signal at the beginning of the website, which gives a message of security to the visitor. Anyone can't take any information from you or your visitors through the phishing attack on the SSL Enabled Web site. It makes the visitor's credible for your website.
  • Undeclared Brand Promotion. SSL increases the visitor's trust in using your website. So your brand automatically engages the visitor. Information Technology experts believe that SSL works as the undeclared brand of any digital company.

SSL works as additional security for your website. If you have created your website as a membership site or by taking a user's data through a form, and if your web portal is secure then the third person will not be able to get access to the information.

How does HTTPS (SSL) encryption work?

An https connection is established by using Asymmetric Cryptography. The Server provides a certificate that demonstrates the server’s identity. At this moment, the Server is in possession of a Public and a Private Key.

Process when a sender and a recipient wants to exchange data securely

The Recipient transmits his public key (The public key can be given to anyone without any worries), but keeps the private key. So, the Sender can encrypt the message with the Recipient’s public key. This encrypted message can only be decrypted by the Recipient, because he’s the only one on this planet who is in possession of the private key.

When using HTTPS the Sender is the Client and the Recipient is the Server.

Below is a very simplified picture representation:

  1. The Client tries to establish a connection to the server. (Hello!) The server responds, that it accepts only secure communication.
  2. The Server sends its Public Key to the Client.
  3. The Client generates a random value (in this case it is 243) and encrypts this number by using the Server’s public key.
  4. The Server is the only one that can decrypt the data with its Private Key. After decryption, it can read the secret key (243).
  5. Then the transfer of data begins.

To prevent an attacker from guessing the secret key(243), it is regenerated from time to time. The secret key is regenerated at regular intervals.

Credit card companies and other regulatory bodies have also declared war against sites that are not secure. (Think PCI DSS, HIPAA, GDPR, CCPA, etcetra.)

As you can see in the picture above, public key (asymmetric) encryption is only used briefly in the beginning to exchange the third key which is used for the rest of the connection. But what’s the point of switching from asymmetric to symmetric? There are a number of reasons.

First, public key encryption only goes one way. Your encrypted data going to the website is secure only because the web server keeps the private key a secret. But if the server tried sending encrypted data back to you with the same key-pair, it would not be secure because everyone has access to its public key. That means anyone could decrypt it. You would have to establish two asymmetric sessions, one going each way. It is not feasible for your computer to do that securely.

Secondly, the mathematical overhead for asymmetric encryption is far higher and therefore requires much more computing power to sustain. It is not suitable for long sessions because of the processing power it takes to keep it going. Public key encryption uses much longer keys, which makes it far more labour intensive.

Mobile Security with HTTPS

HTTPS also protects traffic on mobile devices. This is extremely important as more and more people are using their phones and tablets to surf the Internet and make e-commerce purchases. The good news is that the vast majority of SSL/TLS certificates are mobile friendly, meaning that once you purchase one, install it and configure your server correctly, you are good to go on mobile devices.

But what about Apps? Both Apple and Google, two of the leaders in the mobile phone industry, are pushing mobile apps towards encryption by default. Apple has App Transport Security(ATS) on its iOS, while Google has the CleartextTraffic manifest attribute on Android. Apple’s ATS is pushing towards encryption a little harder as its default setting is to have encryption on, while on the Android platform it’s not. But both are making a clear indication that HTTPS will be and is the standard.

What HTTPS Does Not Do

It’s easy to think of HTTPS as a miracle security solution for the internet, but there is a lot that it cannot do.

HTTPS does not;

1. Hide the names of websites that you are visiting

This is because the name (aka “domain”) of the website is sent using DNS (domain name service), which is not inside the HTTPS tunnel. It is sent before the secure connection is made. An eavesdropper in the middle can see the name of the website you are going to (e.g. TipTopSecurity.com), they just can’t read any of the actual content that’s being transferred back and forth. It won’t be until DNSSEC is fully implemented that this will change.

2. Protect you from visiting a dangerous website

HTTPS does not ensure that the website, itself is safe. Just because you are connecting securely doesn’t mean you are not connecting to a website run by bad guys. We try to fix this problem can be fixed with trusted Certificate Authorities but the system isn’t perfect.

