Miracle Software Systems, Inc. HYPERTEXT TRANSFER PROTOCOL SECURE By Bhaskararao VB
Agenda History Overview Browser Integration Difference from HTTP Network layers Server setup Acquiring Certificates Conclusion
History Netscape Communications created HTTPS in 1994 for its Netscape Navigator web browser. Originally, HTTPS was used with SSL protocol. As SSL evolved into Transport Layer Security (TLS), the current version of HTTPS was formally specified by RFC 2818 in May 2000.
Overview Hypertext Transfer Protocol Secure (HTTPS) is a widely used communications protocol for secure communication over a computer network, with especially wide deployment on the Internet. HTTPS provides authentication of the web site and associated web server that one is communicating with, which protects against Man-in-the-middle attacks.
Continue Additionally, it provides bidirectional encryption of communications between a client and server, which protects against eavesdropping and tampering with and/or forging the contents of the communication. HTTPS connections were primarily used for payment transactions on the World Wide Web, e- mail and for sensitive transactions in corporate information systems.
Continue HTTPS began to see widespread use for protecting page authenticity on all types of websites, securing accounts and keeping user communications, identity and web browsing private. HTTPS is especially important over unencrypted networks such as WiFi as anyone on the same local network can do packet sniffing and discover sensitive information.
Continue As on 2012-06-22 only 12.3% of the Internets 186821 most popular web sites have a secure implementation of HTTPS. This leaves 87.7% (163776) open to some attacks. This survey is powered by Qualys’ SSL Server Test, in which anyone can audit the HTTPS implementation of a specified web server.
Continue The main idea of HTTPS is to create a secure channel over an insecure network. This ensures reasonable protection from eavesdroppers and man-in-the-middle attacks, provided that adequate cipher suites are used and that the server certificate is verified and trusted.
Browser Integration Most browsers display a warning if they receive an invalid certificate. Older browsers, when connecting to a site with an invalid certificate, would present the user with a dialog box asking if they wanted to continue.
Continue Newer browsers display a warning across the entire window. Most browsers also display a warning to the user when visiting a site that contains a mixture of encrypted and unencrypted content.
Difference from HTTP HTTPS URLs begin with "https://" and use port 443 by default, whereas HTTP URLs begin with http:// and use port 80 by default. HTTP is insecure and is subject to man-in-the- middle and eavesdropping attacks, which can let attackers gain access to website accounts and sensitive information.
Continue HTTPS is designed to withstand such attacks and is considered secure against such attacks .
Network layers HTTP operates at the highest layer of the OSI Model, the Application layer; but the security protocol operates at a lower sublayer, encrypting an HTTP message prior to transmission and decrypting a message upon arrival. Strictly speaking, HTTPS is not a separate protocol, but refers to use of ordinary HTTP over an encrypted SSL/TLS connection.
Continue Everything in the HTTPS message is encrypted, including the headers, and the request/response load.
Server setup To prepare a web server to accept HTTPS connections, the administrator must create a public key certificate for the web server. This certificate must be signed by a trusted certificate authority for the web browser to accept it without warning.
Acquiring certificates Authoritatively signed certificates may be free or cost between US$8 and $1,500 per year. However, in the case of free certificate authorities such as CACert, popular browsers (e.g. Firefox, Chrome, Internet Explorer) may not include the trusted root certificates, which may cause untrusted warning messages to be displayed to end users.
Continue Organizations may also run their own certificateauthority, particularly if they are responsible for settingup browsers to access their own sites (for example,sites on a company intranet, or major universities). They can easily add copies of their own signingcertificate to the trusted certificates distributed withthe browser.
Conclusion Finally I concluded that HTTPS is the security Protocol over HTTP where HTTPS authenticates the user as well as checks the certificates. And it doesn’t entered the man-in-the-middle attack or hackers who disturbs the original data.
References Www.wikipedia.com Trustworthy Internet Movement. https://www.trustworthyinternet.org/ssl-pulse/. HTTPS Everywhere EFF projects . Lawrence, Eric (31 January 2006). "HTTPS Security Improvements in Internet Explorer 7“. Myers, M; Ankney, R; Malpani, A; Galperin, S; Adams, C (June 1999). “Online Certificate Status Protocol – OCSP. Internet Engineering Task Force.