HTTPS : Secure Hypertext Transfer Protocol

HTTPS is an application protocol based on HTTP, for the secure transfer of data from Hyper Text, it is the secure version of HTTP. It is used primarily by banks, online stores, and any service that requires the sending of personal data or passwords .

 

Technical Specifications of HTTPS : Secure Hypertext Transfer Protocol

 

The system that uses the?HTTPS encryption?is based on SSL / TLS to create an encrypted channel (whose encryption level depends on the remote server and the browser used by the customer) which is more suitable for sensitive data traffic versus the HTTP protocol. In this way HTTPS ensures that sensitive information (username and password usually) can not be used by an attacker who has managed to intercept the data transfer connection, because all you’ll get is an encrypted data stream that be impossible to break.

The port for this HTTPS protocol is 443. In the HTTP protocol the URLs begin with “http://” and uses the default port 80 , HTTPS URLs begin with “https://” and use port 443 by default.

HTTP is uncertain and is subject to attack it may allow an attacker to access a website accounts and confidential information. HTTPS is designed to withstand such attacks and less insecure. HTTP operates at the highest layer of the OSI Model, the Application layer, but the security protocol operates at a lower sublayer, encrypting an HTTP message prior to transmission and decrypting a message upon receipt. Strictly speaking, HTTPS is not a separate protocol, but refers the use of HTTP on a Secure Socket Layer (SSL) or a connection to Security Transport Layer (TLS).To prepare a web server that accepts HTTPS connections, the administrator must create a public key certificate for the web server. This certificate must be signed by a Certification Authority for the web browser will accept it.

The authority certifies that the certificate holder. The HTTPS system can also be used for authentication of customers in order to limit access to a web server to authorized users. To do this, typically the site administrator creates a certificate for each user, a certificate that is stored within your browser. Typically, this contains the name and mailing address of the authorized user and is reviewed automatically each reconnect to verify the user’s identity, potentially without ever having to enter a password. A certificate can be revoked if it has already expired, for example, when the secret private key has been compromised. Newer browsers such as Firefox , Opera , and Internet Explorer on Windows 7 implemented the Certificate Status Protocol Online (OCSP) to verify. The browser sends the serial number of the certificate or certification authority, a delegate via OCSP and authority to respond, telling the browser whether or not to consider the certificate as valid.

 

Acquiring HTTPS Certificates

 

Purchasing HTTPS certificates can cost between U.S. $ 13 to U.S. $ 1500 per year. Organizations can also be your own certification authority for HTTPS, particularly if they are responsible for establishing browsers access to their own sites (eg sites on a company intranet , or major universities).

 

Limitations of HTTPS or Secure Hypertext Transfer Protocol

 

The level of protection of HTTPS depends on the accuracy of the implementation of the web browser, the server software and encryption algorithms. HTTPS is vulnerable when applied to static content. The entire site can be indexed using a web spider and the URI of the resource can be guessed knowing only the size of the request / response. This allows an attacker to access the plaintext (static content) allowing a cryptographic attack over HTTPS connection .

Because SSL operates on HTTP, SSL servers can only strictly present a certificate to a combination of port / IP in particular. This means that in most cases is not recommended to use name-based virtual hosting with HTTPS.

 

This article on HTTPS is written by Mr. Kanai Lal Saha, who has been regularly writing excellent articles on core computing, Virtualization and Cloud Computing.