3. Provide anonymity

HTTPS does not hide your physical location or personal identity. Your personal IP address (your address on the internet) has to be attached to the outside of the encrypted data, because the internet wouldn’t know where to send it if your IP address was encrypted, too. And it also doesn’t obscure your identity to the website you’re visiting. The site you visit still knows everything about you that it would on a non-secure connection.

4. Prevent you from getting viruses

HTTPS is not a filter. It is possible to get viruses and other malware over an HTTPS connection. If the web server is infected or you’re on a malicious website that’s handing out malware, it will be sent inside the HTTPS stream just like everything else. HTTPS does, however, prevent anyone in the middle from injecting malware into your moving traffic.

5. Protect your computer from being hacked

HTTPS only protects the data while it’s moving between your computer and the web server. It does not offer any protection for your actual computer or the server, themselves. This also means that if there’s malware that’s monitoring traffic on one end of the connection, it can read the traffic before and after it’s encrypted inside the HTTPS stream.

So, HTTPS only protects your information while it’s flowing through the wires (or the air). It cannot protect your computer, your identity, or hide which sites you are visiting. HTTPS is only one part of a safer internet. If you are looking for more privacy then a VPN service would be the next step. If you want more info about VPN, check out my article about VPN.

Advantages of HTTPS:

  • It uses SSL technology to protect user information from unauthorised sources which builds the trust of users.
  • It encrypts the connection and helps users to do secure online transactions such as online banking
  • HTTPS users the redirect option to provide increased security. This means that if a user enters http:// instead of https://, it will automatically redirect to an https:// and establish a secure connection.
  • An independent authority verifies the identity of the owner of the certificate. So each SSL certificate contains unique, certified information about the certificate owner.
  • Secure Communication: https makes a secure connection by establishing an encrypted link between the browser and the server or any two systems.
  • Data Integrity: https provides data integrity by encrypting the data and so, even if hackers manage to trap the data, they cannot read or modify it.
  • Privacy and Security: https protects the privacy and security of website users by preventing hackers to passively listen to communication between the browser and the server.
  • Faster Performance: https increases the speed of data transfer compared to http by encrypting and reducing the size of the data.
  • SEO: Use of https increases SEO ranking. In Google Chrome, Google shows the Not Secure label in the browser if users' data is collected over http.
  • Future: https represents the future of the web by making internet safe for users and website owners.

Disadvantages of HTTPS:

• HTTPS is comparatively slower as it takes a little bit of time during encryption.

• Because of the encryption process, HTTPS includes extra overhead during data transfer.

• You have to pay for an SSL certificate to use HTTPS.

• It can cause browser caching issues for legacy browsers (e.g., IE6).

How HTTPS helps SEO

Most of all the benefits of HTTPS tie back to SEO:

  • Lightweight ranking signal
  • Better security and privacy
  • Preserves referral data
  • Enables the use of modern protocols that enhance security and site speed

Lightweight ranking signal

Google announced that HTTPS is a lightweight ranking factor way back in 2014. It is more like a tiebreaker than something that would skyrocket your rankings if other ranking factor variables remained unchanged.

This is basically Google’s contribution to faster worldwide HTTPS adoption.

Preserves referral data

If your website is still on HTTP and you are using web analytics services like Google Analytics, then no referral data is passed from HTTPS to HTTP pages.  Most of the web runs on HTTPS these days, the source of most referral traffic (clicks on links from other websites) will be labelled as direct in most analytics software.

One disadvantage of this is that it makes your data messy and skewed. Another is that you are unable to see your best referral sources.

Enables the use of modern protocols that enhance security and site speed

On paper, HTTPS is slower than HTTP because of the added security features. However, having HTTPS is the prerequisite for using the latest security and web performance technology.

In other words, besides security, HTTPS also enables your website to improve its page speed when you use protocols like TLS 1.3 and HTTPS/2. And apart from better user experience, Google considers page speed as a lightweight ranking factor similar to HTTPS.

How to set up HTTPS

This depends entirely on your particular scenario.

1. If you are launching a new website

Go with HTTPS from the beginning and you won’t ever have to worry about HTTP and errors associated with the migration.

All you need to do is to have a good hosting provider that will guide you through the process, and that supports the latest HTTP and TLS protocol versions. After all is up and running, implement HSTS as the last step in order to seal the security.

