Hypertext Transfer Protocol Secure (HTTPS) is an extension of the Hypertext Transfer Protocol (HTTP) for secure communication over a computer network, and is widely used on the Internet. In HTTPS, the communication protocol is encrypted using Transport Layer Security (TLS) or, formerly, its predecessor, Secure Sockets Layer (SSL). The protocol is therefore also commonly referred to as HTTP over TLS, or HTTP over SSL.
The principal motivations for HTTPS are authentication of the accessed website and protection of the privacy and integrity of the exchanged data while it is in transit. It protects against man-in-the-middle attacks. Bidirectional encryption of the communication between client and server protects against eavesdropping and tampering. In practice, this provides a reasonable assurance that one is communicating, without interference by an attacker, with the website that one intended to communicate with, as opposed to an impostor.
Historically, HTTPS connections were primarily used for payment transactions on the World Wide Web, e-mail, and sensitive transactions in enterprise information systems. Since 2018, HTTPS is used by web users more often than insecure plain HTTP, primarily to protect the authenticity of pages on all types of websites, to secure accounts, and to keep user communications, identity, and web browsing private.
Overview
The Uniform Resource Identifier (URI) scheme HTTPS has usage syntax identical to that of the HTTP scheme. However, HTTPS signals the browser to use an additional SSL/TLS encryption layer to protect the traffic. SSL/TLS is especially suited for HTTP, since it can provide some protection even if only one side of the communication is authenticated. This is the case with HTTP transactions over the Internet, where typically only the server is authenticated (by the client examining the server's certificate).
HTTPS creates a secure channel over an insecure network. This ensures reasonable protection from eavesdroppers and man-in-the-middle attacks, provided that adequate cipher suites are used and the server certificate is verified and trusted.
Because HTTPS carries HTTP entirely on top of TLS, the whole of the underlying HTTP protocol can be encrypted. This includes the request URL (which particular web page was requested), query parameters, headers, and cookies (which often contain identifying information about the user). However, because the host (website) address and port number are part of the underlying TCP/IP protocol, HTTPS cannot protect their disclosure. In practice this means that even on a correctly configured web server, eavesdroppers can infer the IP address and port number of the web server (and sometimes even the domain name, e.g. www.example.org, but not the rest of the URL) that one is communicating with, as well as the amount of data transferred and the duration of the session, although not the content of the communication.
Web browsers know how to trust HTTPS websites based on certificate authorities that come pre-installed in their software. Certificate authorities (such as Let's Encrypt, Digicert, Comodo, GoDaddy and GlobalSign) are in this way trusted by web browser creators to provide valid certificates. Therefore, a user should trust an HTTPS connection to a website if and only if all of the following are true:
- The user trusts that the browser software correctly implements HTTPS with correctly pre-installed certificate authorities.
- The user trusts the certificate authority to vouch only for legitimate websites.
- The website provides a valid certificate, which means it was signed by a trusted authority.
- The certificate correctly identifies the website (e.g., when the browser visits "https://example.com", the received certificate is properly for "example.com" and not some other entity).
- The user trusts that the protocol's encryption layer (SSL/TLS) is sufficiently secure against eavesdroppers.
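The fourth condition, that the certificate actually names the site being visited, is the check a browser performs against the certificate's subject alternative names. The following is an added example (not code from the article) of that hostname match, run over a constructed certificate dict in the shape Python's ssl.getpeercert() returns; the wildcard rules follow the common browser practice of allowing "*" only as the whole leftmost label.

```python
import ipaddress

# Constructed sample certificate, shaped like ssl.SSLSocket.getpeercert() output.
SAMPLE_CERT = {
    "subject": ((("commonName", "example.com"),),),
    "subjectAltName": (
        ("DNS", "example.com"),
        ("DNS", "*.example.com"),
        ("IP Address", "203.0.113.10"),
    ),
}


def _dns_label_match(pattern: str, hostname: str) -> bool:
    """Case-insensitive DNS match; a wildcard may only replace the whole leftmost label."""
    pat = pattern.lower().rstrip(".").split(".")
    host = hostname.lower().rstrip(".").split(".")
    if len(pat) != len(host):
        return False              # a wildcard never spans more than one label
    if pat[0] == "*":
        if len(pat) < 3:
            return False          # refuse "*.com"-style wildcards on a public suffix
        return pat[1:] == host[1:] and host[0] != ""
    return pat == host


def cert_matches_host(cert: dict, hostname: str) -> bool:
    """True iff the certificate names `hostname` (SAN entries first, CN only as a legacy fallback)."""
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal must match an "IP Address" SAN exactly; DNS entries do not count.
        return any(k == "IP Address" and ipaddress.ip_address(v) == ip for k, v in sans)
    dns_names = [v for k, v in sans if k == "DNS"]
    if dns_names:
        return any(_dns_label_match(p, hostname) for p in dns_names)
    # Legacy fallback: only consult commonName when the certificate carries no DNS SANs.
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName" and _dns_label_match(value, hostname):
                return True
    return False
```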
HTTPS is especially important over insecure networks (such as public Wi-Fi access points), because anyone on the same local network can sniff packets and discover sensitive information that is not protected by HTTPS. In addition, many free and paid WLAN networks engage in packet injection in order to serve their own advertisements on web pages. The same capability can be exploited maliciously in many ways, such as injecting malware into web pages and stealing users' private information.
HTTPS is also very important for connections over the Tor anonymity network, because malicious Tor nodes can damage or alter the content passing through them in an insecure fashion and inject malware into the connection. This is one reason why the Electronic Frontier Foundation and the Tor project started the development of HTTPS Everywhere, which is included in the Tor Browser Bundle.
As more information is revealed about global mass surveillance and criminals stealing personal information, the use of HTTPS on all websites is becoming increasingly important regardless of the type of Internet connection being used. Even though metadata about the individual pages a user visits is not sensitive on its own, when combined it can reveal a great deal about the user and compromise the user's privacy.
Deploying HTTPS also allows the use of HTTP/2 (or its predecessor, the now-deprecated SPDY protocol), a new generation of HTTP designed to reduce page load times, size, and latency.
It is recommended to use HTTP Strict Transport Security (HSTS) with HTTPS to protect users from man-in-the-middle attacks, especially SSL stripping.
HTTPS should not be confused with the seldom-used Secure HTTP (S-HTTP) specified in RFC 2660.
Usage on websites
As of April 2018, 33.2% of Alexa's top 1,000,000 websites use HTTPS by default, 57.1% of the Internet's 137,971 most popular websites have a secure implementation of HTTPS, and 70% of page loads (measured by Firefox Telemetry) use HTTPS.
Browser integration
Most browsers display a warning if they receive an invalid certificate. Older browsers, when connecting to a site with an invalid certificate, would present the user with a dialog box asking whether they wanted to continue. Newer browsers display a warning across the entire window. Newer browsers also prominently display the site's security information in the address bar. Extended validation certificates turn the address bar green in newer browsers. Most browsers also display a warning to the user when visiting a site that contains a mixture of encrypted and unencrypted content.
The Electronic Frontier Foundation, opining that "In an ideal world, every web request could be defaulted to HTTPS", has provided an add-on called HTTPS Everywhere for Mozilla Firefox that enables HTTPS by default for hundreds of frequently used websites. A beta version of this plugin is also available for Google Chrome and Chromium.
Security
The security of HTTPS is that of the underlying TLS, which typically uses long-term public and private keys to generate a short-term session key, which is then used to encrypt the data flow between client and server. X.509 certificates are used to authenticate the server (and sometimes the client as well). As a consequence, certificate authorities and public key certificates are necessary to verify the relation between the certificate and its owner, as well as to generate, sign, and administer the validity of certificates. While this can be more beneficial than verifying identities via a web of trust, the 2013 mass surveillance disclosures drew attention to certificate authorities as a potential weak point allowing man-in-the-middle attacks. An important property in this context is forward secrecy, which ensures that encrypted communications recorded in the past cannot be retrieved and decrypted should long-term secret keys or passwords be compromised in the future. Not all web servers provide forward secrecy.
A site must be completely hosted over HTTPS, without having some of its contents loaded over HTTP - for example, having scripts loaded insecurely - or the user will be vulnerable to some attacks and surveillance. Having only a certain page that contains sensitive information (such as a log-in page) of a website loaded over HTTPS, while having the rest of the website loaded over plain HTTP, will also expose the user to attacks. On a site that has sensitive information somewhere on it, every time that site is accessed with HTTP instead of HTTPS, the user and the session are exposed. Similarly, cookies on a site served over HTTPS must have the Secure attribute enabled.
Technical
Differences from HTTP
HTTPS URLs begin with "https://" and use port 443 by default, whereas HTTP URLs begin with "http://" and use port 80 by default.
HTTP is not encrypted and is vulnerable to man-in-the-middle and eavesdropping attacks, which can let attackers gain access to website accounts and sensitive information, and modify web pages to inject malware or advertisements. HTTPS is designed to withstand such attacks and is considered secure against them (with the exception of older, deprecated versions of SSL).
Network layer
HTTP operates at the highest layer of the TCP/IP model, the Application layer; as does the TLS security protocol (operating as a lower sublayer of the same layer), which encrypts an HTTP message prior to transmission and decrypts a message upon arrival. Strictly speaking, HTTPS is not a separate protocol, but refers to the use of ordinary HTTP over an encrypted SSL/TLS connection.
Everything in an HTTPS message is encrypted, including the headers and the request/response payload. With the exception of the possible chosen-ciphertext (CCA) cryptographic attack described in the limitations section below, an attacker can only learn that a connection is taking place between the two parties and their domain names and IP addresses.
Server settings
To prepare a web server to accept HTTPS connections, the administrator must create a public key certificate for the web server. This certificate must be signed by a trusted certificate authority for the web browser to accept it without warning. The authority certifies that the certificate holder is the operator of the web server that presents it. Web browsers are generally distributed with a list of signing certificates of major certificate authorities so that they can verify certificates signed by them.
Getting certificate
Let's Encrypt, launched in April 2016, provides free and automated SSL/TLS certificates to websites. According to the Electronic Frontier Foundation, Let's Encrypt will make switching from HTTP to HTTPS "as easy as issuing one command, or clicking one button." The majority of web hosts and cloud providers now leverage Let's Encrypt, providing free certificates to their customers.
Use as access control
The system can also be used for client authentication in order to limit access to a web server to authorized users. To do this, the site administrator typically creates a certificate for each user, which is loaded into the user's browser. Normally, the certificate contains the name and e-mail address of the authorized user and is automatically checked by the server on each reconnection to verify the user's identity, potentially without ever entering a password.
In case of compromised private key
An important property in this context is perfect forward secrecy (PFS). Possessing one of the long-term asymmetric secret keys used to establish an HTTPS session should not make it easier to derive the short-term session key and then decrypt the conversation, even at a later time. Diffie-Hellman key exchange (DHE) and Elliptic curve Diffie-Hellman key exchange (ECDHE) are, as of 2013, the only schemes known to have that property. Only 30% of Firefox, Opera and Chromium browser sessions use it, and nearly 0% of Apple's Safari and Microsoft Internet Explorer sessions. Among the larger Internet providers, only Google has supported PFS since 2011 (as of September 2013).
A certificate may be revoked before it expires, for example because the secrecy of the private key has been compromised. Newer popular versions of browsers such as Firefox, Opera, and Internet Explorer on Windows Vista implement the Online Certificate Status Protocol (OCSP) to verify that this is not the case. The browser sends the certificate's serial number to the certificate authority or its delegate via OCSP, and the authority responds, telling the browser whether the certificate is still valid.
Limitations
SSL and TLS encryption can be configured in two modes: simple and mutual. In simple mode, authentication is only performed by the server. The mutual version requires the user to install a personal client certificate in the web browser for user authentication. In either case, the level of protection depends on the correctness of the software implementation and on the cryptographic algorithms in use.
SSL/TLS does not prevent the indexing of a site by a web crawler, and in some cases the URI of an encrypted resource can be inferred from nothing more than the size of the intercepted request/response. This gives an attacker access both to the plaintext (the publicly available static content) and to the ciphertext (the encrypted version of the static content), permitting a cryptographic attack.
Because TLS operates at a protocol level below HTTP and has no knowledge of the higher-level protocols, a TLS server can strictly present only one certificate for a particular address and port combination. In the past, this meant that it was not feasible to use name-based virtual hosting with HTTPS. A solution called Server Name Indication (SNI) exists, which sends the hostname to the server before encrypting the connection, although many older browsers do not support this extension. Support for SNI is available since Firefox 2, Opera 8, Safari 2.1, Google Chrome 6, and Internet Explorer 7 on Windows Vista.
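The hostname carried by SNI travels in the TLS ClientHello before any encryption is in place, which is why it is one of the items an observer on the path can still read (see the Overview). The following is an added example, not code from the article, that encodes and defensively parses the server_name extension as laid out in RFC 6066 (extension type 0, a length-prefixed list of name_type/length/name entries); the parser rejects any length field that does not agree with the bytes actually present rather than trusting it.

```python
import struct
from typing import Optional

SNI_EXTENSION_TYPE = 0   # server_name extension type in RFC 6066
NAME_TYPE_HOST_NAME = 0  # the only NameType defined


def build_sni_extension(hostname: str) -> bytes:
    """Encode a complete server_name extension: type, length, then the ServerNameList."""
    name = hostname.encode("ascii")  # assumes an already ASCII (A-label) hostname
    entry = struct.pack("!BH", NAME_TYPE_HOST_NAME, len(name)) + name
    server_name_list = struct.pack("!H", len(entry)) + entry
    return struct.pack("!HH", SNI_EXTENSION_TYPE, len(server_name_list)) + server_name_list


def parse_sni_extension(ext: bytes) -> Optional[str]:
    """Return the host_name from an encoded server_name extension, or None if it is malformed."""
    if len(ext) < 4:
        return None
    ext_type, ext_len = struct.unpack("!HH", ext[:4])
    if ext_type != SNI_EXTENSION_TYPE or ext_len != len(ext) - 4:
        return None                     # outer length must cover exactly the remaining bytes
    body = ext[4:]
    if len(body) < 2:
        return None
    (list_len,) = struct.unpack("!H", body[:2])
    if list_len != len(body) - 2:
        return None                     # list length must agree with the buffer as well
    pos, host = 2, None
    while pos < len(body):
        if pos + 3 > len(body):
            return None
        name_type, name_len = struct.unpack("!BH", body[pos:pos + 3])
        pos += 3
        if pos + name_len > len(body):
            return None                 # entry length overruns the buffer: reject, never read past it
        name = body[pos:pos + name_len]
        pos += name_len
        if name_type == NAME_TYPE_HOST_NAME:
            if host is not None or not name:
                return None             # RFC 6066: at most one host_name, and it must be non-empty
            try:
                host = name.decode("ascii")
            except UnicodeDecodeError:
                return None
    return host
```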
From an architectural point of view:
- The SSL/TLS connection is managed by the first front machine that initiates the TLS connection. If, for any reason (routing, traffic optimization, etc.), this front machine is not the application server and has to decipher the data, a solution must be found to propagate the user authentication or certificate information to the application server, which needs to know who is going to be connected.
- For SSL/TLS with mutual authentication, the SSL/TLS session is managed by the first server that initiates the connection. In situations where encryption has to be propagated along chained servers, session timeout management becomes extremely tricky to implement.
- Security is maximal with mutual SSL/TLS, but on the client side there is no way to properly end the SSL/TLS connection and disconnect the user except by waiting for the server session to expire or by closing all related client applications.
A sophisticated type of man-in-the-middle attack called SSL stripping was presented at the 2009 Blackhat Conference. This type of attack defeats the security provided by HTTPS by changing the https: link into an http: link, taking advantage of the fact that few Internet users actually type "https" into their browser interface: they get to a secure site by clicking on a link, and thus are fooled into thinking that they are using HTTPS when in fact they are using HTTP. The attacker then communicates in the clear with the client. This prompted the development of a countermeasure in HTTP called HTTP Strict Transport Security.
HTTPS has been shown to be vulnerable to a range of traffic analysis attacks. Traffic analysis attacks are a type of side-channel attack that relies on variations in the timing and size of traffic in order to infer properties about the encrypted traffic itself. Traffic analysis is possible because SSL/TLS encryption changes the contents of traffic, but has minimal impact on the size and timing of traffic. In May 2010, a research paper by researchers from Microsoft Research and Indiana University discovered that detailed sensitive user data can be inferred from side channels such as packet sizes. More specifically, the researchers found that an eavesdropper can infer the illnesses/medications/surgeries of the user, his/her family income and investment secrets, despite HTTPS protection in several high-profile, top-of-the-line web applications in healthcare, taxation, investment and web search. Although this work demonstrates the vulnerability of HTTPS to traffic analysis, the approach presented by the authors required manual analysis and focused specifically on web applications protected by HTTPS.
The fact that most modern websites, including Google, Yahoo!, and Amazon, use HTTPS causes problems for many users trying to access public Wi-Fi hotspots, because a Wi-Fi hotspot login page fails to load if the user tries to open an HTTPS resource. Some websites, such as neverssl.com and nonhttps.com, guarantee that they will always remain accessible over HTTP.
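The HSTS countermeasure above, together with the Secure cookie and mixed-content requirements in the Security section, are settings a defender can check mechanically on a response. The following is an added example, not code from the article, that audits a constructed header list and HTML body for those three weaknesses; the one-year max-age threshold is an assumption taken from common HSTS deployment guidance, not a value from the article.

```python
import re
from typing import List, Tuple

ONE_YEAR = 31536000  # assumed threshold: max-age shorter than this is flagged as weak HSTS
INSECURE_REF = re.compile(
    r"""<(?:script|img|link|iframe)\b[^>]*?\b(?:src|href)=["'](http://[^"']+)""", re.I)

# Constructed sample response, as a production server should NOT send it.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Strict-Transport-Security", "max-age=300"),
    ("Set-Cookie", "session=abc123; Path=/"),
]
SAMPLE_HTML = ('<html><script src="http://cdn.example.net/a.js"></script>'
               '<img src="https://static.example.net/logo.png"></html>')


def audit_headers(headers: List[Tuple[str, str]]) -> List[str]:
    """Flag header settings that leave a site open to SSL stripping or cookie leakage over HTTP."""
    findings = []
    hsts = [v for k, v in headers if k.lower() == "strict-transport-security"]
    if not hsts:
        findings.append("no Strict-Transport-Security header: a stripped http: link is not upgraded on repeat visits")
    else:
        m = re.search(r"max-age=(\d+)", hsts[0], re.I)
        max_age = int(m.group(1)) if m else 0
        if max_age < ONE_YEAR:
            findings.append("HSTS max-age %d is shorter than one year" % max_age)
        if "includesubdomains" not in hsts[0].lower():
            findings.append("HSTS lacks includeSubDomains: subdomains can still be reached over plain HTTP")
    for k, v in headers:
        if k.lower() != "set-cookie":
            continue
        parts = [p.strip() for p in v.split(";")]
        name = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        if "secure" not in attrs:
            findings.append("cookie %s lacks the Secure attribute: the browser would send it over plain HTTP" % name)
    return findings


def find_insecure_subresources(html: str) -> List[str]:
    """Return http:// script/image/stylesheet/frame references that would make an HTTPS page mixed content."""
    return INSECURE_REF.findall(html)
```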
History
Netscape Communications created HTTPS in 1994 for its Netscape Navigator web browser. Originally, HTTPS was used with the SSL protocol. As SSL evolved into Transport Layer Security (TLS), HTTPS was formally specified by RFC 2818 in May 2000.
See also
- Bullrun (decryption program) - a secret anti-encryption program run by the U.S. National Security Agency
- Computer security
- curl-loader
- Diameter (protocol)
- HTTPsec
- Moxie Marlinspike
- Opportunistic encryption
- Stunnel
External links
- RFC 2818: HTTP Over TLS
- RFC 5246: The Transport Layer Security (TLS) Protocol Version 1.2
- RFC 6101: The Secure Sockets Layer (SSL) Protocol Version 3.0
Source of the article : Wikipedia