2. If you already have an HTTPS-enabled website

The fact that you are reading this article shows that it is probably not set up correctly.

3. If you still have a website running on HTTP

It will take a while to get everything prepared and done. The complexity of the migration depends on:

  • The size and complexity of your website
  • What kind of CMS you use
  • Your hosting/CDN providers
  • Your technical abilities

There are a lot of variables at play. I suggest you check the documentation of your CMS/server/hosting/CDN and proceed accordingly with caution.

If all of this sounds too technical for you, hire a professional. It will save you hours of your time, save your nerves, and ensure future-proof implementation.

How HTTP Puts You At Risk

When you connect to a website with regular HTTP, your browser looks up the IP address that corresponds to the website, connects to that IP address, and assumes it’s connected to the correct web server. Data is sent over the connection in clear text. An eavesdropper on a Wi-Fi network, your internet service provider, or government intelligence agencies like the NSA can see the web pages you’re visiting and the data you are transferring back and forth.

There are big problems with this. For one thing, there’s no way to verify you’re connected to the correct website. Maybe you think you accessed your bank’s website, but you are on a compromised network that’s redirecting you to an impostor website. Passwords and credit card numbers should never be sent over an HTTP connection, or an eavesdropper could easily steal them.

These problems occur because HTTP connections are not encrypted. HTTPS connections are.

How HTTPS Encryption Protects You

HTTPS is much more secure than HTTP. When you connect to an HTTPS-secured server—secure sites like your bank’s will automatically redirect you to HTTPS—your web browser checks the website’s security certificate and verifies it was issued by a legitimate certificate authority. This helps you ensure that, if you see “https://bank.com” in your web browser’s address bar, you’re actually connected to your bank’s real website. The company that issued the security certificate vouches for them. Unfortunately, certificate authorities sometimes issue bad certificates and the system breaks down. Although it is not perfect, HTTPS is still much more secure than HTTP.

When you send sensitive information over an HTTPS connection, no one can eavesdrop on it in transit. HTTPS is what makes secure online banking and shopping possible.

It also provides additional privacy for normal web browsing, too. For example, Google’s search engine now defaults to HTTPS connections. This means that people can’t see what you’re searching for on Google.com. The same goes for Wikipedia and other sites. Previously, anyone on the same Wi-Fi network would be able to see your searches, as would your Internet service provider.

In some countries, your Internet service provider is allowed to snoop on your web browsing history and sell it to advertisers. With HTTPS, your Internet service provider can’t see as much of that data. They only see that you are connecting to a specific website, as opposed to which individual pages you are viewing. This means much more privacy for your browsing.

HTTP allows your Internet service provider to tamper with the web pages you are visiting, if they want. They could add content to the web page, modify the page, or even remove things. For example, ISPs could use this method to inject more advertisements into web pages you visit.

Look Out for Phishing Tricks

The presence of HTTPS itself is not a guarantee that a site is legitimate. Some clever phishers have realised that people look for the HTTPS indicator and lock icon, and may go out of their way to disguise their websites. So you should still be wary. Don’t click links in phishing emails, or you may find yourself on a cleverly disguised page. Scammers can get certificates for their scam servers, too. In theory, they are only prevented from impersonating sites they don’t own. You may see an address like https://google.com.3526347346435.com. In this case, you’re using an HTTPS connection, but you’re really connected to a sub-domain of a site named 3526347346435.com—not Google.

Other scammers may imitate the lock icon, changing their website’s favicon that appears in the address bar to a lock to try to trick you. Keep an eye out for these tricks when checking your connection to a website.

Conclusion

HTTPS was originally intended for passwords, payments, and other sensitive data, but the entire web has now moved towards it.

It is a good idea to build a website over HTTPS or move from HTTP to HTTPS. Previously, websites being served over HTTP would receive browser warnings about being unsecured. This can dissuade potential traffic from visiting and have adverse effects on your website. HTTPS was mostly used by websites that have online payment gateway support. This helped secure confidential details of users such as credit card details and other personal information. But, after Google recommended sites to use HTTPS to achieve better search engine rankings, most sites switched to HTTPS. Nowadays, almost every website uses HTTPS.

 

Previous Post Next Post

Post a Comment

Post a Comment